public inbox for [email protected]
help / color / mirror / Atom feedFrom: Magnus Hagander <[email protected]>
To: Joshua D. Drake <[email protected]>
Cc: Tom Lane <[email protected]>
Cc: Peter Eisentraut <[email protected]>
Cc: [email protected]
Subject: Re: Community accounts and SSL
Date: Wed, 12 Mar 2008 23:00:28 +0100
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
On Wed, 2008-03-12 at 14:33 -0700, Joshua D. Drake wrote:
> On Wed, 12 Mar 2008 17:25:11 -0400
> Tom Lane <[email protected]> wrote:
>
> > "Joshua D. Drake" <[email protected]> writes:
> > > That is certainly one way, but do we really need that? Isn't a self
> > > signed cert good enough?
> >
> > Self-signed certs on a public-facing website scream of amateurism.
> > Every time someone visits the site, their browser will complain
> > about it, and quite rightly.
>
> Well that isn't true. It asks once and that's it. I will admit
> though that FF3 certainly makes it abundantly clear that it doesn't like
> it that first time. As far as the amateurism, opinion vary :).
It does not. If you click the proper button in your browser, it doesn't
even let you in. If you click the second-least-improper one, it will
complain every time. Only if you pick the one option you're really not
supposed to pick, does it only complain once.
I dunno aobut other browsers, but in firefox the "bitch again next
session" is the default, and in modern IE versions, not letting you in
at all is the default.
Using a self-signed certificate is only secure if you somehow distribute
the self-signed certificate to all clients but a different, secure,
path.
> > If you wanna do this, you need to pony up some cash to Verisign or
> > one of the other recognized CAs.
>
> Well like I said, we can do that. If that is the way the community
> wants to go. A 5 year wildcard cert which could be used across all
> subdomains is about 500.00.
Wildcard cert might be an option. I don't recall which browsers they are
supported these days. It's also a potential security issue - we can't
use them on something like a shared host somewhere. Perhaps one, or when
we get more requirements a couple, of regular certificates is a better
way to go?
The free option is to use CACert. It's not included by default in any
browser (I think - maybe some really new one has it), but it does have
an actual statement of trust along with it.
//Magnus
view thread (8+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected]
Subject: Re: Community accounts and SSL
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox