[57north-discuss] TLS Certificates for official 57North services

Andy Gaskell ag at ssofb.co.uk
Wed Jan 7 21:28:03 UTC 2015


Hiya

I think the issue may just be solved by the new semantic wiki.  The new wiki
looks great, and we'd discussed using this as our main website and CMS.  I
think this will be good as it'll mean we don't have duplicated info and
systems.  I'll happily write the MediaWiki skin, I can get stuck in and do
that in the next couple of weeks.  We can kind of make it look 'cool', and
still be a wiki I think.  Reason I mention that here is it perhaps solves this
perceived issue, as the wiki is accessible via http and https.

I would probably use MediaWiki Bootstrapskin (
http://www.mediawikibootstrapskin.co.uk/index.php?title=Main_Page ) as a
starting point, and do a bit of customising from there.

Cheers

Andy

On 7 January 2015 at 20:53, Iain R. Learmonth <irl at fsfe.org> wrote:

> Hi,
>
> There was discussion last night regarding TLS certificates for 57North
> services. In this email I will outline the current situation for TLS
> certificates on our services, what I would like to see and also try to
> outline some of the other opinions from last night (but I won't name anyone
> in case I've misrepresented their view).
>
> On the 28th March 2014 we were issued, free of charge, a wildcard
> certificate for *.57north.co by GlobalSign as part of their free
> certificates for Open Source projects programme. This is currently in use
> for our website at https://57north.co/ although this certificate is not as
> trusted as we were led to believe. I have often heard people complaining
> that the certificate was not trusted, especially on Android devices.
>
> Wildcard certificates, especially now that we have multiple servers running
> our services, present security concerns in that any server would be able to
> pretend to be any other. GlobalSign are not willing to renew this
> certificate for free and it expires on the 29th March 2015.
>
> As a free alternative, for new services like the new wiki announced last
> night (expect an email about this shortly), I have been using CAcert
> certificates. CAcert.org is a community-driven Certificate Authority that
> issues certificates to the public at large for free.
>
> Given that our current certificate is not that trusted, I don't see this as
> introducing any new barriers to accessing our site. It was suggested that
> we have the wiki as not HTTPS-only and I have temporarily agreed to this,
> but it is important to remember that encryption is not only there to protect
> passwords. Encryption stops those who are spying on your connection from
> seeing what projects you are looking at, what themes you're reading about,
> etc. in the same way that when you go to a public library people can see
> you went to the library but not what books you have read. Reader privacy is
> important and as a hackerspace, I believe, this is something we should be
> promoting.
>
> Don't forget that if we have unencrypted services because we're afraid
> people may be put off by scary browser messages, the terrorists have won.
>
> It was also proposed that for our primary public facing presence that we
> used a paid certificate that was likely to be trusted in as many browsers
> as possible. I would object to the hackerspace funding this browser-based
> terrorism where there are only a select few that get to choose who can be
> trusted on the Internet, and I would hope other members would object to
> their membership fees being spent in that way too.
>
> I am only proposing the use of CAcert certificates until EFF's Let's
> Encrypt is available for use. This would allow us to have browser trusted
> certificates for free. You can learn more about this project in this video:
>
>
> http://media.ccc.de/browse/congress/2014/31c3_-_6397_-_en_-_saal_6_-_201412301400_-_let_s_encrypt_-_seth_schoen.html#video
>
> Of course, we are a community, and it is important to discuss these issues
> where it is our public facing presence being affected, and so I am opening
> this for discussion on the mailing list. Please reply to this thread with
> your views on the issue and any proposals you might have for this issue.
>
> Thanks for your attention,
> Iain.
>
> --
> e: irl at fsfe.org            w: iain.learmonth.me
> x: irl at jabber.fsfe.org     t: EPVPN 2105
> c: 2M0STB                  g: IO87we
> p: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49
>


-- 
Andy Gaskell
Head Developer
Software Systems: Open For Business
Email: ag at ssofb.co.uk
Web: http://www.ssofb.co.uk
Mobile: 07745 924 449
Office: 01224 312857
Skype: andy_at_ssofb
LinkedIn: http://www.linkedin.com/in/agaskell
Office: 40 Raeden Park Road, Aberdeen, AB15 5LQ.
Limited company: SC347800