Problem with namecoin.info certificate [SSL, https]
When I try to access the forums (in Chromium) I get this security warning.
You attempted to reach forum.namecoin.info, but instead you actually reached a server identifying itself as srv0.eu. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of forum.namecoin.info.
Can this be fixed? I'm sure it must drive some people away.
N9kVqK8zrgtHvD6kD4yk3UgM2dkP2NykDr
Re: Problem with namecoin.info certificate
Yeah this should be easy to fix, CAcert.org is the issuer. Firefox does not trust SSL from CAcert by default.
Ben wrote: When I try to access the forums (in Chromium) I get this security warning.
You attempted to reach forum.namecoin.info, but instead you actually reached a server identifying itself as srv0.eu. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of forum.namecoin.info.
Can this be fixed? I'm sure it must drive some people away.
My Namecoin address: NC3HGHk527xuWZBgMdGJ2GxjpRSw8D4oA6
Re: Problem with namecoin.info certificate
To my knowledge this is being worked on. khal or indolering would be able to tell you more.
Re: Problem with namecoin.info certificate
I just changed the certificate to a more valid one, but self signed (the one for srv0.eu was expired).
SHA1 Fingerprint=14:7D:31:8D:52:CD:43:61:32:91:F1:81:1B:C5:B9:CB:7B:25:4C:71
There are discussions about a CA validated certificate, but it would require us to buy a wildcard certificate to have something valid for all subdomains and it would cost ~60$/year.
I'm a bit reluctant to do this, due to the cost, but also to the fact that the CA system with third parties is not what we want to promote.
So, for now, nothing has been done (except for the new self signed cert).
What is your opinion about this?
Could we stay with a self signed certificate?
Should we issue our own CA (can be manually added in browsers in 1 click)? What are the pros/cons?
NamecoinID: id/khal
GPG : 9CC5B92E965D69A9
NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T
Register Namecoin domains with BTC
My bitcoin Identity - Send messages to bitcoin users
Charity Ad - Make a good deed without paying a cent
Re: Problem with namecoin.info certificate
Firefox and Safari do not trust CAcert.org by default, but Chrome does. Test it for yourself by going to https://cacert.org/
A lot of power users are using Chrome or Chromium, maybe you can get some stats and check.
I think it's worth the extra effort to do a CSR with CAcert.org ( http://wiki.cacert.org/HELP/4 )
Option 1: Common Names (CN) = *.namecoin.info
Option 2: Subject Alternative Names (SAN) = wiki.namecoin.info, forum.namecoin.info
According to this wiki page http://wiki.cacert.org/FAQ/subjectAltName they will not combine CN and SAN in the same cert.
There is a Firefox add-on that makes importing the root cert painless https://addons.mozilla.org/firefox/addo ... rtificate/
For Safari on OSX you need to download "root.der" and import it into Keychain ( http://www.cacert.org/index.php?id=3 )
Looking forward to a distributed https solution
biolizard89 wrote: To my knowledge this is being worked on. khal or indolering would be able to tell you more.
My Namecoin address: NC3HGHk527xuWZBgMdGJ2GxjpRSw8D4oA6
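An added example (not part of any post in this thread) showing why a browser rejects a certificate issued for srv0.eu when visiting forum.namecoin.info, and which hostnames the two CSR options from the post above would cover. The matching rules follow RFC 6125; www.namecoin.info and dev.forum.namecoin.info are constructed test names, and the certificate contents are assumed from the names given in the thread.

```python
# Added example: which hostnames a certificate's names cover.
# Certificate contents are constructed from names mentioned in the thread.

def _labels(name):
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """RFC 6125-style match: '*' is honoured only as the entire
    left-most label and stands for exactly one label."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h

def cert_covers(hostname, cn=None, sans=()):
    """If the cert carries SAN dNSName entries, only those count;
    the CN is a fallback for certs with no SAN at all."""
    names = list(sans) if sans else ([cn] if cn else [])
    return any(name_matches(n, hostname) for n in names)

# www.* and dev.forum.* are constructed names used to probe the edge cases.
HOSTS = ["namecoin.info", "www.namecoin.info", "forum.namecoin.info",
         "wiki.namecoin.info", "dev.forum.namecoin.info"]

CERTS = {
    "served (srv0.eu)": {"cn": "srv0.eu"},
    "option 1 (wildcard CN)": {"cn": "*.namecoin.info"},
    "option 2 (SAN list)": {"sans": ["wiki.namecoin.info",
                                     "forum.namecoin.info"]},
}

def coverage():
    """Map each certificate to the hosts in HOSTS it is valid for."""
    return {label: [h for h in HOSTS if cert_covers(h, **c)]
            for label, c in CERTS.items()}

if __name__ == "__main__":
    for label, hosts in coverage().items():
        print(f"{label:24} -> {hosts or 'none'}")
```

Neither option covers the bare namecoin.info, and the wildcard does not reach a second subdomain level, so both would need extra names to secure those hosts.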
Re: Problem with namecoin.info certificate
I'm fine with self-signed in principle, but also noticed that nf.bit is broken (old certificate fingerprint). Apart from that, I like CAcert (I use it for email certificates and domob.eu myself) and would also support getting a cert from them. If everyone trusts me enough, I can even request the certificate with my own CAcert account (which is validated up to 100 points and allows for longer expiry time).
BTC: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS
Use your Namecoin identity as OpenID: https://nameid.org/
Re: Problem with namecoin.info certificate
khal wrote: There are discussions about a CA validated certificate, but it would require us to buy a wildcard certificate to have something valid for all subdomains and it would cost ~60$/year.
I'm a bit reluctant to do this, due to the cost, but also to the fact that the CA system with third parties is not what we want to promote.

Self-signed certs are fine for testing and can even be viable for a pre-installed limited audience, but they do nothing for new visitors to this forum. People curious about namecoin are hit smack in the face with the https certificate validation warning by their browser. Many/most will immediately flee to safety, taking with them the first impression that namecoin is a scary place full of unsavory types. Only the truly determined will press forward, either ignoring the cert warning or (like me) just editing the URL from "https" to "http".
This is bad for Namecoin.
Namecoin needs adoption, participation, and confidence. This forum needs to make a good first impression.
Having a site secured by conventional SSL with a CA cert is not an endorsement of central CA authority. It's a means to an end: working within the existing system that people are familiar with so that they will stick around long enough to learn about what it is you have to offer and how things could be done differently.
NameID: id/dannythorpe
Re: Problem with namecoin.info certificate
ozmds wrote:
khal wrote: There are discussions about a CA validated certificate, but it would require us to buy a wildcard certificate to have something valid for all subdomains and it would cost ~60$/year.
I'm a bit reluctant to do this, due to the cost, but also to the fact that the CA system with third parties is not what we want to promote.

Self-signed certs are fine for testing and can even be viable for a pre-installed limited audience, but they do nothing for new visitors to this forum. People curious about namecoin are hit smack in the face with the https certificate validation warning by their browser. Many/most will immediately flee to safety, taking with them the first impression that namecoin is a scary place full of unsavory types. Only the truly determined will press forward, either ignoring the cert warning or (like me) just editing the URL from "https" to "http".
This is bad for Namecoin.
Namecoin needs adoption, participation, and confidence. This forum needs to make a good first impression.
Having a site secured by conventional SSL with a CA cert is not an endorsement of central CA authority. It's a means to an end: working within the existing system that people are familiar with so that they will stick around long enough to learn about what it is you have to offer and how things could be done differently.

I generally agree here; it's important to make a good first impression, and TLS warnings aren't a great way to do that. Of course, it's not my money being spent on the cert, so I realize that my opinion may not be the most relevant here.
Re: Problem with namecoin.info certificate
We should either remove https altogether or get a proper certificate.
Actually I'm not sure we need one at all. Namecoin TLS is important but I don't care much for a legacy certificate.