GNOME Bugzilla – Bug 667231
Certificate for l10n.gnome.org
Last modified: 2013-03-06 13:56:52 UTC
Right now, the authentication on l10n.gnome.org (module Damned-Lies[1]) is done in http. Could we obtain a SSL certificate to enable https to login users? [1] http://git.gnome.org/browse/damned-lies
We could also turn https on for everything. However, IE users will get an annoying warning (doesn't trust startssl). Ok?
Is it possible to send plain HTTP for IE users (so they do not get the warning) and HTTPS for any other browser?
Don't really like that option. IE users can test it by going to either https://bugzilla.gnome.org/, or https://live.gnome.org/ + some other sites
Hi Olav, I did a test with an IE 6.0 and showed no warning. IE is the list of browsers supported by this certificate. I am a translator, and I think it is very important to test more inclusive of SSL on the DL. http://www.startssl.com/?app=40
I have IE8.0 at work under Windows XP, and it always shows a warning. It seems there is a patch for Windows XP to support it, http://www.istartedsomething.com/20091010/microsoft-free-root-certificate-authority-windows/ Did you specifically install this patch? I'm wondering if the Windows XP is missing some normal update. The reason various GNOME websites still default to http is: 1. Multiple websites on one IP address (IE on Windows XP cannot handle that) 2. That SSL warning IE gives me under Windows XP If my machine is the exception, then we can go ahead and enable SSL for most of the GNOME websites.
Olav, I can confirm that the certificate is NOT trusted with Windows XP and IE8 on my work PC. I am pretty sure all updates are installed here by the IT-Support.
Olav, As I said earlier, I had no problem in opening https sites with the domain of GNOME. Here are a few screenshots with machine information. The only update that has Windows XP SP2. http://pelivre.org/fernandes/imgs/certificate_https_gnome.jpg http://pelivre.org/fernandes/imgs/certificate_ie_xp.jpg http://pelivre.org/fernandes/imgs/version_xp_ie.jpg This SSL certificate startssl uses no intermediate certificate? I have some vhosts, using the same IP with a WildCard certificate and got set up without any problems. I used the technique of SNI (Service Name Indication) in Apache.
I have Windows XP SP3. I still had to install the root certificate update for the error messages to go away. The free certificates are not wildcards, so it needs SNI if you have multiple on one IP address, and that doesn't work with IE on Windows XP. This doesn't matter for l10n.gnome.org though, only thing on that IP address. I'm wondering how many people have this root certificate update. We've been using it on GNOME Bugzilla for ages, so maybe we can just ignore...
In general I think there are only few people who manually installed the certificate. On the other hand the number of IE users on Windows accessing l10n.gnome.org are probably minimal and can be ignored (statistics?).
Good point Johannes, actually most of the GNOME translators will be already using GNOME hopefully so we can just ignore the IE users :)
+1 I agree. I think we have to have security for users. I think installing a certificate is not so difficult if the browser needs.
Any progress so far, what can I do to make this happen sooner than later, setting aside asking countlessly? :)
The only one who can create certificates at the moment is Jeff Schroeder..
As soon as Jeff provides us with a new certificate (that will probably cover other services currently in need of a cert like git.g.o, library.g.o, developer.g.o and more) we can enable SSL on the specified hosts.
Where should we send the bottles of Jeff preferred beverage so that this happens? :) (aka friendly-ping...)
The certificate has been added yesterday. All requests to port 80 are now redirect to port 443.
Perfect!