Re: https everywhere update - dlang.org gets an "A" now!

[Basile B. via Digitalmars-d-announce]

On Friday, 11 December 2015 at 21:22:06 UTC, Basile B. wrote:
On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright 
wrote:

Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.


https://www.youtube.com/watch?v=OqkYr5uIreg=youtu.be=49s


we're safe...

Re: https everywhere update - dlang.org gets an "A" now!

[Basile B. via Digitalmars-d-announce]

On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright 
wrote:

Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.


https://www.youtube.com/watch?v=OqkYr5uIreg=youtu.be=49s

Re: https everywhere update - dlang.org gets an "A" now!

[Basile B. via Digitalmars-d-announce]

On Friday, 11 December 2015 at 21:24:07 UTC, Basile B. wrote:

On Friday, 11 December 2015 at 21:22:06 UTC, Basile B. wrote:
On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright 
wrote:

Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.


https://www.youtube.com/watch?v=OqkYr5uIreg=youtu.be=49s


we're safe...


I hope you get the irony...

Re: https everywhere update - dlang.org gets an "A" now!

[Sönke Ludwig via Digitalmars-d-announce]

Now also certified (Let's Encrypt made this really straight forward):

https://code.dlang.org/
https://forum.rejectedsoftware.com/
https://vibed.org/

All pass with an A for the ssllabs.com test. I'll also setup default 
HTTP->HTTPS redirects.

Re: https everywhere update - dlang.org gets an "A" now!

[Kapps via Digitalmars-d-announce]

On Monday, 7 December 2015 at 14:38:39 UTC, Steven Schveighoffer 
wrote:

On 12/6/15 11:32 AM, Marc Schütz wrote:
On Sunday, 6 December 2015 at 14:17:18 UTC, Steven 
Schveighoffer wrote:
On 12/6/15 3:29 AM, Adil Baig via Digitalmars-d-announce 
wrote:

+1 Same error. This part may help :

This server could not prove that it is *www.dlang.org
*; its security certificate is 
from*dlang.org

*
*
*
You will need a wild-card certificate (cheaper) or a 
certificate that
allows multiple domain names (more expensive, and probably 
not required)

for the cert to work.



Or redirect www.dlang.org to dlang.org


That won't help if someone already starts at 
https://www.dlang.org/ .


I'm surprised it wouldn't. I wouldn't think a redirect would 
need to be encrypted.


-Steve


It does. Otherwise you could bypass HTTPS entirely by replacing 
the redirect page with a non-encrypted copy of the dlang website 
with whatever modifications you like.

Re: https everywhere update - dlang.org gets an "A" now!

[Steven Schveighoffer via Digitalmars-d-announce]

On 12/6/15 11:32 AM, Marc Schütz wrote:

On Sunday, 6 December 2015 at 14:17:18 UTC, Steven Schveighoffer wrote:

On 12/6/15 3:29 AM, Adil Baig via Digitalmars-d-announce wrote:

+1 Same error. This part may help :

This server could not prove that it is *www.dlang.org
*; its security certificate is from*dlang.org
*
*
*
You will need a wild-card certificate (cheaper) or a certificate that
allows multiple domain names (more expensive, and probably not required)
for the cert to work.



Or redirect www.dlang.org to dlang.org


That won't help if someone already starts at https://www.dlang.org/ .


I'm surprised it wouldn't. I wouldn't think a redirect would need to be 
encrypted.


-Steve

Re: https everywhere update - dlang.org gets an "A" now!

[Chris Wright via Digitalmars-d-announce]

On Mon, 07 Dec 2015 14:48:52 +, Kapps wrote:
> On Monday, 7 December 2015 at 14:38:39 UTC, Steven Schveighoffer wrote:
>> I'm surprised it wouldn't. I wouldn't think a redirect would need to be
>> encrypted.
>>
>> -Steve
> 
> It does. Otherwise you could bypass HTTPS entirely by replacing the
> redirect page with a non-encrypted copy of the dlang website with
> whatever modifications you like.

Well, only if you're trying to protect against MITM attacks. If you're 
only worried about people packet sniffing, you can redirect from an 
unencrypted page without a care.

In a situation like this, where approximately no sensitive information is 
going back and forth, MITM isn't much of a concern (and packet sniffing 
isn't, either, for the most part, except if you're logging in with a 
password you reuse elsewhere).

Re: https everywhere update - dlang.org gets an "A" now!

[Steven Schveighoffer via Digitalmars-d-announce]

On 12/6/15 3:29 AM, Adil Baig via Digitalmars-d-announce wrote:

+1 Same error. This part may help :

This server could not prove that it is *www.dlang.org
*; its security certificate is from*dlang.org
*
*
*
You will need a wild-card certificate (cheaper) or a certificate that
allows multiple domain names (more expensive, and probably not required)
for the cert to work.



Or redirect www.dlang.org to dlang.org

-Steve

Re: https everywhere update - dlang.org gets an "A" now!

[Marc Schütz via Digitalmars-d-announce]

On Sunday, 6 December 2015 at 14:17:18 UTC, Steven Schveighoffer 
wrote:

On 12/6/15 3:29 AM, Adil Baig via Digitalmars-d-announce wrote:

+1 Same error. This part may help :

This server could not prove that it is *www.dlang.org
*; its security certificate is 
from*dlang.org

*
*
*
You will need a wild-card certificate (cheaper) or a 
certificate that
allows multiple domain names (more expensive, and probably not 
required)

for the cert to work.



Or redirect www.dlang.org to dlang.org

-Steve


That won't help if someone already starts at 
https://www.dlang.org/ .

Re: https everywhere update - dlang.org gets an "A" now!

[Adil Baig via Digitalmars-d-announce]

+1 Same error. This part may help :

This server could not prove that it is *www.dlang.org
*; its security certificate is from*dlang.org
*

You will need a wild-card certificate (cheaper) or a certificate that
allows multiple domain names (more expensive, and probably not required)
for the cert to work.

Adil

On Sun, Dec 6, 2015 at 10:42 AM, mattcoder via Digitalmars-d-announce <
digitalmars-d-announce@puremagic.com> wrote:

> On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright wrote:
>
>> Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.
>>
>
> This is what I get when I try: https://www.dlang.org/
>
> "Your connection is not private
>
> Attackers might be trying to steal your information from www.dlang.org
> (for example, passwords, messages, or credit cards).
> NET::ERR_CERT_COMMON_NAME_INVALID"
>
> Matheus.
>

Re: https everywhere update - dlang.org gets an "A" now!

[lobo via Digitalmars-d-announce]

On Sunday, 6 December 2015 at 05:12:29 UTC, mattcoder wrote:
On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright 
wrote:

Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.


This is what I get when I try: https://www.dlang.org/

"Your connection is not private

Attackers might be trying to steal your information from 
www.dlang.org (for example, passwords, messages, or credit 
cards). NET::ERR_CERT_COMMON_NAME_INVALID"


Matheus.


This is what I get on firefox;

This Connection is Untrusted

You have asked Firefox to connect securely to www.dlang.org, but 
we can't confirm that your connection is secure.


[snip]...

Technical Details

www.dlang.org uses an invalid security certificate. The 
certificate is only valid for dlang.org (Error code: 
ssl_error_bad_cert_domain)


bye,
lobo

Re: https everywhere update - dlang.org gets an "A" now!

[Kapps via Digitalmars-d-announce]

On Sunday, 6 December 2015 at 08:29:07 UTC, Adil Baig wrote:

+1 Same error. This part may help :

This server could not prove that it is *www.dlang.org 
*; its security certificate is 
from*dlang.org *


You will need a wild-card certificate (cheaper) or a 
certificate that
allows multiple domain names (more expensive, and probably not 
required)

for the cert to work.

Adil


StartSSL allows for one subdomain on their free plan (which is 
generally the www subdomain). Letsencrypt allows for I think 5 
atm as well.

Re: https everywhere update - dlang.org gets an "A" now!

[mattcoder via Digitalmars-d-announce]

On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright 
wrote:

Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.


This is what I get when I try: https://www.dlang.org/

"Your connection is not private

Attackers might be trying to steal your information from 
www.dlang.org (for example, passwords, messages, or credit 
cards). NET::ERR_CERT_COMMON_NAME_INVALID"


Matheus.

Re: https everywhere update - dlang.org gets an "A" now!

[deadalnix via Digitalmars-d-announce]

Forum widgets are broken on the home page.

Re: https everywhere update - dlang.org gets an "A" now!

[Saurabh Das via Digitalmars-d-announce]

On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright 
wrote:

On 11/24/2015 10:59 AM, David Nadlinger wrote:
> On Monday, 23 November 2015 at 20:55:32 UTC, Walter Bright
wrote:
>> [...]
proper
>> [...]
fully https!
>
> There are a number of issues with how SSL is set up on the
server, from
> misconfiguration and/or outdated software:
> 
https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org=on

>
> Compare this e.g. to issues.dlang.org, which achieves a solid
A grade (although
> it uses a SHA-1 intermediary certificate, which will lead to
issues soon):
> 
https://www.ssllabs.com/ssltest/analyze.html?d=issues.dlang.org=on

>
>   — David

https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org=on

Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.


This is great.

Can the certificate also be used for forum.dlang.org? I get a 
warning when I visit https://forum.dlang.org

Re: https everywhere update - dlang.org gets an "A" now!

[Jacob Carlborg via Digitalmars-d-announce]

On 2015-12-04 02:38, Brad Anderson wrote:


It's unfortunate it didn't come a bit sooner because now the NSA
knows I read the entire DUB JSON thread, much to my shame.


You can expect a bill for "Wasting Time" in the mail anytime soon now :)

--
/Jacob Carlborg

Re: https everywhere update - dlang.org gets an "A" now!

[Brad Anderson via Digitalmars-d-announce]

On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright 
wrote:

https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org=on

Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.


Nice work by Jan. I know how big of a hassle things like this can 
be so taking the time to actually do it is much appreciated.


On a related note, Let's Encrypt hit public beta today[1]. With 
that I think we should be able to get all of the official 
infrastructure on TLS now. It's unfortunate it didn't come a bit 
sooner because now the NSA knows I read the entire DUB JSON 
thread, much to my shame.


1. https://letsencrypt.org/2015/12/03/entering-public-beta.html

Re: https everywhere update - dlang.org gets an "A" now!

[David Nadlinger via Digitalmars-d-announce]

On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright 
wrote:

https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org=on

Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.


Thanks!

Also displays as https in Chrome now.

 — David

Re: https everywhere update - dlang.org gets an "A" now!

[Brad Roberts via Digitalmars-d-announce]

On 12/3/15 5:38 PM, Brad Anderson via Digitalmars-d-announce wrote:

On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright wrote:

https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org=on

Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.


Nice work by Jan. I know how big of a hassle things like this can be so taking 
the time to actually
do it is much appreciated.

On a related note, Let's Encrypt hit public beta today[1]. With that I think we 
should be able to
get all of the official infrastructure on TLS now. It's unfortunate it didn't 
come a bit sooner
because now the NSA knows I read the entire DUB JSON thread, much to my shame.

1. https://letsencrypt.org/2015/12/03/entering-public-beta.html


I'm glad that letsencrypt is out there doing the publicity, but getting and using ssl certs has been 
free via startssl for several years now.  What this new group is doing is the PR and marketing to 
get people to do it, of course under their own umbrella rather than another company's.


- Brad

Re: https everywhere update - dlang.org gets an "A" now!

[David Nadlinger via Digitalmars-d-announce]

On Friday, 4 December 2015 at 02:29:52 UTC, Brad Roberts wrote:
I'm glad that letsencrypt is out there doing the publicity, but 
getting and using ssl certs has been free via startssl for 
several years now.  What this new group is doing is the PR and 
marketing to get people to do it, of course under their own 
umbrella rather than another company's.


The free StartSSL thing was also nigh-unusable – when I gave it a 
try, their in-browser CSR gen thing broke on whatever recent 
version of Firefox I was using, which left me with no cert, but 
them claiming I had exhausted their offer. They also have this 
weird thing where they offer "one host name plus domain" only, 
and charge users for revoking their cert (!).


 — David

Re: https everywhere!

[Kapps via Digitalmars-d-announce]

On Saturday, 28 November 2015 at 04:17:19 UTC, Martin Nowak wrote:
On Tuesday, 24 November 2015 at 08:48:58 UTC, Vladimir 
Panteleev wrote:
Sorry, I'm not going to pay for my own SSL certificate :) 
You'll either have to share, or wait until Let's Encrypt goes 
live and I get around to setting it up.


You could either get a free startssl certificate 
https://gist.github.com/mgedmin/7124635 or we try to reverse 
proxy through dlang.org/forum or so.


Letsencrypt goes into open beta in a few days 
(https://letsencrypt.org/2015/11/12/public-beta-timing.html). 
Could use that since it's free, allows subdomains (unlike 
StartSSL), easy setup, and people theoretically aren't doing 
anything on the site / forums where a theoretical early 
vulnerability is a huge concern.

Re: https everywhere!

[Martin Nowak via Digitalmars-d-announce]

On Tuesday, 24 November 2015 at 08:48:58 UTC, Vladimir Panteleev 
wrote:
Sorry, I'm not going to pay for my own SSL certificate :) 
You'll either have to share, or wait until Let's Encrypt goes 
live and I get around to setting it up.


You could either get a free startssl certificate 
https://gist.github.com/mgedmin/7124635 or we try to reverse 
proxy through dlang.org/forum or so.

Re: https everywhere!

[Vladimir Panteleev via Digitalmars-d-announce]

On Saturday, 28 November 2015 at 04:17:19 UTC, Martin Nowak wrote:
On Tuesday, 24 November 2015 at 08:48:58 UTC, Vladimir 
Panteleev wrote:
Sorry, I'm not going to pay for my own SSL certificate :) 
You'll either have to share, or wait until Let's Encrypt goes 
live and I get around to setting it up.


You could either get a free startssl certificate 
https://gist.github.com/mgedmin/7124635 or we try to reverse 
proxy through dlang.org/forum or so.


Could I send a CSR? Would that make sense?

Re: https everywhere!

[Martin Nowak via Digitalmars-d-announce]

On Monday, 23 November 2015 at 20:55:32 UTC, Walter Bright wrote:
I'm pleased to announce that Jan Knepper has gotten us some 
proper certificates now, and dlang.org and digitalmars.com are 
now fully https!


Glad to hear that as it's a requirement to host installer scipts 
and our gpg keyring with some trust.

https://github.com/D-Programming-Language/installer/pull/162

Guess we'll quickly fix the few non-shema relative urls.

Re: https everywhere!

[Joseph Rushton Wakeling via Digitalmars-d-announce]

On Monday, 23 November 2015 at 20:55:32 UTC, Walter Bright wrote:
I'm pleased to announce that Jan Knepper has gotten us some 
proper certificates now, and dlang.org and digitalmars.com are 
now fully https!


Trying to access https://forum.dlang.org/ I get a "This 
Connection Is Untrusted" page from Firefox, which notes:



forum.dlang.org uses an invalid security certificate. The 
certificate is not trusted because it is self-signed. The 
certificate is only valid for * (Error code: 
sec_error_unknown_issuer)



It's a good thing that I know and love this place, because 
usually when I see that kind of error on a website, I take it as 
a sign to steer clear ;-)

Re: https everywhere!

[deadalnix via Digitalmars-d-announce]

On Tuesday, 24 November 2015 at 19:13:22 UTC, duff wrote:
On Tuesday, 24 November 2015 at 18:59:39 UTC, David Nadlinger 
wrote:
Compare this e.g. to issues.dlang.org, which achieves a solid 
A grade (although it uses a SHA-1 intermediary certificate, 
which will lead to issues soon): 
https://www.ssllabs.com/ssltest/analyze.html?d=issues.dlang.org=on


 — David


You're part of the bikscheder team.


He is part of the doers. You may want to consider joining that 
team, but be warned, it require actual work.

Re: https everywhere!

[Walter Bright via Digitalmars-d-announce]

On 11/24/2015 10:59 AM, David Nadlinger wrote:

There are a number of issues with how SSL is set up on the server, from
misconfiguration and/or outdated software:
https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org=on

Compare this e.g. to issues.dlang.org, which achieves a solid A grade (although
it uses a SHA-1 intermediary certificate, which will lead to issues soon):
https://www.ssllabs.com/ssltest/analyze.html?d=issues.dlang.org=on



Thanks, I forwarded this to Jan.

Re: https everywhere!

[Walter Bright via Digitalmars-d-announce]

On 11/24/2015 12:55 AM, Vladimir Panteleev wrote:

This change could've been done with some community communication, no? Then we
could've gone into this prepared.



Jan just turned off the automatic http: => https: redirect. That will keep the 
site working as before giving time to get everything working with https:


I ask that everything that doesn't work with https: get filed as a bugzilla 
issue. I've filed these:


https://issues.dlang.org/show_bug.cgi?id=15378

Re: https everywhere!

[David Nadlinger via Digitalmars-d-announce]

On Monday, 23 November 2015 at 20:55:32 UTC, Walter Bright wrote:
I'm pleased to announce that Jan Knepper has gotten us some 
proper certificates now, and dlang.org and digitalmars.com are 
now fully https!


There are a number of issues with how SSL is set up on the 
server, from misconfiguration and/or outdated software: 
https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org=on


Compare this e.g. to issues.dlang.org, which achieves a solid A 
grade (although it uses a SHA-1 intermediary certificate, which 
will lead to issues soon): 
https://www.ssllabs.com/ssltest/analyze.html?d=issues.dlang.org=on


 — David

Re: https everywhere!

[duff via Digitalmars-d-announce]

On Tuesday, 24 November 2015 at 18:59:39 UTC, David Nadlinger 
wrote:
On Monday, 23 November 2015 at 20:55:32 UTC, Walter Bright 
wrote:
I'm pleased to announce that Jan Knepper has gotten us some 
proper certificates now, and dlang.org and digitalmars.com are 
now fully https!


There are a number of issues with how SSL is set up on the 
server, from misconfiguration and/or outdated software: 
https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org=on


Compare this e.g. to issues.dlang.org, which achieves a solid A 
grade (although it uses a SHA-1 intermediary certificate, which 
will lead to issues soon): 
https://www.ssllabs.com/ssltest/analyze.html?d=issues.dlang.org=on


 — David


You're part of the bikscheder team.

Re: https everywhere!

[David Nadlinger via Digitalmars-d-announce]

On Tuesday, 24 November 2015 at 19:13:22 UTC, duff wrote:

You're part of the bikscheder team.


What is this even supposed to mean?

 — David

Re: https everywhere!

[Vladimir Panteleev via Digitalmars-d-announce]

On Monday, 23 November 2015 at 21:18:58 UTC, Walter Bright wrote:

On 11/23/2015 1:11 PM, Adam D. Ruppe wrote:
On Monday, 23 November 2015 at 20:55:32 UTC, Walter Bright 
wrote:
I'm pleased to announce that Jan Knepper has gotten us some 
proper
certificates now, and dlang.org and digitalmars.com are now 
fully https!


So it isn't actually https everywhere. On a https 
page, the browsers by
default block any external asset which itself isn't https 
loaded.


The forum and TWID widgets are not https and now no longer 
load on the homepage :(


The widgets don't, but the forums worked when I tried it.


The forum widget isn't going to work until the forum is also 
HTTPS with a valid certificate.


Sorry, I'm not going to pay for my own SSL certificate :) You'll 
either have to share, or wait until Let's Encrypt goes live and I 
get around to setting it up.

Re: https everywhere!

[Vladimir Panteleev via Digitalmars-d-announce]

On Monday, 23 November 2015 at 20:55:32 UTC, Walter Bright wrote:
I'm pleased to announce that Jan Knepper has gotten us some 
proper certificates now, and dlang.org and digitalmars.com are 
now fully https!


Forcing HTTPS has broken:

- The forum widget on the front page
- This week's "This Week in D" excerpt on the front page
- Runnable examples on the front page (more so than usual, now 
they are completely broken)


Effectively our front page is now a broken mess.

This change could've been done with some community communication, 
no? Then we could've gone into this prepared.

Re: https everywhere!

[Andrea Fontana via Digitalmars-d-announce]

On Monday, 23 November 2015 at 20:55:32 UTC, Walter Bright wrote:
I'm pleased to announce that Jan Knepper has gotten us some 
proper certificates now, and dlang.org and digitalmars.com are 
now fully https!


Chrome warns me saying that dlang connectio is encrypted with 
obsolete cryptography

Re: https everywhere!

[Adam D. Ruppe via Digitalmars-d-announce]

On Monday, 23 November 2015 at 20:55:32 UTC, Walter Bright wrote:
I'm pleased to announce that Jan Knepper has gotten us some 
proper certificates now, and dlang.org and digitalmars.com are 
now fully https!


So it isn't actually https everywhere. On a https page, 
the browsers by default block any external asset which itself 
isn't https loaded.


The forum and TWID widgets are not https and now no longer load 
on the homepage :(

Re: https everywhere!

[Walter Bright via Digitalmars-d-announce]

On 11/23/2015 1:11 PM, Adam D. Ruppe wrote:

On Monday, 23 November 2015 at 20:55:32 UTC, Walter Bright wrote:

I'm pleased to announce that Jan Knepper has gotten us some proper
certificates now, and dlang.org and digitalmars.com are now fully https!


So it isn't actually https everywhere. On a https page, the browsers by
default block any external asset which itself isn't https loaded.

The forum and TWID widgets are not https and now no longer load on the homepage 
:(


The widgets don't, but the forums worked when I tried it.

Re: https everywhere!

[cym13 via Digitalmars-d-announce]

On Monday, 23 November 2015 at 21:18:58 UTC, Walter Bright wrote:

The widgets don't, but the forums worked when I tried it.


Firefox 42.0 here, neither the widgets nor the forums worked.

Re: https everywhere

[Kagamin]

On Friday, 21 February 2014 at 21:44:19 UTC, Dicebot wrote:
Any certificate is tied to domain or masked domain. Covering 
both *.digitalmars.com and *.dlang.org with same certificate is 
impossible.


Doesn't google use single certificate for all its domains 
(multiple masks)?

Re: https everywhere

[Kagamin]

On Friday, 21 February 2014 at 23:10:12 UTC, Jan Knepper wrote:

Neither have I...
I know there is www.cacert.org but as far as I know their certs 
are still not integrated in the browser SSL store.


Last I checked cacert used their root key for automated signing, 
which is sort of scary, and their roadmap to migrate to proper CA 
hierarchy was long. No wonder they got no acceptance.

Re: https everywhere

[Kagamin]

On Friday, 21 February 2014 at 20:34:12 UTC, Walter Bright wrote:

dlang.org and dconf.org now support https,

https://dlang.org
https://dconf.org

Note that this is a self-signed certificate, and so when you 
first access it you'll get a dire warning from your browser.


hyphenator is linked through http, so the page is reported as 
partially encrypted. It will probably chase us in nightmares.

Re: https everywhere

[deadalnix]

On Friday, 21 February 2014 at 20:34:12 UTC, Walter Bright wrote:

dlang.org and dconf.org now support https,

https://dlang.org
https://dconf.org

Note that this is a self-signed certificate, and so when you 
first access it you'll get a dire warning from your browser.


Captcha in the forum to avoid spam do not work when using HTTPS

Re: https everywhere

[Rikki Cattermole]

On Saturday, 22 February 2014 at 06:59:00 UTC, Nick Sabalausky 
wrote:
Perhaps so. Although FWIW, there's also a *lot* of average-joe 
users (I personally know far too many) who flat-out *refuse* to 
read any word that ever appears on their screen. These 
retards^H^H^H^H^H^H^Hpeople^H^H^H^H^H^Hworthless wastes of 
carbon view words as things to be immediately shoo'ed away in 
a frenzy of mindless clicking and How do I make this go 
away?!?!? (Me: Uhh, make what...well What does it say? The 
Retard: I dunno. I didn't read it. 
[silently:]FFFCCCK YOOOUUU).


To be perfectly honest I actually *am* genuinely surprised to 
hear of the existence of retards who actually *do* read words 
on screens. Sounds almost like a paradise of geniuses compared 
to the bullshit I've always had to put up with.


And this is where if you're doing IT support, you add a nice 
little clause which requires them to read, and tell you any 
message they get. If they don't, well there won't be any stress 
on your end ;)

Re: https everywhere

[Walter Bright]

On 2/22/2014 12:43 AM, Dmitry Olshansky wrote:

This. And since the site isn't dynamic and doesn't transmit private data the
advantage of self-signed cert is highly dubious ;)


There isn't any private data on the site, it's just getting on the https 
everywhere bandwagon.

Re: https everywhere

[Dmitry Olshansky]

22-Feb-2014 13:12, Walter Bright пишет:

On 2/22/2014 12:43 AM, Dmitry Olshansky wrote:

This. And since the site isn't dynamic and doesn't transmit private
data the
advantage of self-signed cert is highly dubious ;)


There isn't any private data on the site, it's just getting on the
https everywhere bandwagon.



Yes, and then you get nothing useful - self-signed certificate doesn't 
prove the authenticity of your website.


Hence it's both useless and potentially harmful due to browser barking 
on the self-signed crap and scaring our users away.


Either get a CA-signed cert or we are much better off with plain HTTP.

--
Dmitry Olshansky

Re: https everywhere

[Sönke Ludwig]

Am 21.02.2014 21:34, schrieb Walter Bright:

dlang.org and dconf.org now support https,

https://dlang.org
https://dconf.org

Note that this is a self-signed certificate, and so when you first
access it you'll get a dire warning from your browser.


When the certificate discussion is settled, it would be good to also get 
code.dlang.org set up for HTTPS, because it processes log in and 
registration requests containing passwords.

Re: https everywhere

[Adam Wilson]

On Fri, 21 Feb 2014 12:35:10 -0800, Dicebot pub...@dicebot.lv wrote:


On Friday, 21 February 2014 at 20:34:12 UTC, Walter Bright wrote:

dlang.org and dconf.org now support https,

https://dlang.org
https://dconf.org

Note that this is a self-signed certificate, and so when you first  
access it you'll get a dire warning from your browser.


Why can't free startssl certificate be used?


It probably has to do with the fact that the NSA owns every Root Signing  
Key in the world.


--
Adam Wilson
GitHub/IRC: LightBender
Aurora Project Coordinator

Re: https everywhere

[Dicebot]

On Friday, 21 February 2014 at 20:34:12 UTC, Walter Bright wrote:

dlang.org and dconf.org now support https,

https://dlang.org
https://dconf.org

Note that this is a self-signed certificate, and so when you 
first access it you'll get a dire warning from your browser.


Why can't free startssl certificate be used?

Re: https everywhere

[Adam Wilson]

On Fri, 21 Feb 2014 12:42:10 -0800, Dicebot pub...@dicebot.lv wrote:


On Friday, 21 February 2014 at 20:39:28 UTC, Adam Wilson wrote:
It probably has to do with the fact that the NSA owns every Root  
Signing Key in the world.


And how it is relevant? Not like we are speaking about security here -  
nothing sensitive is transferred from dlang.org; using self-signed  
certificates for public pages is just weird.


I agree, it's not exactly welcoming due to how browsers handle them.

--
Adam Wilson
GitHub/IRC: LightBender
Aurora Project Coordinator

Re: https everywhere

[Dicebot]

On Friday, 21 February 2014 at 20:40:24 UTC, Walter Bright wrote:

Why can't free startssl certificate be used?


I never heard of it.


https://www.startssl.com/?app=1

Re: https everywhere

[Dicebot]

On Friday, 21 February 2014 at 20:39:28 UTC, Adam Wilson wrote:
It probably has to do with the fact that the NSA owns every 
Root Signing Key in the world.


And how it is relevant? Not like we are speaking about security 
here - nothing sensitive is transferred from dlang.org; using 
self-signed certificates for public pages is just weird.

Re: https everywhere

[Walter Bright]

On 2/21/2014 12:35 PM, Dicebot wrote:

On Friday, 21 February 2014 at 20:34:12 UTC, Walter Bright wrote:

dlang.org and dconf.org now support https,

https://dlang.org
https://dconf.org

Note that this is a self-signed certificate, and so when you first access it
you'll get a dire warning from your browser.


Why can't free startssl certificate be used?


I never heard of it.

Re: https everywhere

[Dmitry Olshansky]

22-Feb-2014 00:34, Walter Bright пишет:

dlang.org and dconf.org now support https,

https://dlang.org
https://dconf.org


Good idea.


Note that this is a self-signed certificate, and so when you first
access it you'll get a dire warning from your browser.


That gets horribly wrong. With this kind of stuff we'd just scare away 
new users. Surely a CA signed SSL cert doesn't cost that much to ignore it.


--
Dmitry Olshansky

Re: https everywhere

[Adam Wilson]

On Fri, 21 Feb 2014 12:40:29 -0800, Walter Bright  
newshou...@digitalmars.com wrote:



On 2/21/2014 12:35 PM, Dicebot wrote:

On Friday, 21 February 2014 at 20:34:12 UTC, Walter Bright wrote:

dlang.org and dconf.org now support https,

https://dlang.org
https://dconf.org

Note that this is a self-signed certificate, and so when you first  
access it

you'll get a dire warning from your browser.


Why can't free startssl certificate be used?


I never heard of it.


I don't think they allow it for anything other than personal use though.

--
Adam Wilson
GitHub/IRC: LightBender
Aurora Project Coordinator

Re: https everywhere

[deadalnix]

On Friday, 21 February 2014 at 20:35:12 UTC, Dicebot wrote:
On Friday, 21 February 2014 at 20:34:12 UTC, Walter Bright 
wrote:

dlang.org and dconf.org now support https,

https://dlang.org
https://dconf.org

Note that this is a self-signed certificate, and so when you 
first access it you'll get a dire warning from your browser.


Why can't free startssl certificate be used?


The whole certification principle is about how much you trust who 
sign the certificate. I trust digital mas much more than startssl.

Re: https everywhere

[Brad Anderson]

On Friday, 21 February 2014 at 20:46:05 UTC, Adam Wilson wrote:
On Fri, 21 Feb 2014 12:40:29 -0800, Walter Bright 
newshou...@digitalmars.com wrote:

Why can't free startssl certificate be used?


I never heard of it.


I don't think they allow it for anything other than personal 
use though.


Nope, they can be used for any purpose. All they do is verify you 
own the domain in question (not do the more rigorous confirmation 
of actual identity).


For $59.90 Walter could get a class 2 organization verification 
for Digital Mars and do code signing so we can get rid of that 
scary message when people run the installer. We use StartSSL for 
our code signing and website SSL and are happy with it.

Re: https everywhere

[Steven Schveighoffer]

On Fri, 21 Feb 2014 15:55:02 -0500, deadalnix deadal...@gmail.com wrote:


On Friday, 21 February 2014 at 20:35:12 UTC, Dicebot wrote:

On Friday, 21 February 2014 at 20:34:12 UTC, Walter Bright wrote:

dlang.org and dconf.org now support https,

https://dlang.org
https://dconf.org

Note that this is a self-signed certificate, and so when you first  
access it you'll get a dire warning from your browser.


Why can't free startssl certificate be used?


The whole certification principle is about how much you trust who sign  
the certificate. I trust digital mas much more than startssl.


The problem is not who deadalnix trusts, it's who the browser trusts.

I agree with others here, it should not be self-signed. It should be  
either unencrypted, or a trusted CA certificate.


-Steve

Re: https everywhere

[Dicebot]

On Friday, 21 February 2014 at 20:55:04 UTC, deadalnix wrote:

On Friday, 21 February 2014 at 20:35:12 UTC, Dicebot wrote:
On Friday, 21 February 2014 at 20:34:12 UTC, Walter Bright 
wrote:

dlang.org and dconf.org now support https,

https://dlang.org
https://dconf.org

Note that this is a self-signed certificate, and so when you 
first access it you'll get a dire warning from your browser.


Why can't free startssl certificate be used?


The whole certification principle is about how much you trust 
who sign the certificate. I trust digital mas much more than 
startssl.


Wrong. Don't confuse PGP with SSL, latter has nothing to do with 
trust in its current form.

Re: https everywhere

[Walter Bright]

On 2/21/2014 12:57 PM, Brad Anderson wrote:

For $59.90 Walter could get a class 2 organization verification for Digital Mars
and do code signing so we can get rid of that scary message when people run the
installer. We use StartSSL for our code signing and website SSL and are happy
with it.


Would that work for all the websites? I.e. digitalmars.com, dlang.org, etc., or 
would it be a separate charge for each?

Re: https everywhere

[Brad Anderson]

On Friday, 21 February 2014 at 21:37:39 UTC, Walter Bright wrote:

On 2/21/2014 12:57 PM, Brad Anderson wrote:
For $59.90 Walter could get a class 2 organization 
verification for Digital Mars
and do code signing so we can get rid of that scary message 
when people run the
installer. We use StartSSL for our code signing and website 
SSL and are happy

with it.


Would that work for all the websites? I.e. digitalmars.com, 
dlang.org, etc., or would it be a separate charge for each?


The one cost and you could cover everything. StartSSL is novel in 
that all they do is verify your identity then let you generate as 
many certificates as you want. Most other CAs charge on a per 
certificate basis. I'm pretty happy with StartSSL apart from 
their terrible website.

Re: https everywhere

[Brad Roberts]

On 2/21/14, 12:34 PM, Walter Bright wrote:

dlang.org and dconf.org now support https,

https://dlang.org
https://dconf.org

Note that this is a self-signed certificate, and so when you first
access it you'll get a dire warning from your browser.


At this point I'm just repeating what others have already said, but 
self-signed is seriously unprofessional.  It's worse than not having 
https from a reputation standpoint.

Re: https everywhere

[Dicebot]

On Friday, 21 February 2014 at 21:37:39 UTC, Walter Bright wrote:
Would that work for all the websites? I.e. digitalmars.com, 
dlang.org, etc., or would it be a separate charge for each?


Any certificate is tied to domain or masked domain. Covering both 
*.digitalmars.com and *.dlang.org with same certificate is 
impossible.

Re: https everywhere

[Nick Sabalausky]

On 2/21/2014 4:39 PM, Brad Anderson wrote:

On Friday, 21 February 2014 at 21:37:39 UTC, Walter Bright wrote:


Would that work for all the websites? I.e. digitalmars.com, dlang.org,
etc., or would it be a separate charge for each?


The one cost and you could cover everything. StartSSL is novel in that
all they do is verify your identity then let you generate as many
certificates as you want. Most other CAs charge on a per certificate
basis. I'm pretty happy with StartSSL apart from their terrible website.


This is true (I do it on my server, hosting a couple domains ATM).

However, unless they've changed it since I last looked, you can't do 
subdomains (other than www.*) with their free cert.

Re: https everywhere

[Nick Sabalausky]

On 2/21/2014 3:57 PM, Brad Anderson wrote:


For $59.90 Walter could get a class 2 organization verification for
Digital Mars and do code signing so we can get rid of that scary message
when people run the installer. We use StartSSL for our code signing and
website SSL and are happy with it.


I think it's pretty much standard practice in the Windows world to 
ignore that warning. I've seen very little software that does bother 
with that code signing.

Re: https everywhere

[Nick Sabalausky]

On 2/21/2014 3:55 PM, deadalnix wrote:

On Friday, 21 February 2014 at 20:35:12 UTC, Dicebot wrote:

On Friday, 21 February 2014 at 20:34:12 UTC, Walter Bright wrote:

dlang.org and dconf.org now support https,

https://dlang.org
https://dconf.org

Note that this is a self-signed certificate, and so when you first
access it you'll get a dire warning from your browser.


Why can't free startssl certificate be used?


The whole certification principle is about how much you trust who sign
the certificate. I trust digital mas much more than startssl.


Self-signed certs *can't* be trusted to be from the party they claim to 
be from. Anyone can generate a self-signed cert claiming to be Digital Mars.

Re: https everywhere

[Brad Anderson]

On Friday, 21 February 2014 at 21:50:21 UTC, Nick Sabalausky 
wrote:

On 2/21/2014 3:57 PM, Brad Anderson wrote:


For $59.90 Walter could get a class 2 organization 
verification for
Digital Mars and do code signing so we can get rid of that 
scary message
when people run the installer. We use StartSSL for our code 
signing and

website SSL and are happy with it.


I think it's pretty much standard practice in the Windows world 
to ignore that warning. I've seen very little software that 
does bother with that code signing.


I think it's ignored by users like you and I but at my work we'd 
get worried calls from our customers thinking our installer was 
unsafe so we ended up adding code signing.

Re: https everywhere

[Brad Anderson]

On Friday, 21 February 2014 at 21:44:19 UTC, Dicebot wrote:
On Friday, 21 February 2014 at 21:37:39 UTC, Walter Bright 
wrote:
Would that work for all the websites? I.e. digitalmars.com, 
dlang.org, etc., or would it be a separate charge for each?


Any certificate is tied to domain or masked domain. Covering 
both *.digitalmars.com and *.dlang.org with same certificate is 
impossible.


This doesn't apply because StartSSL lets you create as many 
certificates as you want.

Re: https everywhere

[Dicebot]

On Friday, 21 February 2014 at 22:52:46 UTC, Brad Anderson wrote:

On Friday, 21 February 2014 at 21:44:19 UTC, Dicebot wrote:
On Friday, 21 February 2014 at 21:37:39 UTC, Walter Bright 
wrote:
Would that work for all the websites? I.e. digitalmars.com, 
dlang.org, etc., or would it be a separate charge for each?


Any certificate is tied to domain or masked domain. Covering 
both *.digitalmars.com and *.dlang.org with same certificate 
is impossible.


This doesn't apply because StartSSL lets you create as many 
certificates as you want.


Yes, of course, but it won't be the same certificate. Walters 
question was about paid verified certificates.

Re: https everywhere

[Jan Knepper]

On 2/21/14, 3:43 PM, Adam Wilson wrote:

On Fri, 21 Feb 2014 12:42:10 -0800, Dicebot pub...@dicebot.lv wrote:


On Friday, 21 February 2014 at 20:39:28 UTC, Adam Wilson wrote:

It probably has to do with the fact that the NSA owns every Root
Signing Key in the world.


And how it is relevant? Not like we are speaking about security here -
nothing sensitive is transferred from dlang.org; using self-signed
certificates for public pages is just weird.


I agree, it's not exactly welcoming due to how browsers handle them.



Read what the browser says. Look at the information the browser displays 
the certificate. What then is the problem???

Re: https everywhere

[Jan Knepper]

On 2/21/14, 3:35 PM, Dicebot wrote:

On Friday, 21 February 2014 at 20:34:12 UTC, Walter Bright wrote:

dlang.org and dconf.org now support https,

https://dlang.org
https://dconf.org

Note that this is a self-signed certificate, and so when you first
access it you'll get a dire warning from your browser.


Why can't free startssl certificate be used?


We could use a Free StartSSL certificate if that gives any benefit over 
a self-signed certificate.

Re: https everywhere

[Jan Knepper]

On 2/21/14, 3:55 PM, deadalnix wrote:

On Friday, 21 February 2014 at 20:35:12 UTC, Dicebot wrote:

On Friday, 21 February 2014 at 20:34:12 UTC, Walter Bright wrote:

dlang.org and dconf.org now support https,

https://dlang.org
https://dconf.org

Note that this is a self-signed certificate, and so when you first
access it you'll get a dire warning from your browser.


Why can't free startssl certificate be used?


The whole certification principle is about how much you trust who sign
the certificate. I trust digital mas much more than startssl.


:-)

Re: https everywhere

[Brad Anderson]

On Friday, 21 February 2014 at 22:59:39 UTC, Dicebot wrote:
On Friday, 21 February 2014 at 22:52:46 UTC, Brad Anderson 
wrote:

On Friday, 21 February 2014 at 21:44:19 UTC, Dicebot wrote:
On Friday, 21 February 2014 at 21:37:39 UTC, Walter Bright 
wrote:
Would that work for all the websites? I.e. digitalmars.com, 
dlang.org, etc., or would it be a separate charge for each?


Any certificate is tied to domain or masked domain. Covering 
both *.digitalmars.com and *.dlang.org with same certificate 
is impossible.


This doesn't apply because StartSSL lets you create as many 
certificates as you want.


Yes, of course, but it won't be the same certificate. Walters 
question was about paid verified certificates.


Walter's question is about whether the paid StartSSL verification 
I mentioned would let him cover all of those things for a single 
price (which it would). Not about whether a single certificate 
could be made to cover all of those things.

Re: https everywhere

[Jan Knepper]

On 2/21/14, 3:40 PM, Walter Bright wrote:

On 2/21/2014 12:35 PM, Dicebot wrote:

On Friday, 21 February 2014 at 20:34:12 UTC, Walter Bright wrote:

dlang.org and dconf.org now support https,

https://dlang.org
https://dconf.org

Note that this is a self-signed certificate, and so when you first
access it
you'll get a dire warning from your browser.


Why can't free startssl certificate be used?


I never heard of it.


Neither have I...
I know there is www.cacert.org but as far as I know their certs are 
still not integrated in the browser SSL store.

Re: https everywhere

[Dicebot]

On Friday, 21 February 2014 at 23:12:32 UTC, Brad Anderson wrote:
Walter's question is about whether the paid StartSSL 
verification I mentioned would let him cover all of those 
things for a single price (which it would). Not about whether a 
single certificate could be made to cover all of those things.


Then please disregard my obviously wrong answer :)

Re: https everywhere

[Ryan Chouinard]

On Friday, 21 February 2014 at 23:10:12 UTC, Jan Knepper wrote:

On 2/21/14, 3:40 PM, Walter Bright wrote:

On 2/21/2014 12:35 PM, Dicebot wrote:
On Friday, 21 February 2014 at 20:34:12 UTC, Walter Bright 
wrote:

dlang.org and dconf.org now support https,

https://dlang.org
https://dconf.org

Note that this is a self-signed certificate, and so when you 
first

access it
you'll get a dire warning from your browser.


Why can't free startssl certificate be used?


I never heard of it.


Neither have I...
I know there is www.cacert.org but as far as I know their certs 
are still not integrated in the browser SSL store.


Just going to throw this out there, but GlobalSign offers free
wildcard certificates to open source projects. GlobalSign's root
is in the standard CA stores. Might be worth checking out.
https://www.globalsign.com/ssl/ssl-open-source/

Disclaimer: I am a GlobalSign reseller, but I have nothing to
gain from their free certificate offers.

Re: https everywhere

[Leandro Lucarella]

Brad Anderson, el 21 de February a las 21:39 me escribiste:
 On Friday, 21 February 2014 at 21:37:39 UTC, Walter Bright wrote:
 On 2/21/2014 12:57 PM, Brad Anderson wrote:
 For $59.90 Walter could get a class 2 organization verification
 for Digital Mars
 and do code signing so we can get rid of that scary message when
 people run the
 installer. We use StartSSL for our code signing and website SSL
 and are happy
 with it.
 
 Would that work for all the websites? I.e. digitalmars.com,
 dlang.org, etc., or would it be a separate charge for each?
 
 The one cost and you could cover everything. StartSSL is novel in
 that all they do is verify your identity then let you generate as
 many certificates as you want. Most other CAs charge on a per
 certificate basis. I'm pretty happy with StartSSL apart from their
 terrible website.

I use the free certificates and it works very nicely!

-- 
Leandro Lucarella (AKA luca) http://llucax.com.ar/
--
No existe nada más intenso que un reloj, ni nada más flaco que una
bicicleta. No intenso como el café, ni flaco como escopeta.
-- Ricardo Vaporeso

Re: https everywhere

[Leandro Lucarella]

Nick Sabalausky, el 21 de February a las 16:47 me escribiste:
 On 2/21/2014 4:39 PM, Brad Anderson wrote:
 On Friday, 21 February 2014 at 21:37:39 UTC, Walter Bright wrote:
 
 Would that work for all the websites? I.e. digitalmars.com, dlang.org,
 etc., or would it be a separate charge for each?
 
 The one cost and you could cover everything. StartSSL is novel in that
 all they do is verify your identity then let you generate as many
 certificates as you want. Most other CAs charge on a per certificate
 basis. I'm pretty happy with StartSSL apart from their terrible website.
 
 This is true (I do it on my server, hosting a couple domains ATM).
 
 However, unless they've changed it since I last looked, you can't do
 subdomains (other than www.*) with their free cert.

No, you can use any subdomain, you can't use wildcards, but you can get
as many subdomains as you want. To use several subdomains in one server,
your server must support SNI[1], but any modern webserver should support
it.

[1] https://en.wikipedia.org/wiki/Server_Name_Indication

-- 
Leandro Lucarella (AKA luca) http://llucax.com.ar/
--
De las generaciones venideras espero, nada más, que vengan.
-- Ricardo Vaporeso

Re: https everywhere

[Nick Sabalausky]

On 2/22/2014 12:09 AM, Leandro Lucarella wrote:

Nick Sabalausky, el 21 de February a las 16:47 me escribiste:

On 2/21/2014 4:39 PM, Brad Anderson wrote:

On Friday, 21 February 2014 at 21:37:39 UTC, Walter Bright wrote:


Would that work for all the websites? I.e. digitalmars.com, dlang.org,
etc., or would it be a separate charge for each?


The one cost and you could cover everything. StartSSL is novel in that
all they do is verify your identity then let you generate as many
certificates as you want. Most other CAs charge on a per certificate
basis. I'm pretty happy with StartSSL apart from their terrible website.


This is true (I do it on my server, hosting a couple domains ATM).

However, unless they've changed it since I last looked, you can't do
subdomains (other than www.*) with their free cert.


No, you can use any subdomain, you can't use wildcards, but you can get
as many subdomains as you want. To use several subdomains in one server,
your server must support SNI[1], but any modern webserver should support
it.

[1] https://en.wikipedia.org/wiki/Server_Name_Indication



I've tried to get a subdomain cert from them, but their system 
complained that I already had a cert from them for the same domain.

Re: https everywhere

[Nick Sabalausky]

On 2/21/2014 5:50 PM, Brad Anderson wrote:

On Friday, 21 February 2014 at 21:50:21 UTC, Nick Sabalausky wrote:

On 2/21/2014 3:57 PM, Brad Anderson wrote:


For $59.90 Walter could get a class 2 organization verification for
Digital Mars and do code signing so we can get rid of that scary message
when people run the installer. We use StartSSL for our code signing and
website SSL and are happy with it.


I think it's pretty much standard practice in the Windows world to
ignore that warning. I've seen very little software that does bother
with that code signing.


I think it's ignored by users like you and I but at my work we'd get
worried calls from our customers thinking our installer was unsafe so we
ended up adding code signing.


Perhaps so. Although FWIW, there's also a *lot* of average-joe users (I 
personally know far too many) who flat-out *refuse* to read any word 
that ever appears on their screen. These 
retards^H^H^H^H^H^H^Hpeople^H^H^H^H^H^Hworthless wastes of carbon view 
words as things to be immediately shoo'ed away in a frenzy of mindless 
clicking and How do I make this go away?!?!? (Me: Uhh, make 
what...well What does it say? The Retard: I dunno. I didn't read it. 
[silently:]FFFCCCK YOOOUUU).


To be perfectly honest I actually *am* genuinely surprised to hear of 
the existence of retards who actually *do* read words on screens. Sounds 
almost like a paradise of geniuses compared to the bullshit I've always 
had to put up with.