Re: https everywhere update - dlang.org gets an "A" now!

2015-12-11 Thread Basile B. via Digitalmars-d-announce

On Friday, 11 December 2015 at 21:22:06 UTC, Basile B. wrote:
> On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright wrote:
>> Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.
>
> https://www.youtube.com/watch?v=OqkYr5uIreg=youtu.be=49s

we're safe...


Re: https everywhere update - dlang.org gets an "A" now!

2015-12-11 Thread Basile B. via Digitalmars-d-announce
On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright wrote:
> Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.

https://www.youtube.com/watch?v=OqkYr5uIreg=youtu.be=49s


Re: https everywhere update - dlang.org gets an "A" now!

2015-12-11 Thread Basile B. via Digitalmars-d-announce

On Friday, 11 December 2015 at 21:24:07 UTC, Basile B. wrote:
> On Friday, 11 December 2015 at 21:22:06 UTC, Basile B. wrote:
>> On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright wrote:
>>> Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.
>>
>> https://www.youtube.com/watch?v=OqkYr5uIreg=youtu.be=49s
>
> we're safe...

I hope you get the irony...


Re: https everywhere update - dlang.org gets an "A" now!

2015-12-08 Thread Sönke Ludwig via Digitalmars-d-announce

Now also certified (Let's Encrypt made this really straightforward):

https://code.dlang.org/
https://forum.rejectedsoftware.com/
https://vibed.org/

All pass with an A for the ssllabs.com test. I'll also set up default 
HTTP->HTTPS redirects.




Re: https everywhere update - dlang.org gets an "A" now!

2015-12-07 Thread Kapps via Digitalmars-d-announce
On Monday, 7 December 2015 at 14:38:39 UTC, Steven Schveighoffer wrote:
> On 12/6/15 11:32 AM, Marc Schütz wrote:
>> On Sunday, 6 December 2015 at 14:17:18 UTC, Steven Schveighoffer wrote:
>>> On 12/6/15 3:29 AM, Adil Baig via Digitalmars-d-announce wrote:
>>>> +1 Same error. This part may help :
>>>>
>>>> This server could not prove that it is *www.dlang.org*; its security
>>>> certificate is from *dlang.org*
>>>>
>>>> You will need a wild-card certificate (cheaper) or a certificate that
>>>> allows multiple domain names (more expensive, and probably not required)
>>>> for the cert to work.
>>>
>>> Or redirect www.dlang.org to dlang.org
>>
>> That won't help if someone already starts at https://www.dlang.org/ .
>
> I'm surprised it wouldn't. I wouldn't think a redirect would need to be
> encrypted.
>
> -Steve

It does. Otherwise you could bypass HTTPS entirely by replacing 
the redirect page with a non-encrypted copy of the dlang website 
with whatever modifications you like.


Re: https everywhere update - dlang.org gets an "A" now!

2015-12-07 Thread Steven Schveighoffer via Digitalmars-d-announce

On 12/6/15 11:32 AM, Marc Schütz wrote:
> On Sunday, 6 December 2015 at 14:17:18 UTC, Steven Schveighoffer wrote:
>> On 12/6/15 3:29 AM, Adil Baig via Digitalmars-d-announce wrote:
>>> +1 Same error. This part may help :
>>>
>>> This server could not prove that it is *www.dlang.org*; its security
>>> certificate is from *dlang.org*
>>>
>>> You will need a wild-card certificate (cheaper) or a certificate that
>>> allows multiple domain names (more expensive, and probably not required)
>>> for the cert to work.
>>
>> Or redirect www.dlang.org to dlang.org
>
> That won't help if someone already starts at https://www.dlang.org/ .

I'm surprised it wouldn't. I wouldn't think a redirect would need to be 
encrypted.

-Steve


Re: https everywhere update - dlang.org gets an "A" now!

2015-12-07 Thread Chris Wright via Digitalmars-d-announce
On Mon, 07 Dec 2015 14:48:52 +, Kapps wrote:
> On Monday, 7 December 2015 at 14:38:39 UTC, Steven Schveighoffer wrote:
>> I'm surprised it wouldn't. I wouldn't think a redirect would need to be
>> encrypted.
>>
>> -Steve
> 
> It does. Otherwise you could bypass HTTPS entirely by replacing the
> redirect page with a non-encrypted copy of the dlang website with
> whatever modifications you like.

Well, only if you're trying to protect against MITM attacks. If you're 
only worried about people packet sniffing, you can redirect from an 
unencrypted page without a care.

In a situation like this, where approximately no sensitive information is 
going back and forth, MITM isn't much of a concern (and packet sniffing 
isn't, either, for the most part, except if you're logging in with a 
password you reuse elsewhere).


Re: https everywhere update - dlang.org gets an "A" now!

2015-12-06 Thread Steven Schveighoffer via Digitalmars-d-announce

On 12/6/15 3:29 AM, Adil Baig via Digitalmars-d-announce wrote:
> +1 Same error. This part may help :
>
> This server could not prove that it is *www.dlang.org*; its security
> certificate is from *dlang.org*
>
> You will need a wild-card certificate (cheaper) or a certificate that
> allows multiple domain names (more expensive, and probably not required)
> for the cert to work.

Or redirect www.dlang.org to dlang.org

-Steve


Re: https everywhere update - dlang.org gets an "A" now!

2015-12-06 Thread Marc Schütz via Digitalmars-d-announce
On Sunday, 6 December 2015 at 14:17:18 UTC, Steven Schveighoffer wrote:
> On 12/6/15 3:29 AM, Adil Baig via Digitalmars-d-announce wrote:
>> +1 Same error. This part may help :
>>
>> This server could not prove that it is *www.dlang.org*; its security
>> certificate is from *dlang.org*
>>
>> You will need a wild-card certificate (cheaper) or a certificate that
>> allows multiple domain names (more expensive, and probably not required)
>> for the cert to work.
>
> Or redirect www.dlang.org to dlang.org
>
> -Steve

That won't help if someone already starts at 
https://www.dlang.org/ .


Re: https everywhere update - dlang.org gets an "A" now!

2015-12-06 Thread Adil Baig via Digitalmars-d-announce
+1 Same error. This part may help :

This server could not prove that it is *www.dlang.org*; its security
certificate is from *dlang.org*

You will need a wild-card certificate (cheaper) or a certificate that
allows multiple domain names (more expensive, and probably not required)
for the cert to work.

Adil

On Sun, Dec 6, 2015 at 10:42 AM, mattcoder via Digitalmars-d-announce <
digitalmars-d-announce@puremagic.com> wrote:

> On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright wrote:
>
>> Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.
>>
>
> This is what I get when I try: https://www.dlang.org/
>
> "Your connection is not private
>
> Attackers might be trying to steal your information from www.dlang.org
> (for example, passwords, messages, or credit cards).
> NET::ERR_CERT_COMMON_NAME_INVALID"
>
> Matheus.
>


Re: https everywhere update - dlang.org gets an "A" now!

2015-12-06 Thread lobo via Digitalmars-d-announce

On Sunday, 6 December 2015 at 05:12:29 UTC, mattcoder wrote:
> On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright wrote:
>> Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.
>
> This is what I get when I try: https://www.dlang.org/
>
> "Your connection is not private
>
> Attackers might be trying to steal your information from
> www.dlang.org (for example, passwords, messages, or credit
> cards). NET::ERR_CERT_COMMON_NAME_INVALID"
>
> Matheus.

This is what I get on Firefox:

This Connection is Untrusted

You have asked Firefox to connect securely to www.dlang.org, but 
we can't confirm that your connection is secure.


[snip]...

Technical Details

www.dlang.org uses an invalid security certificate. The 
certificate is only valid for dlang.org (Error code: 
ssl_error_bad_cert_domain)


bye,
lobo


Re: https everywhere update - dlang.org gets an "A" now!

2015-12-06 Thread Kapps via Digitalmars-d-announce

On Sunday, 6 December 2015 at 08:29:07 UTC, Adil Baig wrote:
> +1 Same error. This part may help :
>
> This server could not prove that it is *www.dlang.org*; its security
> certificate is from *dlang.org*
>
> You will need a wild-card certificate (cheaper) or a certificate that
> allows multiple domain names (more expensive, and probably not required)
> for the cert to work.
>
> Adil


StartSSL allows for one subdomain on their free plan (which is 
generally the www subdomain). Letsencrypt allows for I think 5 
atm as well.
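
Added example (not part of any post in this thread): the hostname check behind the NET::ERR_CERT_COMMON_NAME_INVALID and ssl_error_bad_cert_domain errors quoted in the thread, run against constructed certificate name lists for the single-name, wildcard and multi-name options discussed. The function names and the simplified wildcard rule (whole leftmost label only, no public-suffix list) are assumptions of this sketch; a client performs this check during the TLS handshake, before the server can send any HTTP redirect.

```python
# Added example: matching a requested host against the DNS names listed in a
# certificate's subjectAltName. All certificate contents are constructed.

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, host):
    """True if one certificate DNS name (possibly a wildcard) covers host."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Simplification (assumption): require two fixed labels after the
        # wildcard, so "*.org" is rejected; real clients use a suffix list.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_covers(san_dns_names, host):
    """True if any name in the certificate covers the requested host."""
    return any(name_matches(n, host) for n in san_dns_names)

# Constructed name lists for the certificate options raised in the thread.
CERTS = {
    "single name": ["dlang.org"],
    "wildcard only": ["*.dlang.org"],
    "multi-name": ["dlang.org", "www.dlang.org"],
    "wildcard + apex": ["dlang.org", "*.dlang.org"],
}
HOSTS = ["dlang.org", "www.dlang.org", "forum.dlang.org"]

def coverage_table():
    """Map each constructed certificate to the hosts it does or does not cover."""
    return {label: {h: cert_covers(sans, h) for h in HOSTS}
            for label, sans in CERTS.items()}

if __name__ == "__main__":
    for label, row in coverage_table().items():
        cells = ", ".join(f"{h}={'ok' if ok else 'MISMATCH'}"
                          for h, ok in row.items())
        print(f"{label:16} {cells}")
```

A wildcard entry on its own does not cover the bare domain, so a certificate meant to serve both dlang.org and its subdomains has to list the apex name as well.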


Re: https everywhere update - dlang.org gets an "A" now!

2015-12-05 Thread mattcoder via Digitalmars-d-announce
On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright wrote:
> Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.

This is what I get when I try: https://www.dlang.org/

"Your connection is not private

Attackers might be trying to steal your information from 
www.dlang.org (for example, passwords, messages, or credit 
cards). NET::ERR_CERT_COMMON_NAME_INVALID"

Matheus.


Re: https everywhere update - dlang.org gets an "A" now!

2015-12-05 Thread deadalnix via Digitalmars-d-announce

Forum widgets are broken on the home page.


Re: https everywhere update - dlang.org gets an "A" now!

2015-12-04 Thread Saurabh Das via Digitalmars-d-announce
On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright wrote:
> On 11/24/2015 10:59 AM, David Nadlinger wrote:
>> On Monday, 23 November 2015 at 20:55:32 UTC, Walter Bright wrote:
>>> [...] proper
>>> [...] fully https!
>>
>> There are a number of issues with how SSL is set up on the server, from
>> misconfiguration and/or outdated software:
>> https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org=on
>>
>> Compare this e.g. to issues.dlang.org, which achieves a solid A grade (although
>> it uses a SHA-1 intermediary certificate, which will lead to issues soon):
>> https://www.ssllabs.com/ssltest/analyze.html?d=issues.dlang.org=on
>>
>>   — David
>
> https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org=on
>
> Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.


This is great.

Can the certificate also be used for forum.dlang.org? I get a 
warning when I visit https://forum.dlang.org




Re: https everywhere update - dlang.org gets an "A" now!

2015-12-03 Thread Jacob Carlborg via Digitalmars-d-announce

On 2015-12-04 02:38, Brad Anderson wrote:
> It's unfortunate it didn't come a bit sooner because now the NSA
> knows I read the entire DUB JSON thread, much to my shame.


You can expect a bill for "Wasting Time" in the mail anytime soon now :)

--
/Jacob Carlborg


Re: https everywhere update - dlang.org gets an "A" now!

2015-12-03 Thread Brad Anderson via Digitalmars-d-announce
On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright wrote:
> https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org=on
>
> Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.


Nice work by Jan. I know how big of a hassle things like this can 
be so taking the time to actually do it is much appreciated.


On a related note, Let's Encrypt hit public beta today[1]. With 
that I think we should be able to get all of the official 
infrastructure on TLS now. It's unfortunate it didn't come a bit 
sooner because now the NSA knows I read the entire DUB JSON 
thread, much to my shame.


1. https://letsencrypt.org/2015/12/03/entering-public-beta.html


Re: https everywhere update - dlang.org gets an "A" now!

2015-12-03 Thread David Nadlinger via Digitalmars-d-announce
On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright wrote:
> https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org=on
>
> Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.


Thanks!

Also displays as https in Chrome now.

 — David


Re: https everywhere update - dlang.org gets an "A" now!

2015-12-03 Thread Brad Roberts via Digitalmars-d-announce

On 12/3/15 5:38 PM, Brad Anderson via Digitalmars-d-announce wrote:
> On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright wrote:
>> https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org=on
>>
>> Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.
>
> Nice work by Jan. I know how big of a hassle things like this can be so taking
> the time to actually do it is much appreciated.
>
> On a related note, Let's Encrypt hit public beta today[1]. With that I think we
> should be able to get all of the official infrastructure on TLS now. It's
> unfortunate it didn't come a bit sooner because now the NSA knows I read the
> entire DUB JSON thread, much to my shame.
>
> 1. https://letsencrypt.org/2015/12/03/entering-public-beta.html


I'm glad that letsencrypt is out there doing the publicity, but getting and using ssl certs has been 
free via startssl for several years now.  What this new group is doing is the PR and marketing to 
get people to do it, of course under their own umbrella rather than another company's.


- Brad


Re: https everywhere update - dlang.org gets an "A" now!

2015-12-03 Thread David Nadlinger via Digitalmars-d-announce

On Friday, 4 December 2015 at 02:29:52 UTC, Brad Roberts wrote:
> I'm glad that letsencrypt is out there doing the publicity, but
> getting and using ssl certs has been free via startssl for
> several years now.  What this new group is doing is the PR and
> marketing to get people to do it, of course under their own
> umbrella rather than another company's.


The free StartSSL thing was also nigh-unusable – when I gave it a 
try, their in-browser CSR gen thing broke on whatever recent 
version of Firefox I was using, which left me with no cert, but 
them claiming I had exhausted their offer. They also have this 
weird thing where they offer "one host name plus domain" only, 
and charge users for revoking their cert (!).


 — David


https everywhere update - dlang.org gets an "A" now!

2015-12-02 Thread Walter Bright via Digitalmars-d-announce

On 11/24/2015 10:59 AM, David Nadlinger wrote:
> On Monday, 23 November 2015 at 20:55:32 UTC, Walter Bright wrote:
>> I'm pleased to announce that Jan Knepper has gotten us some proper
>> certificates now, and dlang.org and digitalmars.com are now fully https!
>
> There are a number of issues with how SSL is set up on the server, from
> misconfiguration and/or outdated software:
> https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org=on
>
> Compare this e.g. to issues.dlang.org, which achieves a solid A grade (although
> it uses a SHA-1 intermediary certificate, which will lead to issues soon):
> https://www.ssllabs.com/ssltest/analyze.html?d=issues.dlang.org=on
>
>   — David

https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org=on

Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.