| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-www(at)postgresql(dot)org |
| Subject: | Re: Community accounts and SSL |
| Date: | 2008-03-12 22:00:28 |
| Message-ID: | 1205359228.5803.18.camel@mha-laptop.clients.sollentuna.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-www |
On Wed, 2008-03-12 at 14:33 -0700, Joshua D. Drake wrote:
> On Wed, 12 Mar 2008 17:25:11 -0400
> Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> > "Joshua D. Drake" <jd(at)commandprompt(dot)com> writes:
> > > That is certainly one way, but do we really need that? Isn't a self
> > > signed cert good enough?
> >
> > Self-signed certs on a public-facing website scream of amateurism.
> > Every time someone visits the site, their browser will complain
> > about it, and quite rightly.
>
> Well that isn't true. It asks once and that's it. I will admit
> though that FF3 certainly makes it abundantly clear that it doesn't like
> it that first time. As far as the amateurism, opinion vary :).
It does not. If you click the proper button in your browser, it doesn't
even let you in. If you click the second-least-improper one, it will
complain every time. Only if you pick the one option you're really not
supposed to pick, does it only complain once.
I dunno aobut other browsers, but in firefox the "bitch again next
session" is the default, and in modern IE versions, not letting you in
at all is the default.
Using a self-signed certificate is only secure if you somehow distribute
the self-signed certificate to all clients but a different, secure,
path.
> > If you wanna do this, you need to pony up some cash to Verisign or
> > one of the other recognized CAs.
>
> Well like I said, we can do that. If that is the way the community
> wants to go. A 5 year wildcard cert which could be used across all
> subdomains is about 500.00.
Wildcard cert might be an option. I don't recall which browsers they are
supported these days. It's also a potential security issue - we can't
use them on something like a shared host somewhere. Perhaps one, or when
we get more requirements a couple, of regular certificates is a better
way to go?
The free option is to use CACert. It's not included by default in any
browser (I think - maybe some really new one has it), but it does have
an actual statement of trust along with it.
//Magnus
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andreas 'ads' Scherbaum | 2008-03-12 22:01:13 | Re: PostgreSQL user documentation wiki open for business |
| Previous Message | Dave Page | 2008-03-12 21:51:48 | Re: PostgreSQL user documentation wiki open for business |