
Mailing List Archive: Wikipedia: Wikitech

SSL certificates for Wikimedia sites

 

 



tim at tim-landscheidt

Jul 13, 2009, 6:17 AM

Post #1 of 19 (1661 views)
SSL certificates for Wikimedia sites

Hi,

with regard to the recent discussion on SSL, it would be
really nice to have the certificates issued by CAcert (whose
root certificate will not be included in many browsers for
some time) published on a trustworthy server (a footer on
<URI:https://www.wikimedia.org/> perhaps?). I'm primarily
thinking about the certificates for:

- wikitech.leuksman.com
- www.wikimedia.de

(Feel free to append if you encounter others.)

TIA,
Tim


_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


tim at tim-landscheidt

Jul 13, 2009, 6:20 AM

Post #2 of 19 (1610 views)
Re: SSL certificates for Wikimedia sites

I wrote:

> with regard to the recent discussion on SSL, it would be
> really nice to have the certificates issued by CAcert (whose
> root certificate will not be included in many browsers for
> some time) published on a trustworthy server (a footer on
> <URI:https://www.wikimedia.org/> perhaps?). [...]
^^^^^^^^^^^^^^^^^^^^^^^^^^
That should obviously have been
<URI:https://secure.wikimedia.org/>.

Tim


brion at wikimedia

Jul 13, 2009, 7:38 AM

Post #3 of 19 (1611 views)
Re: SSL certificates for Wikimedia sites

Tim Landscheidt wrote:
> with regard to the recent discussion on SSL, it would be
> really nice to have the certificates issued by CAcert (whose
> root certificate will not be included in many browsers for
> some time) published on a trustworthy server (a footer on
> <URI:https://www.wikimedia.org/> perhaps?).

We don't actively use CAcert anymore since we can afford certs which
don't toss confusing messages at visitors. :)

> I'm primarily thinking about the certificates for:
>
> - wikitech.leuksman.com

This is an old link from when we stuck our tech doc wiki on my personal
site for a while; you'll see there's a nicer cert at the permanent URL:
https://wikitech.wikimedia.org/

> - www.wikimedia.de

Wikimedia DE folks run this... Who can poke it?

-- brion

daniel at brightbyte

Jul 13, 2009, 7:44 AM

Post #4 of 19 (1614 views)
Re: SSL certificates for Wikimedia sites

Brion Vibber wrote:
>> - www.wikimedia.de
>
> Wikimedia DE folks run this... Who can poke it?

I can. We have a cert for https://secure.wikimedia.de/ which we use for
donations and stuff. What do we need one for www.wikimedia.de for?

-- daniel

tim at tim-landscheidt

Aug 12, 2009, 3:49 PM

Post #5 of 19 (1455 views)
Re: SSL certificates for Wikimedia sites

Brion Vibber <brion [at] wikimedia> wrote:

> [...]
>> I'm primarily thinking about the certificates for:

>> - wikitech.leuksman.com

> This is an old link from when we stuck our tech doc wiki on my personal
> site for a while; you'll see there's a nicer cert at the permanent URL:
> https://wikitech.wikimedia.org/
> [...]

Hmmm, the latter now shows a self-signed certificate again?

Tim


tim at tim-landscheidt

Aug 12, 2009, 3:51 PM

Post #6 of 19 (1460 views)
Re: SSL certificates for Wikimedia sites

Daniel Kinzler <daniel [at] brightbyte> wrote:

>>> - www.wikimedia.de

>> Wikimedia DE folks run this... Who can poke it?

> I can. We have a cert for https://secure.wikimedia.de/ which we use for
> donations and stuff. What do we need one for www.wikimedia.de for?

Well, www.wikimedia.de answers on port 443, so a valid
certificate would be kind of nice :-).

Tim


brion at wikimedia

Aug 12, 2009, 4:12 PM

Post #7 of 19 (1465 views)
Re: SSL certificates for Wikimedia sites

On 8/12/09 3:49 PM, Tim Landscheidt wrote:
> Brion Vibber<brion [at] wikimedia> wrote:
>
>> [...]
>>> I'm primarily thinking about the certificates for:
>
>>> - wikitech.leuksman.com
>
>> This is an old link from when we stuck our tech doc wiki on my personal
>> site for a while; you'll see there's a nicer cert at the permanent URL:
>> https://wikitech.wikimedia.org/
>> [...]
>
> Hmmm, the latter now shows a self-signed certificate again?

Yeah, but it's got the right URL at least! ;)

-- brion

george.herbert at gmail

Aug 12, 2009, 4:15 PM

Post #8 of 19 (1463 views)
Re: SSL certificates for Wikimedia sites

Unsecure Sockets Layer?

(I'll shut up now 8-)

On Wed, Aug 12, 2009 at 4:12 PM, Brion Vibber<brion [at] wikimedia> wrote:
> On 8/12/09 3:49 PM, Tim Landscheidt wrote:
>> Brion Vibber<brion [at] wikimedia>  wrote:
>>
>>> [...]
>>>> I'm primarily thinking about the certificates for:
>>
>>>> - wikitech.leuksman.com
>>
>>> This is an old link from when we stuck our tech doc wiki on my personal
>>> site for a while; you'll see there's a nicer cert at the permanent URL:
>>> https://wikitech.wikimedia.org/
>>> [...]
>>
>> Hmmm, the latter now shows a self-signed certificate again?
>
> Yeah, but it's got the right URL at least! ;)
>
> -- brion
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l [at] lists
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>



--
-george william herbert
george.herbert [at] gmail

midom.lists at gmail

Aug 13, 2009, 12:46 AM

Post #9 of 19 (1441 views)
Re: SSL certificates for Wikimedia sites

Hi!
>>
>> https://wikitech.wikimedia.org/
> Hmmm, the latter now shows a self-signed certificate again?

how is that an issue?

Domas

tim at tim-landscheidt

Aug 13, 2009, 6:29 AM

Post #10 of 19 (1444 views)
Re: SSL certificates for Wikimedia sites

Domas Mituzas <midom.lists [at] gmail> wrote:

>>> https://wikitech.wikimedia.org/
>> Hmmm, the latter now shows a self-signed certificate again?

> how is that an issue?

Most browsers (and RSS readers and ...) will bark at it as
"(potentially) unsafe". Therefore, IMHO Wikimedia should
either use established CA's certificates or publish
information on the "private" (or CAcert) certificates on a
trustworthy server, in paper publications, etc. where it can be
used to verify the certificates.

Tim

P. S.: Yes, it *is* highly unlikely that
wikitech.wikimedia.org's A record gets hijacked and a
MITM attack is staged as little could be gained.
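
The check proposed in the message above, comparing the certificate a server presents with a fingerprint published out of band, as an added example that is not part of the original thread. It uses SHA-256 fingerprints; the function names and the stand-in certificate bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_bytes):
    """SHA-256 over the certificate's DER encoding, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def normalize_fingerprint(text):
    """Accept 'AA:BB:...', spaced or plain hex; return lowercase hex."""
    cleaned = "".join(ch for ch in text if ch not in ": \t\r\n").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


def matches_published(der_bytes, published):
    """True only if the certificate is exactly the one that was published."""
    return hmac.compare_digest(fingerprint(der_bytes),
                               normalize_fingerprint(published))


def fetch_der(host, port=443, timeout=10):
    """Fetch the server certificate without chain validation.

    A self-signed certificate fails normal validation, so validation is off
    here; nothing else from this connection is used or trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_host(host, published, port=443):
    """Compare the certificate a host serves with the published fingerprint."""
    return matches_published(fetch_der(host, port), published)


# Constructed stand-in bytes, not a real certificate: the comparison depends
# only on the exact bytes, which is what makes a published fingerprint work.
SAMPLE_DER = b"constructed stand-in for a certificate's DER bytes"
_HEX = fingerprint(SAMPLE_DER).upper()
SAMPLE_PUBLISHED = ":".join(_HEX[i:i + 2] for i in range(0, 64, 2))

if __name__ == "__main__":
    print(matches_published(SAMPLE_DER, SAMPLE_PUBLISHED))         # same cert
    print(matches_published(SAMPLE_DER + b"!", SAMPLE_PUBLISHED))  # substituted
```

The published value has to reach the user over a channel that is already trusted (a page served with a browser-trusted certificate, or print), otherwise the comparison proves nothing.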


midom.lists at gmail

Aug 13, 2009, 7:41 AM

Post #11 of 19 (1441 views)
Re: SSL certificates for Wikimedia sites

Hi!

> Most browsers (and RSS readers and ...) will bark at it as
> "(potentially) unsafe". Therefore, IMHO Wikimedia should
> either use established CA's certificates or publish
> information on the "private" (or CAcert) certificates on a
> trustworthy server, in paper publications, etc. where it can be
> used to verify the certificates.

I know what happens when a self-signed certificate is used.
Why the heck is that an issue with wikitech.wikimedia.org wiki?

> P. S.: Yes, it *is* highly unlikely that
> wikitech.wikimedia.org's A record gets hijacked and a
> MITM attack is staged as little could be gained.

And then what?
I for one use HTTP to access that wiki, feel free to hijack my
account, and, um, vandalize. You won't need to do MITM for that,
actually, will save you some effort.

I thought there're more important issues out there ;-)

Domas

tim at tim-landscheidt

Aug 15, 2009, 12:37 PM

Post #12 of 19 (1401 views)
Re: SSL certificates for Wikimedia sites

Domas Mituzas <midom.lists [at] gmail> wrote:

>> Most browsers (and RSS readers and ...) will bark at it as
>> "(potentially) unsafe". Therefore, IMHO Wikimedia should
>> either use established CA's certificates or publish
>> information on the "private" (or CAcert) certificates on a
>> trustworthy server, in paper publications, etc. where it can be
>> used to verify the certificates.

> I know what happens when a self-signed certificate is used.
> Why the heck is that an issue with wikitech.wikimedia.org wiki?

Because when you access
<URI:https://wikitech.wikimedia.org/>, it will bark :-).
Would not all references to wikitech.leuksman.com have been
advertizing the HTTPS access (and the Google ratio is still
about 55900:209 :-)), I would not care. But IMVHO *if* HTTPS
requests are served, that should be done "properly".

>> P. S.: Yes, it *is* highly unlikely that
>> wikitech.wikimedia.org's A record gets hijacked and a
>> MITM attack is staged as little could be gained.

> And then what?
> I for one use HTTP to access that wiki, feel free to hijack my
> account, and, um, vandalize. You won't need to do MITM for that,
> actually, will save you some effort.

> I thought there're more important issues out there ;-)

I can assure you you are *very* right on that thought :-).

Tim


gmane at kennel17

Aug 24, 2009, 5:50 AM

Post #13 of 19 (1243 views)
Re: SSL certificates for Wikimedia sites

"Tim Landscheidt" <tim [at] tim-landscheidt> wrote in message
news:m3skfsna0i.fsf [at] passepartout
> Domas Mituzas <midom.lists [at] gmail> wrote:
>> I know what happens when a self-signed certificate is used.
>> Why the heck is that an issue with wikitech.wikimedia.org wiki?
>
> Because when you access
> <URI:https://wikitech.wikimedia.org/>, it will bark :-).
> Would not all references to wikitech.leuksman.com have been
> advertizing the HTTPS access (and the Google ratio is still
> about 55900:209 :-)), I would not care. But IMVHO *if* HTTPS
> requests are served, that should be done "properly".

Firefox, for example, gives a very scary notice if you visit that address.
I for one would not trust anything for which such a scary notice was
generated, even if I trust the owners of the site (as I do here). The
message indicates that the site may have been compromised, and that is too
much of a risk to take these days.

IE gives a less scary message, but it still very firmly informs you: "close
this webpage and do not continue to this website". Again, not a message I
would ignore.

Seriously, unless you are intentionally trying to scare people away from the
site, then this should be fixed.

- Mark Clements (HappyDog)



Simetrical+wikilist at gmail

Aug 24, 2009, 11:04 AM

Post #14 of 19 (1236 views)
Re: SSL certificates for Wikimedia sites

On Mon, Aug 24, 2009 at 8:50 AM, Mark Clements
(HappyDog)<gmane [at] kennel17> wrote:
> Seriously, unless you are intentionally trying to scare people away from the
> site, then this should be fixed.

wikitech is mainly intended for Wikimedia tech staff, not the general
public, so I assume that they don't care very much if the general
public is scared away. Anyone who can use the site usefully
presumably knows enough about HTTPS to understand that they can safely
ignore the warning.

brion at wikimedia

Aug 24, 2009, 11:24 AM

Post #15 of 19 (1246 views)
Re: SSL certificates for Wikimedia sites

On 8/24/09 3:04 PM, Aryeh Gregor wrote:
> On Mon, Aug 24, 2009 at 8:50 AM, Mark Clements
> (HappyDog)<gmane [at] kennel17> wrote:
>> Seriously, unless you are intentionally trying to scare people away from the
>> site, then this should be fixed.
>
> wikitech is mainly intended for Wikimedia tech staff, not the general
> public, so I assume that they don't care very much if the general
> public is scared away. Anyone who can use the site usefully
> presumably knows enough about HTTPS to understand that they can safely
> ignore the warning.

Pretty much, yeah. :) We put "real" certs on public-facing sites, but
just haven't bothered with what is essentially our tech department
intranet. (But since we're crazy people it's open if you want to look at
it!)

-- brion

Ryan.Lane at ocean

Aug 24, 2009, 11:38 AM

Post #16 of 19 (1237 views)
Re: SSL certificates for Wikimedia sites

> Pretty much, yeah. :) We put "real" certs on public-facing sites, but
> just haven't bothered with what is essentially our tech department
> intranet. (But since we're crazy people it's open if you want
> to look at
> it!)
>

Wouldn't it be safer, and more convenient, to have internal sites use an
internally created CA instead of self-signed certificates? At least then users
would simply have to trust the CA once and not get the warning on other, or
future, internal sites.

V/r,

Ryan Lane


brion at wikimedia

Aug 24, 2009, 11:44 AM

Post #17 of 19 (1248 views)
Re: SSL certificates for Wikimedia sites

On 8/24/09 3:38 PM, Lane, Ryan wrote:
>> Pretty much, yeah. :) We put "real" certs on public-facing sites, but
>> just haven't bothered with what is essentially our tech department
>> intranet. (But since we're crazy people it's open if you want
>> to look at
>> it!)
>>
>
> Wouldn't it be safer, and more convenient, to have internal sites use an
> internally created CA instead of self-signed certificates?

Safer, but less convenient as it would take us a few extra minutes to
set up which we might as well spend on buying an $8 public-friendly cert. ;)

-- brion

tim at tim-landscheidt

Aug 24, 2009, 2:36 PM

Post #18 of 19 (1233 views)
Re: SSL certificates for Wikimedia sites

Brion Vibber <brion [at] wikimedia> wrote:

>>> Pretty much, yeah. :) We put "real" certs on public-facing sites, but
>>> just haven't bothered with what is essentially our tech department
>>> intranet. (But since we're crazy people it's open if you want
>>> to look at
>>> it!)

>> Wouldn't it be safer, and more convenient, to have internal sites use an
>> internally created CA instead of self-signed certificates?

> Safer, but less convenient as it would take us a few extra minutes to
> set up which we might as well spend on buying an $8 public-friendly cert. ;)

Does this mean that if I make an earmarked donation we could
close this thread? :-)

Tim


nospam at vyznev

Aug 25, 2009, 5:30 AM

Post #19 of 19 (1214 views)
Re: SSL certificates for Wikimedia sites

Tim Landscheidt wrote:
> Brion Vibber <brion [at] wikimedia> wrote:
>
>>>> Pretty much, yeah. :) We put "real" certs on public-facing sites, but
>>>> just haven't bothered with what is essentially our tech department
>>>> intranet. (But since we're crazy people it's open if you want
>>>> to look at
>>>> it!)
>
>>> Wouldn't it be safer, and more convenient, to have internal sites use an
>>> internally created CA instead of self-signed certificates?
>
>> Safer, but less convenient as it would take us a few extra minutes to
>> set up which we might as well spend on buying an $8 public-friendly cert. ;)
>
> Does this mean that if I make an earmarked donation we could
> close this thread? :-)

Can I chip in a few more bucks to get the old MD5-hashed certs (like the
one for bugzilla.wikimedia.org) replaced? They may technically still be
safe (if just barely), but at least the "SSL Blacklist" Firefox
extension throws up a big scary warning about them and it's annoying to
have to click through it.

--
Ilmari Karonen
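
A way to find MD5-signed certificates like the ones mentioned in the message above, as an added example that is not part of the original thread: it reads the signatureAlgorithm OID from a certificate's DER bytes with a minimal parser. The function names and the constructed certificate-shaped input are assumptions made for illustration.

```python
# Signature-algorithm OIDs built on broken hash functions.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OID content bytes (first byte below 80, i.e. arcs 0.x and 1.x)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(arc) for arc in arcs)

def signature_oid(der):
    """OID of Certificate.signatureAlgorithm, the algorithm the issuer signed with."""
    tag, start, _ = read_tlv(der, 0)                  # Certificate SEQUENCE
    tbs_tag, _, tbs_end = read_tlv(der, start)        # tbsCertificate, skipped
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)    # signatureAlgorithm
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, tbs_tag, alg_tag, oid_tag) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate structure")
    return decode_oid(der[oid_start:oid_end])

def weak_signature(der):
    """Name of the weak signature algorithm, or None if it is not on the list."""
    return WEAK_SIGNATURE_OIDS.get(signature_oid(der))

def constructed_skeleton(oid_hex):
    """Constructed input: certificate-shaped DER with a dummy body, not a real cert."""
    tbs = b"\x30\x81\x80" + bytes(128)                # placeholder tbsCertificate
    alg = b"\x30\x0d\x06\x09" + bytes.fromhex(oid_hex) + b"\x05\x00"
    body = tbs + alg + b"\x03\x01\x00"                # empty signature BIT STRING
    return b"\x30\x81" + bytes([len(body)]) + body

MD5_SAMPLE = constructed_skeleton("2a864886f70d010104")      # md5WithRSAEncryption
SHA256_SAMPLE = constructed_skeleton("2a864886f70d01010b")   # sha256WithRSAEncryption
```

For a real certificate, `ssl.PEM_cert_to_DER_cert()` from the standard library converts a PEM file's text into the DER bytes that `weak_signature()` expects.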
