Problem with namecoin.info certificate [SSL, https]

Ben
Posts: 65
Joined: Fri Dec 20, 2013 2:22 pm
os: linux

Problem with namecoin.info certificate [SSL, https]

Post by Ben »

When I try to access the forums (in Chromium) I get this security warning.
You attempted to reach forum.namecoin.info, but instead you actually reached a server identifying itself as srv0.eu. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of forum.namecoin.info.
Can this be fixed? I'm sure it must drive some people away.
N9kVqK8zrgtHvD6kD4yk3UgM2dkP2NykDr

jonasbits
Posts: 47
Joined: Tue Mar 04, 2014 4:47 pm
os: linux

Re: Problem with namecoin.info certificate

Post by jonasbits »

Yeah this should be easy to fix, CAcert.org is the issuer. Firefox does not trust SSL from CAcert by default.
Ben wrote:When I try to access the forums (in Chromium) I get this security warning.
You attempted to reach forum.namecoin.info, but instead you actually reached a server identifying itself as srv0.eu. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of forum.namecoin.info.
Can this be fixed? I'm sure it must drive some people away.
My Namecoin address: NC3HGHk527xuWZBgMdGJ2GxjpRSw8D4oA6

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: Problem with namecoin.info certificate

Post by biolizard89 »

To my knowledge this is being worked on. khal or indolering would be able to tell you more.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

khal
Site Admin
Posts: 708
Joined: Mon May 09, 2011 5:09 pm
os: linux

Re: Problem with namecoin.info certificate

Post by khal »

I just changed the certificate to a more valid one, but self signed (the one for srv0.eu was expired).

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHA1 Fingerprint=14:7D:31:8D:52:CD:43:61:32:91:F1:81:1B:C5:B9:CB:7B:25:4C:71
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----


There are discussions about a CA validated certificate, but it would require us to buy a wildcard certificate to have something valid for all subdomains and it would cost ~60$/year.
I'm a bit reluctant to do this, due to the cost, but also to the fact that the CA system with third parties is not what we want to promote.

So, for now, nothing has been done (except for the new self signed cert).

What is your opinion about this?
Could we stay with a self signed certificate?
Should we issue our own CA (can be manually added in browsers in 1 click)? What are the pros/cons?
NamecoinID: id/khal
GPG : 9CC5B92E965D69A9
NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T

Register Namecoin domains with BTC
My bitcoin Identity - Send messages to bitcoin users
Charity Ad - Make a good deed without paying a cent
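
[Added example, not part of khal's post and not code from the Namecoin project: one way a visitor could check the self-signed certificate against the SHA1 fingerprint published above. It assumes the PGP signature on that message has already been verified separately; `SAMPLE_DER` is a constructed byte string, not a real certificate.]

```python
import hashlib
import hmac
import ssl

# Fingerprint exactly as published in the signed message above.
PUBLISHED = "SHA1 Fingerprint=14:7D:31:8D:52:CD:43:61:32:91:F1:81:1B:C5:B9:CB:7B:25:4C:71"

# Constructed stand-in for a certificate's DER encoding (for the offline demo).
SAMPLE_DER = b"constructed bytes, not a real certificate"

def normalize(fingerprint):
    """Turn 'SHA1 Fingerprint=AA:BB:..' or 'aa bb ..' into bare lowercase hex."""
    hexed = fingerprint.split("=")[-1].replace(":", "").replace(" ", "").lower()
    if len(hexed) not in (40, 64) or any(c not in "0123456789abcdef" for c in hexed):
        raise ValueError("not a SHA-1 or SHA-256 fingerprint")
    return hexed

def fingerprint_of(der, algo="sha1"):
    """Fingerprint = hash over the whole DER-encoded certificate."""
    return hashlib.new(algo, der).hexdigest()

def matches_pin(der, published):
    """Compare a certificate against a published fingerprint.

    The digest is chosen from the pin length: 40 hex chars = SHA-1 (what the
    post uses), 64 = SHA-256 (preferred for new pins, SHA-1 is collision-prone).
    """
    pin = normalize(published)
    algo = "sha1" if len(pin) == 40 else "sha256"
    return hmac.compare_digest(fingerprint_of(der, algo), pin)

def fetch_der(host, port=443):
    """Fetch the served certificate WITHOUT validating it, for pin checking only."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)

if __name__ == "__main__":
    # Offline demo on the constructed bytes; with network access one would
    # call matches_pin(fetch_der("forum.namecoin.info"), PUBLISHED) instead.
    print("sample matches published pin:", matches_pin(SAMPLE_DER, PUBLISHED))
    print("sample matches its own pin:  ",
          matches_pin(SAMPLE_DER, fingerprint_of(SAMPLE_DER, "sha256")))
```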

jonasbits
Posts: 47
Joined: Tue Mar 04, 2014 4:47 pm
os: linux

Re: Problem with namecoin.info certificate

Post by jonasbits »

Firefox and Safari do not trust CAcert.org by default, but Chrome does. Test it for yourself by going to https://cacert.org/

A lot of power users are using Chrome or Chromium, maybe you can get some stats and check.
I think it's worth the extra effort to do a CSR with CAcert.org ( http://wiki.cacert.org/HELP/4 )

Option 1: Common Names (CN) = *.namecoin.info
Option 2: Subject Alternative Names (SAN) = wiki.namecoin.info, forum.namecoin.info
According to this wiki page http://wiki.cacert.org/FAQ/subjectAltName they will not combine CN and SAN in the same cert.

There is a Firefox add-on that makes importing the root cert painless https://addons.mozilla.org/firefox/addo ... rtificate/
For Safari on OSX you need to download "root.der" and import it into Keychain ( http://www.cacert.org/index.php?id=3 )

Looking forward to a distributed https solution :-)
biolizard89 wrote:To my knowledge this is being worked on. khal or indolering would be able to tell you more.
My Namecoin address: NC3HGHk527xuWZBgMdGJ2GxjpRSw8D4oA6
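
[Added example, not part of jonasbits' post or any forum member's code: the host name check behind the Chromium warning quoted in the first post, applied to the two options listed above, following RFC 6125 matching rules. The certificate dicts are constructed for illustration; the thread only says the served certificate identified itself as srv0.eu.]

```python
# Which host names does a certificate cover? (constructed data, runs offline)

def _labels(name):
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, host):
    """Match one certificate DNS name against a host name (RFC 6125 rules)."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in h:
        return False                      # "*" never spans more than one label
    if any("*" in label for label in p[1:]):
        return False                      # wildcard only in the left-most label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]   # refuse overly broad "*.eu"
    if "*" in p[0]:
        return False                      # partial wildcards ("f*") not accepted
    return p == h

def cert_covers(cert, host):
    """SAN dNSNames are authoritative; CN is a fallback only when SAN is absent.

    Current browsers ignore CN entirely, so a new certificate should always
    carry its names in SAN.
    """
    names = cert["san"] or [cert["cn"]]
    return any(name_matches(n, host) for n in names)

# Constructed certificates: the one the server presented, and the two options.
SERVED = {"cn": "srv0.eu", "san": []}
OPTION_1 = {"cn": "*.namecoin.info", "san": []}
OPTION_2 = {"cn": "", "san": ["wiki.namecoin.info", "forum.namecoin.info"]}

HOSTS = ["forum.namecoin.info", "wiki.namecoin.info",
         "namecoin.info", "a.forum.namecoin.info"]

def coverage(cert):
    """Map each host in HOSTS to whether the certificate is valid for it."""
    return {host: cert_covers(cert, host) for host in HOSTS}

if __name__ == "__main__":
    for label, cert in [("served", SERVED), ("option 1", OPTION_1),
                        ("option 2", OPTION_2)]:
        print(label, coverage(cert))
```

Note that the wildcard in option 1 covers neither the bare namecoin.info nor names more than one label deep.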

domob
Posts: 1129
Joined: Mon Jun 24, 2013 11:27 am

Re: Problem with namecoin.info certificate

Post by domob »

I'm fine with self-signed in principle, but also noticed that nf.bit is broken (old certificate fingerprint). Apart from that, I like CAcert (I use it for email certificates and domob.eu myself) and would also support getting a cert from them. If everyone trusts me enough, I can even request the certificate with my own CAcert account (which is validated up to 100 points and allows for longer expiry time).
BTC: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS
Use your Namecoin identity as OpenID: https://nameid.org/

ozmds
Posts: 6
Joined: Wed Mar 05, 2014 6:01 am
os: windows

Re: Problem with namecoin.info certificate

Post by ozmds »

khal wrote:There are discussions about a CA validated certificate, but it would require us to buy a wildcard certificate to have something valid for all subdomains and it would cost ~60$/year.
I'm a bit reluctant to do this, due to the cost, but also to the fact that the CA system with third parties is not what we want to promote.
Self-signed certs are fine for testing and can even be viable for a pre-installed limited audience, but they do nothing for new visitors to this forum. People curious about namecoin are hit smack in the face with the https certificate validation warning by their browser. Many/most will immediately flee to safety, taking with them the first impression that namecoin is a scary place full of unsavory types. Only the truly determined will press forward, either ignoring the cert warning or (like me) just editing the URL from "https" to "http".

This is bad for Namecoin.

Namecoin needs adoption, participation, and confidence. This forum needs to make a good first impression.

Having a site secured by conventional SSL with a CA cert is not an endorsement of central CA authority. It's a means to an end: working within the existing system that people are familiar with so that they will stick around long enough to learn about what it is you have to offer and how things could be done differently.

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: Problem with namecoin.info certificate

Post by biolizard89 »

ozmds wrote:
khal wrote:There are discussions about a CA validated certificate, but it would require us to buy a wildcard certificate to have something valid for all subdomains and it would cost ~60$/year.
I'm a bit reluctant to do this, due to the cost, but also to the fact that the CA system with third parties is not what we want to promote.
Self-signed certs are fine for testing and can even be viable for a pre-installed limited audience, but they do nothing for new visitors to this forum. People curious about namecoin are hit smack in the face with the https certificate validation warning by their browser. Many/most will immediately flee to safety, taking with them the first impression that namecoin is a scary place full of unsavory types. Only the truly determined will press forward, either ignoring the cert warning or (like me) just editing the URL from "https" to "http".

This is bad for Namecoin.

Namecoin needs adoption, participation, and confidence. This forum needs to make a good first impression.

Having a site secured by conventional SSL with a CA cert is not an endorsement of central CA authority. It's a means to an end: working within the existing system that people are familiar with so that they will stick around long enough to learn about what it is you have to offer and how things could be done differently.
I generally agree here; it's important to make a good first impression, and TLS warnings aren't a great way to do that. Of course, it's not my money being spent on the cert, so I realize that my opinion may not be the most relevant here.
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

phelix
Posts: 1634
Joined: Thu Aug 18, 2011 6:59 am

Re: Problem with namecoin.info certificate

Post by phelix »

We should either remove https altogether or get a proper certificate.

Actually I'm not sure we need one at all. Namecoin TLS is important but I don't care much for a legacy certificate.
nx.bit - some namecoin stats
nf.bit - shortcut to this forum

phelix
Posts: 1634
Joined: Thu Aug 18, 2011 6:59 am

Re: Problem with namecoin.info certificate [SSL, https]

Post by phelix »

OK, what about a single site certificate for the main page but no https for the wiki etc?
nx.bit - some namecoin stats
nf.bit - shortcut to this forum
