[Noisebridge-discuss] noisebridge.net SSL cert

Matt Peterson matt at peterson.org
Wed Feb 3 20:39:40 UTC 2010


Wildcard (*.domain.tld) as a common name is the general hack for
supporting multiple domains.  However, for supporting www & domain.tld -
I'd suggest using a cert with Subject Alternative Names.  These certs
can be found on store.apple.com, squareup.com, etc.

A 2 yr valid cert from Verisign (largest CA root install base, I
assume) is around $1200 for 2 supported hostnames.

On Wed, Feb 03, 2010 at 12:29:01PM -0800, Jeffrey Malone wrote:
> I'm going to take this opportunity to point out that while our SSL
> cert is for https://www.noisebridge.net/, our logo says
> https://noisebridge.net ...
> 
> Perhaps we should be getting a cert for both www.noisebridge.net and
> noisebridge.net ?
> 
> Jeffrey
> 
> On Wed, Feb 3, 2010 at 12:23 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> > Brian Ferrell wrote:
> >>> Can you give an example of a URL that is not handled by the current
> >>> rewrite setup?  AFAICS every URL with "//noisebridge.net" in it already
> >>> gets 302'd over to "https://www.noisebridge.net".
> >>>
> >>> -andy
> >>>
> >>
> >> https://noisebridge.net/wiki/Noisebridge
> >
> > It is absolutely worthless to encourage people to accept certificates
> > that are not valid for a given host name. SSL/TLS are already mostly
> > worthless - lets not take away the last few things of value.
> >
> > http://noisebridge.net/wiki/Noisebridge will properly redirect while
> > https://noisebridge.net/wiki/Noisebridge cannot and should not redirect.
> >
> > You can not (that I know of) cause a redirect in the SSL/TLS handshake.
> >
> > A browser (firefox, others) will fail to get to any HTTP 302 without
> > accepting an invalid certificate. There is a TLS name extension but this
> > isn't a redirect and requires a different certificate anyway. I don't
> > think we should encourage people by adding a redirect for an incorrect
> > hostname, it's not safe.
> >
> > If you're starting off by speaking 443 and you care a great deal, you
> > should pick your host name correctly.
> >
> > If you're using port 80, you can be hijacked and redirected. Sadly,
> > an attacker can do this too. You can't bootstrap HTTPS security with the
> > hodgepodge of HTTP insecurity.
> >
> > The set of HTTP redirects is largely a convenience for people who are
> > too lazy to type a full URL starting with https://.
> >
> > Best,
> > Jake
> >
> >
> > _______________________________________________
> > Noisebridge-discuss mailing list
> > Noisebridge-discuss at lists.noisebridge.net
> > https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
> >
> >
