Problem with namecoin.info certificate [SSL, https]

Ben
Posts: 65
Joined: Fri Dec 20, 2013 2:22 pm
os: linux

Problem with namecoin.info certificate [SSL, https]

Post by Ben »

When I try to access the forums (in Chromium) I get this security warning.
You attempted to reach forum.namecoin.info, but instead you actually reached a server identifying itself as srv0.eu. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of forum.namecoin.info.
Can this be fixed? I'm sure it must drive some people away.
N9kVqK8zrgtHvD6kD4yk3UgM2dkP2NykDr

jonasbits
Posts: 36
Joined: Tue Mar 04, 2014 4:47 pm
os: linux

Re: Problem with namecoin.info certificate

Post by jonasbits »

Yeah this should be easy to fix, CAcert.org is the issuer. Firefox does not trust SSL from CAcert by default.
Ben wrote:When I try to access the forums (in Chromium) I get this security warning.
You attempted to reach forum.namecoin.info, but instead you actually reached a server identifying itself as srv0.eu. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of forum.namecoin.info.
Can this be fixed? I'm sure it must drive some people away.
My Namecoin address: NC3HGHk527xuWZBgMdGJ2GxjpRSw8D4oA6

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: Problem with namecoin.info certificate

Post by biolizard89 »

To my knowledge this is being worked on. khal or indolering would be able to tell you more.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

khal
Site Admin
Posts: 708
Joined: Mon May 09, 2011 5:09 pm
os: linux

Re: Problem with namecoin.info certificate

Post by khal »

I just changed the certificate to a more valid one, but self signed (the one for srv0.eu was expired).

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHA1 Fingerprint=14:7D:31:8D:52:CD:43:61:32:91:F1:81:1B:C5:B9:CB:7B:25:4C:71
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJTFnVrAAoJEJzFuS6WXWmp9fYP/0KSBSqOH/dBTrVwhMNo/JBA
nCM7njYPB4xlIVddJhwrPc1JekBA7ctoMJk02NyIkmaIA+iu1dLBF/RgKeDqfHIZ
RthzkH27RyNRheGhwYFc+SZ5wgoIRajgP73cwhU8FeD5rMDiXh8LQlYZprI5FLYv
TJemavLtencFbZr9T+Xt6OslptV4d22hThckB3QA3Gr9WkeBRpU5ueRW/hlisMSL
hsVlAesoRsSm8qunmXRx6r4dyzdlnL9oO8zqmfYFPZU1sBnr+mTWKCyzoduZ2pin
sg9emNmvEnCVxIqXLWtttew0L7GrK6MzESMYAkdC/1poB3WktXtIkJ0EyWRaMTlq
OXjdRpxh4tCRHGs5eQSeW2GPE5kc4O6cZ/CE2YeEqwmBVOAHCqozoEfC232iQRJd
gNCqybh7t2X/rEEN6j9r4Jplg1LYnp9WeIusT8BvW5NeE28ROXOJ+KNGDNiTVcvf
8QO1OcJFw1O8uPY7W73y1xjj9FdsGRxjdGYRVRqrpk+TIvg8Ekiu8xisfgMmg9XZ
j6jmUaqWX6JUEEI3SgR7+glHbgEhblE14e007ZpCguXj+IopzUxh1PCC0fwAr1vg
tDsWwHWpxxRXyTUITTtN1Mv2fMzAjp/wofKeLsPKKIau4GzudOouW4BXdB/mfLpf
s+8YdjvIHWbJoWTrqTFd
=MrXu
-----END PGP SIGNATURE-----


There are discussions about a CA validated certificate, but it would require us to buy a wildcard certificate to have something valid for all subdomains and it would cost ~60$/year.
I'm a bit reluctant to do this, due to the cost, but also to the fact that the CA system with third parties is not what we want to promote.

So, for now, nothing has been done (except for the new self signed cert).

What are your opinion about this ?
Could we stay with a self signed certificate ?
Should we issue our own CA (can be manually added in browsers in 1 click) ? What are the pros/cons ?
NamecoinID: id/khal
GPG : 9CC5B92E965D69A9
NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T

Register Namecoin domains with BTC
My bitcoin Identity - Send messages to bitcoin users
Charity Ad - Make a good deed without paying a cent

jonasbits
Posts: 36
Joined: Tue Mar 04, 2014 4:47 pm
os: linux

Re: Problem with namecoin.info certificate

Post by jonasbits »

Firefox and Safari does not trust CAcert.org by default, but Chrome does. Test it for your self by going to https://cacert.org/

A lot of power users are using Chrome or Chromium, maybe you can get some stats and check.
I think its worth the extra effort to do a CSR with CAcert.org ( http://wiki.cacert.org/HELP/4 )

Option 1: Common Names (CN) = *.namecoin.info
Option 2: Subject Alternative Names (SAN) = wiki.namecoin.info, forum.namecoin.info
According to this wiki page http://wiki.cacert.org/FAQ/subjectAltName they will not combine CN and SAN in the same cert.

There is a Firefox add-on that makes importing the root cert painless https://addons.mozilla.org/firefox/addo ... rtificate/
For Safari on OSX you need to download "root.der" and import it into Keychain ( http://www.cacert.org/index.php?id=3 )

Looking forward to a distributed https solution :-)
biolizard89 wrote:To my knowledge this is being worked on. khal or indolering would be able to tell you more.
My Namecoin address: NC3HGHk527xuWZBgMdGJ2GxjpRSw8D4oA6

domob
Posts: 1127
Joined: Mon Jun 24, 2013 11:27 am
Contact:

Re: Problem with namecoin.info certificate

Post by domob »

I'm fine with self-signed in principle, but also noticed that nf.bit is broken (old certificate fingerprint). Apart from that, I like CAcert (I use it for email certificates and domob.eu myself) and would also support getting a cert from them. If everyone trusts me enough, I can even request the certificate with my own CAcert account (which is validated up to 100 points and allows for longer expirey time).
BTC: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS
Use your Namecoin identity as OpenID: https://nameid.org/

ozmds
Posts: 6
Joined: Wed Mar 05, 2014 6:01 am
os: windows
Contact:

Re: Problem with namecoin.info certificate

Post by ozmds »

khal wrote:There are discussions about a CA validated certificate, but it would require us to buy a wildcard certificate to have something valid for all subdomains and it would cost ~60$/year.
I'm a bit reluctant to do this, due to the cost, but also to the fact that the CA system with third parties is not what we want to promote.
Self-signed certs are fine for testing and can even be viable for a pre-installed limited audience, but they do nothing for new visitors to this forum. People curious about namecoin are hit smack in the face with the https certificate validation warning by their browser. Many/most will immediately flee to safety, taking with them the first impression that namecoin is a scary place full of unsavory types. Only the truly determined will press forward, either ignoring the cert warning or (like me) just editing the URL from "https" to "http".

This is bad for Namecoin.

Namecoin needs adoption, participation, and confidence. This forum needs to make a good first impression.

Having a site secured by conventional SSL with a CA cert is not an endorsement of central CA authority. It's a means to an end: working within the existing system that people are familiar with so that they will stick around long enough to learn about what it is you have to offer and how things could be done differently.

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: Problem with namecoin.info certificate

Post by biolizard89 »

ozmds wrote:
khal wrote:There are discussions about a CA validated certificate, but it would require us to buy a wildcard certificate to have something valid for all subdomains and it would cost ~60$/year.
I'm a bit reluctant to do this, due to the cost, but also to the fact that the CA system with third parties is not what we want to promote.
Self-signed certs are fine for testing and can even be viable for a pre-installed limited audience, but they do nothing for new visitors to this forum. People curious about namecoin are hit smack in the face with the https certificate validation warning by their browser. Many/most will immediately flee to safety, taking with them the first impression that namecoin is a scary place full of unsavory types. Only the truly determined will press forward, either ignoring the cert warning or (like me) just editing the URL from "https" to "http".

This is bad for Namecoin.

Namecoin needs adoption, participation, and confidence. This forum needs to make a good first impression.

Having a site secured by conventional SSL with a CA cert is not an endorsement of central CA authority. It's a means to an end: working within the existing system that people are familiar with so that they will stick around long enough to learn about what it is you have to offer and how things could be done differently.
I generally agree here; it's important to make a good first impression, and TLS warnings aren't a great way to do that. Of course, it's not my money being spent on the cert, so I realize that my opinion may not be the most relevant here.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

phelix
Posts: 1634
Joined: Thu Aug 18, 2011 6:59 am

Re: Problem with namecoin.info certificate

Post by phelix »

We should either remove https alltogether or get a proper certificate.

Actually I'm not sure we need one at all. Namecoin TLS is important but I don't care much for a legacy certificate.
nx.bit - some namecoin stats
nf.bit - shortcut to this forum

phelix
Posts: 1634
Joined: Thu Aug 18, 2011 6:59 am

Re: Problem with namecoin.info certificate [SSL, https]

Post by phelix »

OK, what about a single site certificate for the main page but no https for the wiki etc?
nx.bit - some namecoin stats
nf.bit - shortcut to this forum

Post Reply