Thanks for SSL

Quantumstate · 06-28-2011, 10:13 AM

Just wanted to say Thanks for implementing SSL. I think it's more and more important these days to use encrypted channels for everything.

Did you have to buy a cert from one of the authorities? I noticed I didn't have to accept a cert in Konqueror.

acid_kewpie · 06-28-2011, 10:18 AM

There is no way a site like this would possibly just use a self signed cert, that'd be mad. If you look at the cert, you'll see it's from Equifax.

Quantumstate · 06-28-2011, 12:48 PM

Ultimately from Equifax. But was it through some open-source intermediary under some kind of non-profit agreement?

This is the reason for my question. I know of at least one free CA, although I don't know whether its cert is in all browsers.

jeremy · 06-28-2011, 02:46 PM

It is not through "some open-source intermediary under some kind of non-profit agreement". It was purchased as a standard QuickSSL certificate.

--jeremy

Quantumstate · 06-28-2011, 10:46 PM

Why do you put that in quotes? Do you have some kind of problem with me asking?

acid_kewpie · 06-29-2011, 12:37 AM

I'm sure there's no problem, but just because this is a site about Linux doesn't mean that everything about it is $0 and done through non-profit trusts. Linux runs on servers, which costs money, the servers use network bandwidth which costs money, the servers use electricity and cooling, which costs money. Enterprises using Linux often generate a lot of money. And due to the slightly odd notion of trusted CA's SSL certs implemented in the more professional way also involves money.

jeremy · 06-29-2011, 08:34 AM

No problem with you asking, I used quotes to directly answer your question.

--jeremy

craigevil · 07-12-2011, 10:07 PM

Getting the expired cert message using Firefox.

CQ1ST · 07-12-2011, 10:26 PM

@acid_kewpie It's a good reminder you voiced there about the costs all this free stuff actually involve

Yes. Thanks Heaps for the SSL, it's nice and fast.

MrCode · 07-12-2011, 11:34 PM

Quote:

Originally Posted by craigevil

Getting the expired cert message using Firefox.

Same here… :-\

acid_kewpie · 07-13-2011, 01:35 AM

We're aware, thanks for letting us now. It'll be sorted today I'm sure.

jeremy · 07-13-2011, 08:02 AM

The expired cert has been replaced with a new 2048bit one. Thanks again for the heads up.

--jeremy

Peufelon · 08-07-2011, 01:00 PM

I also thank LQ for finally implementing SSL as per https://www.httpsnow.org/

But I only just discovered this today, by accident! Shouldn't this be the default? Shouldn't users who for some reason cannot use https be directed to an instruction page for how to obtain it, and everyone else just get https connection?

Also, about the "remember me": according to what I have been told, checking this means that the forum software assumes you have a fixed IP and will automatically log anyone using that IP into your LQ user account. This could be very dangerous for those of us who do not come here from fixed IPs. Can some LQ official give a clear and correct explanation of what checking "remember me" does at LQ?

When I use the feature, I see a lock icon for a second, which is then replaced by another icon, and a mouse over pops up "Warning! Contains unauthenticated content". I presume this is due to problems with RSS feeds or something like that?

Has anyone carefully checked that username and password are transmitted properly encrypted for those using the https feature?

I believe I may have been targeted, or at least affected, by the 15 March 2011 incident known as Comodogate, and by a 15 June 2011 repeat. So I am very concerned that https work properly for me at LQ.

jeremy · 08-07-2011, 03:52 PM

We don't currently have the resources to make https the default for everyone, but it's something we offer for those interested. We currently do not serve images via https, hence the warning in some browsers. "Remember Me" is in no way related to IP address, it simply sets a browser cookie that keeps you logged in across sessions.

--jeremy

Peufelon · 08-07-2011, 07:04 PM

Quote:

We currently do not serve images via https,

Fine by me, since I disable image loading anyway, for security reasons. I also have disabled Java and javascript.

Quote:

"Remember Me" is in no way related to IP address, it simply sets a browser cookie that keeps you logged in across sessions.

What if someone steals such a login session cookie? How long is it valid? At some sites it is apparently for a year. That could be disastrous.

In principle, my IP should appear different each time I visit, and could be reused by thousands of different visitors, so it is critically important not to confuse me with any of them.

I have noticed some alarming phenomena which I will explain if further observation confirms (I have only been experimenting with the https for a day).