On Saturday 10 Mar 2012 17:15:04 Matthew Toseland wrote: > On Saturday 10 Mar 2012 17:00:36 Daxter wrote: > > On Mar 10, 2012, at 10:54 AM, Matthew Toseland wrote: > > > On Saturday 10 Mar 2012 16:44:55 Daxter wrote: > > >> On Mar 10, 2012, at 3:44 AM, Florent Daigniere wrote: > > >>> On Fri, Mar 09, 2012 at 07:11:19PM -0600, Daxter wrote: > > >>>> > > >>>> I'm all for HTTPS, but do we really want to outright *remove* > > >>>> functionality from the site? Sure, HTTP isn't secure and all "modern" > > >>>> web browsers support it. However, we would be making it harder for > > >>>> people to learn about Freenet and potentially try it out. > > >>>> > > >>> > > >>> Why? You could still access it over HTTP... and be presented with > > >>> (transparent) redirect to the secure version. > > >> > > >> I just scratched an itch and discovered that even Lynx supports HTTPS? > > >> If it really is the case that HTTPS has become so ubiquitous that users > > >> wouldn't be affected, then sure, go ahead with it. > > >> > > >> HOWEVER: the question really needs to be restated. Are there any > > >> countries or ISPs that are known to disallow secure communications? > > >> > > >>>> In the end I think we should do what every major website does today: > > >>>> encrypt the important data and let the entire site be accessible > > >>>> securely, but don't force it onto people. > > >>>> > > >>>> -Daxter > > >>> > > >>> It's very difficult to do and most websites do it wrong. You have to > > >>> think about mixed-content errors, cookie flags, ... > > >>> > > >>> Sending credentials in cleartext like we do on the wikis, with no > > >>> secure alternative, is a disgrace. > > >>> > > >>> Florent > > >> > > >> > > >> Can you give me an example of a website that in your mind does either > > >> the mixed model or the secure-only model properly? It would be nice to > > >> compare with them. > > >> > > >> Actually, the wiki supports HTTPS right now. You'll get a certificate > > >> error, but it works. > > > > > > Why do you get a cert error? We have a wildcard cert! > > >> > > >> While we're on the subject (as I've never bothered with HTTPS on the > > >> site until now), turns out it's rather misconfigured. Both the wiki and > > >> the main site return a certificate for emu.freenetproject.org? That > > >> address isn't accessible--what was it, and shouldn't we get this fixed? > > > > > > Eh? I thought we used the wildcard cert for everything? > > > > Nope, both are using a cert for emu.freenetproject.org. Also, the > > certificate is bound to expire on 4/27/2012 so we really should get this > > fixed! > > Are you sure it isn't a wildcard cert? Wildcard is an extension. IIRC I don't > see a warning on HTTPS://freenetproject.org/.
No, it's not, it just has a lot of alternate names. > > I agree we need to renew it though. :( > Need to chase this up. I believe me and Ian have access, I will deal soon. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: <https://emu.freenetproject.org/pipermail/devl/attachments/20120310/bbfdd84a/attachment.pgp>
