GNOME Bugzilla – Bug 64149
The List Info pages for the mailing lists should not use SSL
Last modified: 2007-08-15 16:42:54 UTC
This is only indirectly related to the Gimp and www.gimp.org, but the List Info pages for the Gimp mailing lists (lists.xcf.berkeley.edu) are currently redirecting all HTTP requests to the same pages but using secure connections (HTTP over SSL). Request: GET http://lists.xcf.berkeley.edu/mailman/listinfo/gimp-developer/ Response: HTTP/1.0 302 Moved Temporarily Location: https://lists.xcf.berkeley.edu/mailman/listinfo/gimp-developer/ I do not understand why the standard HTTP access to these pages is blocked and redirected, because there is no confidential information on these pages (except for the list admins, but then they can use the secure version and let everybody else use the standard version). There are two problems with the secure connections: - Some browsers do not support SSL or TLS, so the users have to switch to a different browser in order to access these pages and subscribe or unsubscribe from the mailing lists. - The certificates used on lists.xcf.berkeley.edu are self-signed and have not been signed by a trusted CA (such as Thawte, Verisign or others). As a result, most browsers display a warning and the user has to go through several dialogs in order to accept the certificate. In some (corporate) environments that have strict security policies, the browsers are even configured to reject all non-trusted CAs, which means that the users have no way to connect at all. It would be much better to allow access to both the secure and insecure pages and leave the choice to the users.
To make the problem worse, the SSL certificate for the web server (lists.xcf.berkeley.edu) has expired today. Some browsers will refuse to load the pages if the certificate has expired, so the users of these browsers have no way to load these pages.
*** This bug has been marked as a duplicate of 75398 ***
Sorry, of course this is not a duplicate.
Changes at the request of Dave Neary on the developer mailing list. I am changing many of the bugzilla reports that have not specified a target milestone to Future milestone. Hope that is acceptable.
Milestoning Future - this doesn't look like it'll be done any time soon. Dave.
If nothing will ever be done about this, I suggest closing it as WONTFIX. Any comments?
Changing all www.gimp.org bugs from gimp product to the gimp-web product, including old closed/fixed bugs, and reassigning.
Re-assigning all bug reports related to the mailing lists to the "mailing lists" component. Let's hope that we are done with all these Bugzilla changes....
The URL field has been removed from bugzilla.gnome.org. This URL was in the old URL field, and is being added as a comment so that the data is not lost. Please email bugmaster@gnome.org if you have any questions. URL: http://www.gimp.org/mailing_list.html
The SSL certificate has expired again (actually, some time ago): 25.10.2004 07:13:49 GMT Maybe we should come up with a way to motivate the maintainer to a) assemble the new list server and b) install a new certificate on it? Does anyone have spare ducks?
The certificate is valid again (until 2006-11-06), so we're back at the issue of using SSL at all.
2006-11-06 is a bit in the past now, and the certificate has not been updated.
IMO we should handle the certificate issue in bug #389193.
Considering that the design of the list info pages includes also the part that allows one to perform administrative actions (changing password, etc.), the usage of SSL can be explained. This is poor design, but that's all we have for now. The number of browsers or command-line user agents that do not support SSL is probably insignificant compared to 6 years ago when this bug was originally reported, so the usage of SSL is much less of an issue now. However, we still have the issue that some browsers will refuse to load pages using self-signed certificates or certificates that are otherwise invalid or have expired. So we can focus on this in bug #389193. *** This bug has been marked as a duplicate of 389193 ***