Re: [Geany-Devel] Invalid certificate

2015-10-25 Thread Enrico Tröger
Hi,


> some may have already said it, but certificate on https://lists.geany.org
> is invalid. I guess the one from Let's encrypt could be used (which now
> seems to be trusted)?

could you elaborate a bit what exactly you mean by "invalid"?
This is a wildcard certificate for *.geany.org and is valid until April
2016.
Your browser might try to trick you into the assumption the certificate
is invalid because your browser does not trust the CA of cacert.org who
signed our certificate. But this does not mean our certificate is
invalid. It's just that the major browser distributors don't accept the
root certificates of cacert.org.

And yes, we will think about using the new Let's Encrypt certificates.
However, as far as I know, the currently available certificates are also
not yet trusted by the majority of applications. Those new,
automatically trusted certificates will first be available some time in
November.

Regards,
Enrico

-- 
Get my GPG key from http://www.uvena.de/pub.asc



___
Devel mailing list
Devel@lists.geany.org
https://lists.geany.org/cgi-bin/mailman/listinfo/devel


Re: [Geany-Devel] Invalid certificate

2015-10-25 Thread Frank Lanitz
On 25.10.2015 at 13:17, Arthur Peka wrote:
> 
> some may have already said it, but certificate
> on https://lists.geany.org is invalid. I guess the one from Let's
> encrypt could be used (which now seems to be trusted)?

They took a huge step forward, but AFAIK it's not yet done. Right now we are
using CAcert and the certificate is not invalid only because your
browser doesn't know the CAcert root certificates¹. It's just untrusted.

However, the plan is, once they are really online, we will think about migration.

Cheers,
Frank

¹ http://www.cacert.org/index.php?id=3

P.S. Sorry if this might have sounded rude. Not sure. Wasn't intended. SSL
is not just the green lock symbol, it's more. Even a self-signed
certificate can, well in most cases it is if you check fingerprints, be
more trustworthy than a signed one.





Re: [Geany-Devel] Invalid certificate

2015-10-25 Thread Arthur Peka
In my understanding "invalid" includes "signed by untrusted authority". I'm
no security expert, and for me a browser reporting an invalid certificate is
a red flag - I'll have a hard time figuring out that cacert.org are in fact
the "good guys". I believe this can also turn away some contributors, who
will think the page is abandoned/compromised, without looking into much
detail.

As for let's encrypt - they reported several days ago that they are trusted
by major browsers -
https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html. Check
https://helloworld.letsencrypt.org/ - it's trusted.

BR,
Artur.

On Sun, Oct 25, 2015 at 2:35 PM, Frank Lanitz  wrote:


Re: [Geany-Devel] Invalid certificate

2015-10-25 Thread Frank Lanitz
Hi,

On 25.10.2015 at 14:41, Arthur Peka wrote:
> In my understanding "invalid" includes "signed by untrusted authority".
> I'm no security expert, and for me browser reporting an invalid
> certificate is a red flag - I'll have a hard time figuring out
> that cacert.org are in fact the "good guys". I
> believe, this can also turn away some contributors, who will think the
> page is abandoned/compromised, without looking into much details.

I'm aware of this and we discussed it several times on some of our
mailing lists. Untrusted != invalid. Unfortunately people don't want to
understand this, so browser developers decided to show in every case "OMG
we are gonna die" error warnings and to hide the option "I know what I'm
doing". It's even getting harder and harder to ack a self-signed
certificate from one browser release to the next. This is bad. Now, by
default, it's easier to trust some company that might be forced by some
government or whoever (stock owners maybe) to sign an invalid
certificate than to trust your very own self-created certificate, e.g.
for your personal intranet. But this is another topic and off topic here.

> As for let's encrypt - they reported several days ago that they are
> trusted by major browsers
> - https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html. Check
> https://helloworld.letsencrypt.org/ - it's trusted.

At least I'm aware of this and, as Enrico mentioned, we will go into the
process of updating maybe soon. This was the big step I was referring to.

So tl;dr: There will be an update on this kind of soonish.

Cheers,
Frank





Re: [Geany-Devel] Invalid certificate

2015-10-25 Thread Arthur Peka
Ok, glad to hear that.

BR,
Artur.

On Sun, Oct 25, 2015 at 3:58 PM, Frank Lanitz  wrote: