https everywhere update - dlang.org gets an "A" now!

On 11/24/2015 10:59 AM, David Nadlinger wrote: > On Monday, 23 November 2015 at 20:55:32 UTC, Walter Bright wrote: >> I'm pleased to announce that Jan Knepper has gotten us some proper >> certificates now, and dlang.org and digitalmars.com are now fully https! > > There are a number of issues with how SSL is set up on the server, from > misconfiguration and/or outdated software: > https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org&hideResults=on > > Compare this e.g. to issues.dlang.org, which achieves a solid A grade (although > it uses a SHA-1 intermediary certificate, which will lead to issues soon): > https://www.ssllabs.com/ssltest/analyze.html?d=issues.dlang.org&hideResults=on > > — David https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org&hideResults=on Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.

On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright wrote: > https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org&hideResults=on > > Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts. Nice work by Jan. I know how big of a hassle things like this can be so taking the time to actually do it is much appreciated. On a related note, Let's Encrypt hit public beta today[1]. With that I think we should be able to get all of the official infrastructure on TLS now. It's unfortunate it didn't come a bit sooner because now the NSA knows I read the entire DUB JSON thread, much to my shame. 1. https://letsencrypt.org/2015/12/03/entering-public-beta.html

December 03, 2015

Re: https everywhere update - dlang.org gets an "A" now!

Posted by Brad Roberts
in reply to Brad Anderson

Permalink

Brad Roberts

Posted in reply to Brad Anderson

Permalink

On 12/3/15 5:38 PM, Brad Anderson via Digitalmars-d-announce wrote:
> On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright wrote:
>> https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org&hideResults=on
>>
>> Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.
>
> Nice work by Jan. I know how big of a hassle things like this can be so taking the time to actually
> do it is much appreciated.
>
> On a related note, Let's Encrypt hit public beta today[1]. With that I think we should be able to
> get all of the official infrastructure on TLS now. It's unfortunate it didn't come a bit sooner
> because now the NSA knows I read the entire DUB JSON thread, much to my shame.
>
> 1. https://letsencrypt.org/2015/12/03/entering-public-beta.html

I'm glad that letsencrypt is out there doing the publicity, but getting and using ssl certs has been free via startssl for several years now.  What this new group is doing is the PR and marketing to get people to do it, of course under their own umbrella rather than another company's.

- Brad

On Friday, 4 December 2015 at 02:29:52 UTC, Brad Roberts wrote: > I'm glad that letsencrypt is out there doing the publicity, but getting and using ssl certs has been free via startssl for several years now. What this new group is doing is the PR and marketing to get people to do it, of course under their own umbrella rather than another company's. The free StartSSL thing was also nigh-unusable – when I gave it a try, their in-browser CSR gen thing broke on whatever recent version of Firefox I was using, which left me with no cert, but them claiming I had exhausted their offer. They also have this weird thing where they offer "one host name plus domain" only, and charge users for revoking their cert (!). — David

On 12/3/2015 6:55 PM, David Nadlinger via Digitalmars-d-announce wrote: > On Friday, 4 December 2015 at 02:29:52 UTC, Brad Roberts wrote: >> I'm glad that letsencrypt is out there doing the publicity, but >> getting and using ssl certs has been free via startssl for several >> years now. What this new group is doing is the PR and marketing to >> get people to do it, of course under their own umbrella rather than >> another company's. > > The free StartSSL thing was also nigh-unusable – when I gave it a try, > their in-browser CSR gen thing broke on whatever recent version of > Firefox I was using, which left me with no cert, but them claiming I had > exhausted their offer. They also have this weird thing where they offer > "one host name plus domain" only, and charge users for revoking their > cert (!). > > — David Interesting.. I've never had any problems, though I've never needed to revoke a cert.

On 2015-12-04 02:38, Brad Anderson wrote: > It's unfortunate it didn't come a bit sooner because now the NSA > knows I read the entire DUB JSON thread, much to my shame. You can expect a bill for "Wasting Time" in the mail anytime soon now :) -- /Jacob Carlborg

On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright wrote: > On 11/24/2015 10:59 AM, David Nadlinger wrote: > > On Monday, 23 November 2015 at 20:55:32 UTC, Walter Bright > wrote: > >> [...] > proper > >> [...] > fully https! > > > > There are a number of issues with how SSL is set up on the > server, from > > misconfiguration and/or outdated software: > > > https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org&hideResults=on > > > > Compare this e.g. to issues.dlang.org, which achieves a solid > A grade (although > > it uses a SHA-1 intermediary certificate, which will lead to > issues soon): > > > https://www.ssllabs.com/ssltest/analyze.html?d=issues.dlang.org&hideResults=on > > > > — David > > https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org&hideResults=on > > Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts. This is great. Can the certificate also be used for forum.dlang.org? I get a warning when I visit https://forum.dlang.org

On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright wrote: > Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts. This is what I get when I try: https://www.dlang.org/ "Your connection is not private Attackers might be trying to steal your information from www.dlang.org (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID" Matheus.

Forums