[HCoop-Discuss] TLS Perfect Forward Secrecy etc.
Sajith T S
sajith at hcoop.net
Fri Apr 18 10:17:28 EDT 2014
Clinton Ebadi <clinton at unknownlamer.org> wrote:
> A short-term solution, at least for signing up new members, would be to
> accept Gandi's offer of a free one year certification, and move the join
> scripts to hcoop.net/join instead of join.hcoop.net. This would at least
> improve the initial impression of hcoop, and costs us nothing. Thoughts?
> I am inclined to just grab the certificate when I renew hcoop.net (I
> think since it doesn't involve money, this falls under authority
> delegated to sysadmin volunteers).
Taking up Gandi's offer actually sounds like a good idea to me. I am
also inclined to trust Gandi more than StartSSL, but I must also admit
the complete lack of objectivity in my trust.
> If we go with StartSSL, we have to appoint a certmaster who has their
> identity verified ($60/year), and also verify the organization yearly
> (another $60). At that price, it *might* be worth spending $160/year for
> a Gandi wildcard cert, although there are some security advantages to
> issuing separate certifications per subdomain and the StartSSL option
> provides identity information. I am not sure we are actually permitted
> to use a wildcard cert either, since we offer subdomains to members
> freely. Perhaps as long as the cert doesn't include identity
> information? I think a wiki page for discussion is in order (hint hint,
> nudge nudge).
About attaching identity to the cert, I'm not sure it's worth all the
money and trouble. Not seeing a big honking warning from the browser
would be good enough. :) And if it's cheaper, certs for just the more
critical subdomains (members, mail) would be good enough too.
Btw, I started a wiki page.
http://wiki.hcoop.net/HeartBleedAfterMath
It's not even sketchy, and I am sorry about the page URL: turns out I
can't rename it or just start a new properly titled page without
leaving a dangling one behind. I would be happy if someone could fix
that.
Also, the wiki encountered an internal server error when I requested a
password reset. It emailed me a reset token anyway, but another
internal server error happened when I created a new password. And
then it let me use the new password. What's up with that?
--
"the lyf so short, the craft so long to lerne."
-- Chaucer.
More information about the HCoop-Discuss
mailing list