Self Sign Cert For These Forums Is Bad Idea
This topic contains 3 replies, has 3 voices, and was last updated by sysfu 10 years, 6 months ago.
May 24, 2014 at 1:01 pm #691
Hi,
Why are you using a self signed cert for these forums?
Not good.. Most users will NOT click past the security warnings; if the user's browser notifies the user at all.
On first page load of the forums, the forums loaded, but looked all screwed up, and I was wondering what was happening, so I looked at the Chrome log and noticed:
GET https://forums.okturtles.com/Themes/default/css/index.css?fin20 net::ERR_INSECURE_RESPONSE forums.okturtles.com/:4
GET https://forums.okturtles.com/Themes/default/css/webkit.css net::ERR_INSECURE_RESPONSE forums.okturtles.com/:5
GET https://forums.okturtles.com/Themes/default/css/jquery.jgrowl.css net::ERR_INSECURE_RESPONSE forums.okturtles.com/:58
GET https://forums.okturtles.com/Themes/default/scripts/script.js?fin20 net::ERR_INSECURE_RESPONSE forums.okturtles.com/:10
GET https://forums.okturtles.com/Themes/default/scripts/theme.js?fin20 net::ERR_INSECURE_RESPONSE forums.okturtles.com/:11
GET https://forums.okturtles.com/Themes/default/scripts/enotify.js net::ERR_INSECURE_RESPONSE (index):59
Uncaught ReferenceError: jQuery is not defined (index):61
GET https://forums.okturtles.com/Themes/default/scripts/sha1.js net::ERR_INSECURE_RESPONSE (index):102
Uncaught ReferenceError: smc_Toggle is not defined (index):130
Uncaught ReferenceError: smc_Toggle is not defined (index):352
GET http://piwik.okturtles.com/piwik.js net::ERR_BLOCKED_BY_CLIENT (index):388
GET https://forums.okturtles.com/Themes/default/images/upshrink.png net::ERR_INSECURE_RESPONSE (index):97
GET https://forums.okturtles.com/Themes/default/images/smflogo.png net::ERR_INSECURE_RESPONSE (index):98
GET https://forums.okturtles.com/Themes/default/images/off.png net::ERR_INSECURE_RESPONSE (index):214
GET https://forums.okturtles.com/Themes/default/images/new_none.png net::ERR_INSECURE_RESPONSE (index):304
GET https://forums.okturtles.com/Themes/default/images/new_redirect.png net::ERR_INSECURE_RESPONSE (index):305
GET https://forums.okturtles.com/Themes/default/images/collapse.gif net::ERR_INSECURE_RESPONSE (index):312
GET https://forums.okturtles.com/Themes/default/images/icons/info.gif net::ERR_INSECURE_RESPONSE (index):320
GET https://forums.okturtles.com/Themes/default/images/icons/online.gif net::ERR_INSECURE_RESPONSE (index):334
GET https://forums.okturtles.com/index.php?scheduled=task;ts=1400925480 net::ERR_INSECURE_RESPONSE (index):85
So then I “forced” SSL via “https everywhere” which then caused the page to display Chrome's security warning about an invalid cert.
Of course I then see that you have self signed the forums.
No one besides me will probably do this much work. And I see these forums are not even being used anyways.
But this is 1 good reason they are NOT being read…
Thanks,
Will
May 24, 2014 at 8:34 pm #836
> Hi,
> Why are you using a self signed cert for these forums?
Because paying for a cert would look and be hypocritical to the work that we're doing.
> Not good.. Most users will NOT click past the security warnings; if the user's browser notifies the user at all.
> On first page load of the forums, the forums loaded, but looked all screwed up, and I was wondering what was happening, so I looked at the Chrome log and noticed:
> GET https://forums.okturtles.com/Themes/default/css/index.css?fin20 net::ERR_INSECURE_RESPONSE forums.okturtles.com/:4
> GET https://forums.okturtles.com/Themes/default/css/webkit.css net::ERR_INSECURE_RESPONSE forums.okturtles.com/:5
> GET https://forums.okturtles.com/Themes/default/css/jquery.jgrowl.css net::ERR_INSECURE_RESPONSE forums.okturtles.com/:58
> GET https://forums.okturtles.com/Themes/default/scripts/script.js?fin20 net::ERR_INSECURE_RESPONSE forums.okturtles.com/:10
> GET https://forums.okturtles.com/Themes/default/scripts/theme.js?fin20 net::ERR_INSECURE_RESPONSE forums.okturtles.com/:11
> GET https://forums.okturtles.com/Themes/default/scripts/enotify.js net::ERR_INSECURE_RESPONSE (index):59
> Uncaught ReferenceError: jQuery is not defined (index):61
> GET https://forums.okturtles.com/Themes/default/scripts/sha1.js net::ERR_INSECURE_RESPONSE (index):102
> Uncaught ReferenceError: smc_Toggle is not defined (index):130
> Uncaught ReferenceError: smc_Toggle is not defined (index):352
> GET http://piwik.okturtles.com/piwik.js net::ERR_BLOCKED_BY_CLIENT (index):388
> GET https://forums.okturtles.com/Themes/default/images/upshrink.png net::ERR_INSECURE_RESPONSE (index):97
> GET https://forums.okturtles.com/Themes/default/images/smflogo.png net::ERR_INSECURE_RESPONSE (index):98
> GET https://forums.okturtles.com/Themes/default/images/off.png net::ERR_INSECURE_RESPONSE (index):214
> GET https://forums.okturtles.com/Themes/default/images/new_none.png net::ERR_INSECURE_RESPONSE (index):304
> GET https://forums.okturtles.com/Themes/default/images/new_redirect.png net::ERR_INSECURE_RESPONSE (index):305
> GET https://forums.okturtles.com/Themes/default/images/collapse.gif net::ERR_INSECURE_RESPONSE (index):312
> GET https://forums.okturtles.com/Themes/default/images/icons/info.gif net::ERR_INSECURE_RESPONSE (index):320
> GET https://forums.okturtles.com/Themes/default/images/icons/online.gif net::ERR_INSECURE_RESPONSE (index):334
> GET https://forums.okturtles.com/index.php?scheduled=task;ts=1400925480 net::ERR_INSECURE_RESPONSE (index):85
> So then I “forced” SSL via “https everywhere” which then caused the page to display Chrome's security warning about an invalid cert.
> Of course I then see that you have self signed the forums.
> No one besides me will probably do this much work. And I see these forums are not even being used anyways.
> But this is 1 good reason they are NOT being read…
> Thanks,
> Will
Yes, you're absolutely right about all of that, except I think that the process didn't have to be as complicated (using HTTPS everywhere) as you had it.
To address those errors you saw: I think what may have happened is that you probably visited the HTTP version of the site, and possibly you had visited (prior to that) some HTTPS version of this site or another subdomain, sometime within the past 24 hours. Last night I enabled HSTS on this site, but had includeSubDomains enabled and didn't have redirection done yet on this subdomain (from HTTP to HTTPS). So… I think I've fixed all that now.
Still, I agree that having to get past the regular browser warning is too much of a barrier for this forum to be of much use (and incidentally why both the main site and the blog are served over HTTP).
Therefore, until we release the okTurtles browser extension that's able to modify browsers to not show the warning if the site verifies OK over DNSChain, I've removed most of the links to these forums, and edited this blog post to note that we may be using a mailing list software in the meantime instead of the forums.
For now, the community is on Freenode IRC's #dnschain channel. Keep an eye on the blog and @okTurtles/@DNSChain twitter accounts for news about the mailing list.
Thanks for going through all that trouble though to point out this issue! 🙂
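The HSTS behaviour described in the reply above, modelled as an added example that is not part of the original thread or okTurtles code: a policy with includeSubDomains noted on a parent domain silently upgrades plain-HTTP requests to a subdomain and removes the option to click through a certificate error there. It assumes the policy was set by okturtles.com with a 24-hour max-age; the header value and timestamps are constructed.

```javascript
// Added illustration: minimal model of a browser HSTS store (RFC 6797).
// Header values and timestamps are constructed sample data.

// Parse a Strict-Transport-Security value; returns null if max-age is missing.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const part of value.split(';')) {
    const [name, raw = ''] = part.trim().split('=');
    const v = raw.trim().replace(/^"|"$/g, '');
    if (name.trim().toLowerCase() === 'max-age' && /^\d+$/.test(v)) policy.maxAge = Number(v);
    else if (name.trim().toLowerCase() === 'includesubdomains') policy.includeSubDomains = true;
  }
  return policy.maxAge === null ? null : policy;
}

class HstsStore {
  constructor() { this.hosts = new Map(); }

  // Record a policy. The header is only honoured on error-free HTTPS responses.
  note(host, headerValue, nowSec, secureTransport = true) {
    const p = secureTransport ? parseHsts(headerValue) : null;
    if (!p) return;
    const key = host.toLowerCase();
    if (p.maxAge === 0) this.hosts.delete(key); // max-age=0 clears the entry
    else this.hosts.set(key, { expires: nowSec + p.maxAge, sub: p.includeSubDomains });
  }

  // Exact host match, or a parent domain whose entry has includeSubDomains.
  applies(host, nowSec) {
    const labels = host.toLowerCase().split('.');
    return labels.some((_, i) => {
      const e = this.hosts.get(labels.slice(i).join('.'));
      return Boolean(e) && e.expires > nowSec && (i === 0 || e.sub);
    });
  }

  // Browser decision for a URL: upgrade http to https, make cert errors fatal.
  decide(url, nowSec) {
    const u = new URL(url);
    const hsts = this.applies(u.hostname, nowSec);
    if (hsts && u.protocol === 'http:') u.protocol = 'https:';
    return { url: u.href, hsts, certErrorBypassable: !hsts };
  }
}

// Scenario from the thread (policy host and max-age are assumptions).
const store = new HstsStore();
store.note('okturtles.com', 'max-age=86400; includeSubDomains', 0);
console.log(store.decide('http://forums.okturtles.com/Themes/default/css/index.css', 3600));
```

Dropping includeSubDomains from the header, or serving a certificate the browser trusts on every subdomain before enabling it, avoids the failure mode.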
May 27, 2014 at 2:29 am #837
Actually, I just recently discovered that I could get a free SSL cert for these forums from StartSSL, so I've installed it and that should address all of your concerns.
Still, I'd like to know: do you prefer we use these forums for the community or a mailing list?
May 27, 2014 at 5:01 pm #838
There's also the CACert route. Not sure how much having to install the root cert would throw off the OKTurtles userbase, but my guess is that it's a technically savvy audience for the most part so 'not too much'.