[57north-discuss] TLS Certificates for official 57North services

[Iain R. Learmonth]

Hi,

There was discussion last night regarding TLS certificates for 57North
services. In this email I will outline the current situation for TLS
certificates on our services, what I would like to see and also try to
outline some of the other opinions from last night (but I won't name anyone
in case I've misrepresented their view).

On the 28th March 2014 we were issued, free of charge, a wildcard
certificate for *.57north.co by GlobalSign as part of their free
certificates for Open Source projects programme. This is currently in use
for our website at https://57north.co/ although this certificate is not as
trusted as we were led to believe. I have often heard people complaining
that the certificate was not trusted, especially on Android devices.

Wildcard certificates, especially now that we have multiple servers running
our services, present security concerns in that any server would be able to
pretend to be any other. GlobalSign are not willing to renew this
certificate for free and it expires on the 29th March 2015.

As a free alternative, for new services like the new wiki announced last
night (expect an email about this shortly), I have been using CAcert
certificates. CAcert.org is a community-driven Certificate Authority that
issues certificates to the public at large for free.

Given that our current certificate is not that trusted, I don't see this as
introducing any new barriers to accessing our site. It was suggested that we
have the wiki as not HTTPS-only and I have temporarily agreed to this, but
it is important to remember that encryption is not only there to protect
passwords. Encryption stops those who are spying on your connection from
seeing what projects you are looking at, what themes you're reading about,
etc. in the same way that when you go to a public library people can see you
went to the library but not what books you have read. Reader privacy is
important and as a hackerspace, I believe, this is something we should be
promoting.

Don't forget that if we have unencrypted services because we're afraid
people may be put off by scary browser messages, the terrorists have won.

It was also proposed that for our primary public facing presence that we
used a paid certificate that was likely to be trusted in as many browsers as
possible. I would object the hackerspace funding this browser-based
terrorism where there are only a select few that get to choose who can be
trusted on the Internet, and I would hope other members would object to
their membership fees being spent in that way too.

I am only proposing the use of CAcert certificates until EFF's Let's Encrypt
is available for use. This would allow us to have browser trusted
certificates for free. You can learn more about this project in this video:

  http://media.ccc.de/browse/congress/2014/31c3_-_6397_-_en_-_saal_6_-_201412301400_-_let_s_encrypt_-_seth_schoen.html#video

Of course, we are a community, and it is important to discuss these issues
where it is our public facing presence being affected, and so I am opening
this for discussion on the mailing list. Please reply to this thread with
your views on the issue and any proposals you might have for this issue.

Thanks for your attention,
Iain.

-- 
e: irl at fsfe.org            w: iain.learmonth.me
x: irl at jabber.fsfe.org     t: EPVPN 2105
c: 2M0STB                  g: IO87we
p: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.57north.co/pipermail/57north-discuss/attachments/20150107/47c47a28/attachment-0001.sig>