[Noisebridge-discuss] noisebridge.net SSL cert

Jeffrey Malone ieatlint at tehinterweb.com
Wed Feb 3 20:29:01 UTC 2010


I'm going to take this opportunity to point out that while our SSL
cert is for https://www.noisebridge.net/, our logo says
https://noisebridge.net ...

Perhaps we should be getting a cert for both www.noisebridge.net and
noisebridge.net ?

Jeffrey

On Wed, Feb 3, 2010 at 12:23 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> Brian Ferrell wrote:
>>> Can you give an example of a URL that is not handled by the current
>>> rewrite setup?  AFAICS every URL with "//noisebridge.net" in it already
>>> gets 302'd over to "https://www.noisebridge.net".
>>>
>>> -andy
>>>
>>
>> https://noisebridge.net/wiki/Noisebridge
>
> It is absolutely worthless to encourage people to accept certificates
> that are not valid for a given host name. SSL/TLS are already mostly
> worthless - let's not take away the last few things of value.
>
> http://noisebridge.net/wiki/Noisebridge will properly redirect while
> https://noisebridge.net/wiki/Noisebridge cannot and should not redirect.
>
> You cannot (that I know of) cause a redirect in the SSL/TLS handshake.
>
> A browser (Firefox, others) will fail to get to any HTTP 302 without
> accepting an invalid certificate. There is a TLS name extension but this
> isn't a redirect and requires a different certificate anyway. I don't
> think we should encourage people by adding a redirect for an incorrect
> hostname, it's not safe.
>
> If you're starting off by speaking 443 and you care a great deal, you
> should pick your host name correctly.
>
> If you're using port 80, you can be hijacked and redirected. Sadly,
> an attacker can do this too. You can't bootstrap HTTPS security with the
> hodgepodge of HTTP insecurity.
>
> The set of HTTP redirects is largely a convenience for people who are
> too lazy to type a full URL starting with https://.
>
> Best,
> Jake
>
>
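
Added example, not part of the original thread: a small model of what a validating client sees on its first request, showing why the HTTPS request to the bare name fails before any 302 can be delivered and how a certificate listing both names changes that. The SAN lists and the redirect map are constructed for illustration (not read from the real certificate or server config), and the wildcard case goes slightly beyond what the thread discusses.

```python
from urllib.parse import urlsplit

# Constructed inputs (assumptions, not the site's actual certificate or config).
WWW_ONLY = ["www.noisebridge.net"]
BOTH = ["www.noisebridge.net", "noisebridge.net"]
WILDCARD = ["*.noisebridge.net"]
REDIRECTS = {"noisebridge.net": "https://www.noisebridge.net"}


def name_matches(pattern, host):
    """RFC 6125-style DNS name match: case-insensitive, label by label,
    with '*' allowed only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label, never zero
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (no "*.net").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(san_dns_names, host):
    """True if any subjectAltName dNSName entry covers the requested host."""
    return any(name_matches(name, host) for name in san_dns_names)


def first_response(url, san_dns_names, redirects):
    """Return what a validating client gets for its first request to url:
    ("cert_error", None), ("redirect", location) or ("ok", None)."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme == "https" and not cert_covers(san_dns_names, host):
        # The TLS handshake fails first, so no HTTP response (and no 302)
        # is ever read by the client.
        return ("cert_error", None)
    if host in redirects:
        return ("redirect", redirects[host] + parts.path)
    return ("ok", None)


if __name__ == "__main__":
    for sans in (WWW_ONLY, BOTH, WILDCARD):
        for scheme in ("http", "https"):
            url = scheme + "://noisebridge.net/wiki/Noisebridge"
            print(sans, url, first_response(url, sans, REDIRECTS))
```

The plain-HTTP redirect succeeds in every case only because nothing authenticates it, which is the hijacking caveat raised in the quoted message.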


