pouët.net


https

category: general [glöplog]
What, Chrome is able to save self-signed certs? It's clearly a CA business conspiracy.
added on the 2013-07-08 13:44:15 by wysiwtf wysiwtf
*NOT able
added on the 2013-07-08 13:44:31 by wysiwtf wysiwtf
skomp: if it's a proper cert then https can be default, but if it's self-signed it can be a real pain to get the certificate stored and trusted, in that case i think it should definitely not be default.
added on the 2013-07-08 17:43:40 by psonice psonice
Chrome uses whatever the native platform uses for certificate management it seems. You can import a certificate into Windows by exporting it from the certificate inspection dialog.

(click on the lock next to the URL > Certificate Information > Details > Copy to File > Next > Choose .P7B and Include all certificates in certification path if possible > Next > Browse > Save certificate > Next > Finish > OK > OK. Open the exported certificate > Install certificate > Next > Place all certificates in following store > Browse > Trusted Root Certification Authorities > OK > Next > Finish > OK > OK)

Heh, ok, that's pretty horrible. Perhaps a CA issued certificate really is the way to go. :)

Is there anything I (or anyone) can do to help in that regard?
added on the 2013-07-08 20:01:56 by rc55 rc55
HEY!
didn't we try to get more (young) sceners on board of the demoscene lately? (well, if 6 years are to be called lately, that is!)
Now you want someone to "install" some Cert first, so he can access pouet?
What about download-links from other pages like youtube-videos etc? All the Youtubes say: "Watching VideoRips causes Cancer, watch the Realtime-Version instead, get it here: www.pouet.net/fuckyourselfGetACertifiateFirst" ???

really:
Anyone ever having had issues due to pouet not being certified please stand up and say "WHORE-HO!"
Fuck HTTPS, pouet does NOT need it!
you don't really understand how https works
added on the 2013-07-08 23:58:28 by stijn stijn
ruairi:
"pretty horrible" is all that remained in my brain after having dealt with Certs for something at work...
...so why the fuck do we want to fuck ourselves with sth "horrible" ?
also there's more than just .P7Bs, it's a really horrible way of trying to make anything secure that ain't at all, every coder knows how to "workaround" these Certs once he coded some usage of them ;)
Certificates are only Moneymakers to them who can't code, MoneyLessers to them who think they need it to hide sth, showing off they got sth to hide to them that can hack them easily! ;)

My very first post in this Thread may have sounded like a Troll, but believe me, giving away just the Public Key, keeping the Private Key is just a Theory in the End, although there are many implementations and usages of it, partly working! ;)
Please don't introduce this worthless thing to pouet, EOT.
Hardy: I think you're fundamentally misunderstanding a lot of things here.

Do you use online banking or any online shop? Did you notice that when you enter your credit card details that the site (should) be connected via HTTPS? Look in the URL bar for a padlock icon. Did you notice all the certificate exchanging was done automatically without any intervention?

That's pretty much what I'm suggesting for Pouet, so user credentials aren't exposed on the journey from your computer to the server, be it from packet sniffing (for passwords) or nefarious ISPs performing analytics or modifying traffic, which absolutely happens.

So, it'd be pretty nice to have that layer of protection, especially considering how ubiquitous shared network connections are.

Regarding self-signed certificates, if you choose to create your own certificate which isn't on the chain of a trusted root authority (like Verisign), all web browsers will throw a big warning up to say that the identity of the server cannot be confirmed but the connection will be encrypted.

Purchasing a certificate from a trusted authority doesn't cost a huge amount and places the responsibility of confirming the server identity on the company issuing the certificate, and has the added benefit of being transparent to the person browsing the site.

HTTPS is about confirming that the computer your computer is talking to is who they say they are, and encrypting the connection between you and the server to prevent modification and eavesdropping.

Also, I'm not mandating that Pouet uses HTTPS - although that would be cool (I wonder if there might be any issues with obscure platforms browsing though) - I just think it'd be a good thing to have.

I assume you've interpreted my suggestion as being that Pouet should mandate using a self-signed certificate before allowing anyone to browse the site. No, absolutely not! But having the option to would be nice for those who are interested and understand exactly what that entails.
added on the 2013-07-09 07:50:53 by rc55 rc55
Apologies for the triple post - not sure what went on there, WiFi is a bit flaky here!
added on the 2013-07-09 08:15:39 by rc55 rc55
Maybe your neighbours stole your login credentials and reposted that text?
lol.
added on the 2013-07-09 12:25:03 by rc55 rc55
Yeah, saying that "we shouldn't have https because skilled coders could circumvent it" is a kind of weak argument imho. Some level of security is better than no security, and anything that messes with dataloggers' heads, even if only for 5 minutes, is worth doing. Aspiring h4xX0r5 and chaoswreckers will also have to apply themselves.
added on the 2013-07-09 12:45:51 by El Topo El Topo
Get scene.org create a CA root certificate and have sceners install it on their computers. That way you can issue certificates for free and have a "trusted" authority issuing them.

Would not be a lot of hassle, really, except for maybe having all sceners importing the CA certificate... but then those who believe that's a hassle can go without https.
added on the 2013-07-09 13:47:06 by Jcl Jcl
Jcl: and then someone compromises scene.org and mitms the hell out of nearest demoparty.
added on the 2013-07-09 13:52:00 by provod provod
I think if scene.org gets compromised, a compromised root certificate would be one of their smallest issues.
Anyway, I shouldn't have mentioned self-signed certificates - we should really be talking about a proper CA issued one, yeah.

Let's see if we hear anything from gargaj / Redhound.

HTTPS is really not a big deal.
added on the 2013-07-09 15:27:56 by rc55 rc55
what on EARTH is on pouet that requires security?
other than erotic pictures of ruairi's one night stands with daleks.
exactly, I don't get why the fuck does pouet require ssl...
as said, if i had to choose, i would choose to visit ALL sites on the web over an encrypted connection if they offered one. at least the login data should be encrypted. sniffing it from an internet logon at Starbucks or any other public place is just too easy.
added on the 2013-07-09 17:05:57 by skomp skomp
Quote:
what on EARTH is on pouet that requires security?


Quote:
exactly, I don't get why the fuck does pouet require ssl...


I've explained this a number of times now - it's a good practice for any web service that authenticates a user to do so over https so stealing of credentials via eavesdropping is mitigated as well as contents being modified in either or both directions through transit. Verification of the pouet server identity is just another bonus which may not be totally relevant to this site but is nonetheless a nice thing to have.

Of course I understand that all content on pouet is public - but this particular suggestion DOES NOT CONCERN THAT. It is about providing SECURITY to users of the site, which will probably be optional anyway.

Get a clue or STFU.
added on the 2013-07-09 17:15:20 by rc55 rc55
maali, g. - is there EVER a situation where it's fine to send a username and password in plain text over a public network?
added on the 2013-07-09 17:20:43 by psonice psonice
well...pouet and 100,000 other low-profile websites that require simple user login?
psonice: agreed, yet who the hell would bother to impersonate another user on pouet in a way that becomes a serious matter? :)
