
#1 2007-06-29 13:06:29

G_Syme
Member
Registered: 2007-01-04
Posts: 83

SSL certificate and use?

Hi,

some time ago I've become aware of the presence of an SSL certificate for the Arch homepage.
Unfortunately Firefox tells me that the site "Contains unauthenticated content". And if I try to visit the forum, wiki or AUR (with https://...), then I get redirected to the Arch homepage.

Is there a particular reason that on the one hand the infrastructure for SSL/https seems to be there, but on the other hand is not complete (in case of the Arch homepage) and not extended to the forum, wiki, and the AUR?
And if SSL is not intended to be used for the sub domains of archlinux.org, how are the login-processes for the forum/wiki/AUR handled/secured?

I ask mainly because of paranoia and secondly out of curiosity.


The courageous enter dark caves alone.
The clever send in the courageous first.
The cleverest wait behind the clever.


#2 2007-06-29 17:16:26

cactus
Taco Eater
Registered: 2004-05-25
Posts: 4,622

Re: SSL certificate and use?

Is there a particular reason that on the one hand the infrastructure for SSL/https seems to be there, but on the other hand is not complete (in case of the Arch homepage) and not extended to the forum, wiki, and the AUR?

The ssl cert was purchased long ago (and recently renewed) for www.archlinux.org only.
It is not a 'wildcard' ssl cert like you sometimes see, which would allow for *.archlinux.org (likely due to cost).


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law


#3 2007-07-06 00:05:55

byte
Member
From: Düsseldorf (DE)
Registered: 2006-05-01
Posts: 2,046

Re: SSL certificate and use?

What about CAcert? No assurers around?




#4 2008-07-18 18:40:00

G_Syme
Member
Registered: 2007-01-04
Posts: 83

Re: SSL certificate and use?

cactus wrote:

The ssl cert was purchased long ago (and recently renewed) for www.archlinux.org only.
It is not a 'wildcard' ssl cert like you sometimes see, which would allow for *.archlinux.org (likely due to cost).

It's been a while, but the situation has slightly changed, and I've also gained a bit of experience about PKIs, so I wanted to propose an idea.
As I've seen today, the ssl certificate for www.archlinux.org seems to have expired, because it's no longer there and has been replaced by a self-signed certificate for dev.archlinux.org.

As you're not using officially signed certs any longer, you could also do the following:
You could start your own certificate authority, make one certificate for each domain {aur,bbs,wiki,dev,bugs,www,etc}.archlinux.org, and sign each of these with your own root-cert. Then you would only have to spread the public key of your root cert, and every signed cert of yours would be recognized and accepted by the users.

I've found a really well-written howto here, and I've already tested it within my local network.
Once the root cert has been imported/accepted on the client system, all signed certs will be accepted, too. And if you ever wanted to get an officially signed cert, you would only need to have your root cert signed (e.g. by CAcert). But that is only an assumption, as I don't have any experience how to get signed by an official institution.

Or you could also ship your root cert with the installation ISO, similar to Ubuntu shipping the public PGP keys of their package managers with their installation ISOs.

This is of course only a suggestion, but I think everyone should be aware of the importance of encrypted and signed communication, and in the end everyone would benefit from it.

I'm pretty interested in everyone's feedback. Maybe there's even someone who has experience with other distros and how they've handled that problem.



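The private-CA scheme proposed in the post above, as an added example that is not part of the thread: a self-signed root signs one certificate per host, and a client that has imported only the root can then verify each leaf, including the hostname check a browser performs. It assumes the openssl command-line tool is installed; the CA name and all files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA that signs one cert per
# archlinux.org host, then verifies the chain as a client with the imported
# root would. Requires openssl; every file lives in a scratch directory.
set -eu
WORK="$(mktemp -d)"

make_ca() {
    # Self-signed root: this single public cert is what users would import.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Hypothetical Arch Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/root.ext"
    openssl x509 -req -sha256 -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
}

issue_cert() {
    # Leaf certificate for one host ($1), signed by the root key.
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    # SAN is what modern clients match; CA:FALSE stops the leaf signing others.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=critical,CA:FALSE\n' "$host" \
        > "$WORK/$host.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORK/$host.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

verify_host() {
    # Returns 0 only if cert $1 chains to the root AND is valid for hostname $2.
    openssl verify -CAfile "$WORK/root.crt" -verify_hostname "$2" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca
for h in aur.archlinux.org bbs.archlinux.org wiki.archlinux.org; do
    issue_cert "$h"
done
verify_host bbs.archlinux.org bbs.archlinux.org && echo "bbs cert: trusted via root"
if ! verify_host bbs.archlinux.org wiki.archlinux.org; then
    echo "bbs cert: rejected when presented for wiki.archlinux.org"
fi
```

Without `-CAfile "$WORK/root.crt"` (i.e. on a client that never imported the root) every leaf fails verification, which is the distribution problem the post's ISO-shipping idea addresses.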

#5 2008-07-18 18:46:33

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,964

Re: SSL certificate and use?

The easiest way is to just use a *.archlinux.org cert signed by CAcert. The root cert of CAcert is already included in Arch and used by browsers like Konqueror.


#6 2008-07-18 19:38:41

G_Syme
Member
Registered: 2007-01-04
Posts: 83

Re: SSL certificate and use?

Pierre wrote:

The easiest way is to just use a *.archlinux.org cert signed by cacert. [...]

That sounds reasonable. But your own PKI may have some advantages in the long run, e.g. if you would like to distribute packages via SSL host identification and want to also sign mirrors which do not fit in the *.archlinux.org wildcard, but that's really just an idea. For packages, it might be better to sign each package via PGP than to sign a mirror. But it might be a nifty addition.


