February 22, 2014 Re: https everywhere | ||||
---|---|---|---|---|
| ||||
Posted in reply to Jan Knepper | On Friday, 21 February 2014 at 23:10:12 UTC, Jan Knepper wrote:
> On 2/21/14, 3:40 PM, Walter Bright wrote:
>> On 2/21/2014 12:35 PM, Dicebot wrote:
>>> On Friday, 21 February 2014 at 20:34:12 UTC, Walter Bright wrote:
>>>> dlang.org and dconf.org now support https,
>>>>
>>>> https://dlang.org
>>>> https://dconf.org
>>>>
>>>> Note that this is a self-signed certificate, and so when you first
>>>> access it
>>>> you'll get a dire warning from your browser.
>>>
>>> Why can't free startssl certificate be used?
>>
>> I never heard of it.
>
> Neither have I...
> I know there is www.cacert.org but as far as I know their certs are still not integrated in the browser SSL store.
Just going to throw this out there, but GlobalSign offers free wildcard certificates to open source projects. GlobalSign's root is in the standard CA stores. Might be worth checking out.
https://www.globalsign.com/ssl/ssl-open-source/
Disclaimer: I am a GlobalSign reseller, but I have nothing to gain from their free certificate offers.
|
February 22, 2014 Re: https everywhere | ||||
---|---|---|---|---|
| ||||
Posted in reply to Brad Anderson | Brad Anderson, on 21 February at 21:39 you wrote to me:
> On Friday, 21 February 2014 at 21:37:39 UTC, Walter Bright wrote:
> >On 2/21/2014 12:57 PM, Brad Anderson wrote:
> >>For $59.90 Walter could get a class 2 organization verification
> >>for Digital Mars
> >>and do code signing so we can get rid of that scary message when
> >>people run the
> >>installer. We use StartSSL for our code signing and website SSL
> >>and are happy
> >>with it.
> >
> >Would that work for all the websites? I.e. digitalmars.com, dlang.org, etc., or would it be a separate charge for each?
>
> The one cost and you could cover everything. StartSSL is novel in that all they do is verify your identity then let you generate as many certificates as you want. Most other CAs charge on a per certificate basis. I'm pretty happy with StartSSL apart from their terrible website.
I use the free certificates and it works very nicely!
--
Leandro Lucarella (AKA luca) http://llucax.com.ar/
----------------------------------------------------------------------
There is nothing more intense than a clock, nor anything thinner than a bicycle. Not intense like coffee, nor thin like a shotgun.
-- Ricardo Vaporeso
|
February 22, 2014 Re: https everywhere | ||||
---|---|---|---|---|
| ||||
Posted in reply to Nick Sabalausky | Nick Sabalausky, on 21 February at 16:47 you wrote to me:
> On 2/21/2014 4:39 PM, Brad Anderson wrote:
> >On Friday, 21 February 2014 at 21:37:39 UTC, Walter Bright wrote:
> >>
> >>Would that work for all the websites? I.e. digitalmars.com, dlang.org, etc., or would it be a separate charge for each?
> >
> >The one cost and you could cover everything. StartSSL is novel in that all they do is verify your identity then let you generate as many certificates as you want. Most other CAs charge on a per certificate basis. I'm pretty happy with StartSSL apart from their terrible website.
>
> This is true (I do it on my server, hosting a couple domains ATM).
>
> However, unless they've changed it since I last looked, you can't do subdomains (other than www.*) with their free cert.
No, you can use any subdomain, you can't use wildcards, but you can get as many subdomains as you want. To use several subdomains in one server, your server must support SNI[1], but any modern webserver should support it.
[1] https://en.wikipedia.org/wiki/Server_Name_Indication
--
Leandro Lucarella (AKA luca) http://llucax.com.ar/
----------------------------------------------------------------------
From the coming generations I expect nothing more than that they come.
-- Ricardo Vaporeso
|
February 22, 2014 Re: https everywhere | ||||
---|---|---|---|---|
| ||||
Posted in reply to Leandro Lucarella | On 2/22/2014 12:09 AM, Leandro Lucarella wrote:
> Nick Sabalausky, on 21 February at 16:47 you wrote to me:
>> On 2/21/2014 4:39 PM, Brad Anderson wrote:
>>> On Friday, 21 February 2014 at 21:37:39 UTC, Walter Bright wrote:
>>>>
>>>> Would that work for all the websites? I.e. digitalmars.com, dlang.org,
>>>> etc., or would it be a separate charge for each?
>>>
>>> The one cost and you could cover everything. StartSSL is novel in that
>>> all they do is verify your identity then let you generate as many
>>> certificates as you want. Most other CAs charge on a per certificate
>>> basis. I'm pretty happy with StartSSL apart from their terrible website.
>>
>> This is true (I do it on my server, hosting a couple domains ATM).
>>
>> However, unless they've changed it since I last looked, you can't do
>> subdomains (other than www.*) with their free cert.
>
> No, you can use any subdomain, you can't use wildcards, but you can get
> as many subdomains as you want. To use several subdomains in one server,
> your server must support SNI[1], but any modern webserver should support
> it.
>
> [1] https://en.wikipedia.org/wiki/Server_Name_Indication
>
I've tried to get a subdomain cert from them, but their system complained that I already had a cert from them for the same domain.
|
February 22, 2014 Re: https everywhere | ||||
---|---|---|---|---|
| ||||
Posted in reply to Nick Sabalausky | On 2/22/2014 1:39 AM, Nick Sabalausky wrote:
> On 2/22/2014 12:09 AM, Leandro Lucarella wrote:
>> Nick Sabalausky, on 21 February at 16:47 you wrote to me:
>>> On 2/21/2014 4:39 PM, Brad Anderson wrote:
>>>> On Friday, 21 February 2014 at 21:37:39 UTC, Walter Bright wrote:
>>>>>
>>>>> Would that work for all the websites? I.e. digitalmars.com, dlang.org,
>>>>> etc., or would it be a separate charge for each?
>>>>
>>>> The one cost and you could cover everything. StartSSL is novel in that
>>>> all they do is verify your identity then let you generate as many
>>>> certificates as you want. Most other CAs charge on a per certificate
>>>> basis. I'm pretty happy with StartSSL apart from their terrible
>>>> website.
>>>
>>> This is true (I do it on my server, hosting a couple domains ATM).
>>>
>>> However, unless they've changed it since I last looked, you can't do
>>> subdomains (other than www.*) with their free cert.
>>
>> No, you can use any subdomain, you can't use wildcards, but you can get
>> as many subdomains as you want. To use several subdomains in one server,
>> your server must support SNI[1], but any modern webserver should support
>> it.
>>
>> [1] https://en.wikipedia.org/wiki/Server_Name_Indication
>>
>
> I've tried to get a subdomain cert from them, but their system
> complained that I already had a cert from them for the same domain.
>
SNI *is* necessary, of course, to host multiple SSL-certs on the same server (regardless of whether they're separate subdomains or separate regular domains), but I already have my server doing that (one cert for each of two different domains).
|
February 22, 2014 Re: https everywhere | ||||
---|---|---|---|---|
| ||||
Posted in reply to Brad Anderson | On 2/21/2014 5:50 PM, Brad Anderson wrote:
> On Friday, 21 February 2014 at 21:50:21 UTC, Nick Sabalausky wrote:
>> On 2/21/2014 3:57 PM, Brad Anderson wrote:
>>>
>>> For $59.90 Walter could get a class 2 organization verification for
>>> Digital Mars and do code signing so we can get rid of that scary message
>>> when people run the installer. We use StartSSL for our code signing and
>>> website SSL and are happy with it.
>>
>> I think it's pretty much standard practice in the Windows world to
>> ignore that warning. I've seen very little software that does bother
>> with that code signing.
>
> I think it's ignored by users like you and I but at my work we'd get
> worried calls from our customers thinking our installer was unsafe so we
> ended up adding code signing.
Perhaps so. Although FWIW, there's also a *lot* of average-joe users (I personally know far too many) who flat-out *refuse* to read any word that ever appears on their screen. These retards^H^H^H^H^H^H^Hpeople^H^H^H^H^H^Hworthless wastes of carbon view "words" as things to be immediately shoo'ed away in a frenzy of mindless clicking and "How do I make this go away?!?!?" (Me: "Uhh, make what...well What does it say?" The Retard: "I dunno. I didn't read it." "[silently:]FFFUUUUCCCKKKKK YOOOOOOOUUUUUUU!!!!!!!!").
To be perfectly honest I actually *am* genuinely surprised to hear of the existence of retards who actually *do* read words on screens. Sounds almost like a paradise of geniuses compared to the bullshit I've always had to put up with.
|
February 22, 2014 Re: https everywhere | ||||
---|---|---|---|---|
| ||||
Posted in reply to Nick Sabalausky | On Saturday, 22 February 2014 at 06:59:00 UTC, Nick Sabalausky wrote:
> Perhaps so. Although FWIW, there's also a *lot* of average-joe users (I personally know far too many) who flat-out *refuse* to read any word that ever appears on their screen. These retards^H^H^H^H^H^H^Hpeople^H^H^H^H^H^Hworthless wastes of carbon view "words" as things to be immediately shoo'ed away in a frenzy of mindless clicking and "How do I make this go away?!?!?" (Me: "Uhh, make what...well What does it say?" The Retard: "I dunno. I didn't read it." "[silently:]FFFUUUUCCCKKKKK YOOOOOOOUUUUUUU!!!!!!!!").
>
> To be perfectly honest I actually *am* genuinely surprised to hear of the existence of retards who actually *do* read words on screens. Sounds almost like a paradise of geniuses compared to the bullshit I've always had to put up with.
And this is where if you're doing IT support, you add a nice little clause which requires them to read, and tell you any message they get. If they don't, well there won't be any stress on your end ;)
|
February 22, 2014 Re: https everywhere | ||||
---|---|---|---|---|
| ||||
Posted in reply to Nick Sabalausky | 22-Feb-2014 01:54, Nick Sabalausky wrote:
> On 2/21/2014 3:55 PM, deadalnix wrote:
>> On Friday, 21 February 2014 at 20:35:12 UTC, Dicebot wrote:
>>> On Friday, 21 February 2014 at 20:34:12 UTC, Walter Bright wrote:
>>>> dlang.org and dconf.org now support https,
>>>>
>>>> https://dlang.org
>>>> https://dconf.org
>>>>
>>>> Note that this is a self-signed certificate, and so when you first
>>>> access it you'll get a dire warning from your browser.
>>>
>>> Why can't free startssl certificate be used?
>>
>> The whole certification principle is about how much you trust who signs
>> the certificate. I trust digital mars much more than startssl.
>
> Self-signed certs *can't* be trusted to be from the party they claim to
> be from. Anyone can generate a self-signed cert claiming to be Digital
> Mars.
>
This. And since the site isn't dynamic and doesn't transmit private data the advantage of self-signed cert is highly dubious ;)
--
Dmitry Olshansky
|
February 22, 2014 Re: https everywhere | ||||
---|---|---|---|---|
| ||||
Posted in reply to Dmitry Olshansky | On 2/22/2014 12:43 AM, Dmitry Olshansky wrote:
> This. And since the site isn't dynamic and doesn't transmit private data the
> advantage of self-signed cert is highly dubious ;)
There isn't any private data on the site, it's just getting on the "https everywhere" bandwagon.
|
February 22, 2014 Re: https everywhere | ||||
---|---|---|---|---|
| ||||
Posted in reply to Walter Bright | 22-Feb-2014 13:12, Walter Bright wrote:
> On 2/22/2014 12:43 AM, Dmitry Olshansky wrote:
>> This. And since the site isn't dynamic and doesn't transmit private
>> data the
>> advantage of self-signed cert is highly dubious ;)
>
> There isn't any private data on the site, it's just getting on the
> "https everywhere" bandwagon.
>
Yes, and then you get nothing useful - self-signed certificate doesn't prove the authenticity of your website. Hence it's both useless and potentially harmful due to browser barking on the self-signed crap and scaring our users away.
Either get a CA-signed cert or we are much better off with plain HTTP.
--
Dmitry Olshansky
|