On 2015-10-14 22:30, Jonathan Wilkes via Pd-dev wrote:
> Oh wow, I guess it's been awhile since I've used Sourceforge. It looks like
> they just offer svn (which isn't secure) and http by default. Yikes.
> It's 2015. Users should get an encrypted connection to repos by default, no
> exceptions.
> It's extraordinary to me that you'd let the limitations of StartSSL's free
> cert dictate the security of your users. But if that really is the limiting
> factor, why can't you just wait half a year for EFF's "Let's Encrypt" project
> to ship? Then you can get certs for however many subdomains you want, and a
> whole class of potential attacks on your users will disappear.

whatever happens in half a year from now will happen then. we might switch to let's encrypt, use some chinese wildcard certificate or roll back to self-signed certs.

> In the meantime, please don't teach users that it's ok to ignore basic
> internet security (plus the big, red browser warnings) just because you don't
> feel like paying money or asking one of many capable free-software
> organizations for help.

yawn. i'd rather teach people to learn the basic internet security (which is *not* about big, red browser warnings for anything as fundamentally flawed as a commercially driven certificate chain).

in the meantime you could say "thanks, for doing a lot of work". you're welcome.

fgamsdr
IOhannes