CAcert issued certificate for Redmine

Added by P. Kasita almost 10 years ago

Currently CAcert root CA is not included in major browsers/OSes. http://wiki.cacert.org/InclusionStatus
This gives scary warnings when accessing Redmine. CAcert is everything for being free as in freedom and free energy, but users do not care, sadly.
I can donate to the project $10 every year for a certificate from http://www.ssls.com/ or any other domain validation certificate vendor with a similar price tag. And after you change the domain I will donate again and again. But please, do not use a TLD controlled/influenced by the NSA, MSS, FSB or any other three letter agency or dependent country.
If you really care about the MITM attacks imposed by the NSA if the commercial CA is cooperating (by issuing a new certificate with their own key), then you can set up a second domain which will look like https://redmine-cac.replicant.us/ and use that with a CAcert-issued certificate. On https://redmine.replicant.us/ you can post a big red warning that HTTPS is protected by a commercial TLS/SSL certificate and instructions on how to install the CAcert root certificate into the browser/OS.

Where do I send donations for this specific goal?


Replies (7)

RE: CAcert issued certificate for Redmine - Added by Paul Kocialkowski over 9 years ago

This gives scary warnings when accessing Redmine. CAcert is everything for being free as in freedom and free energy, but users do not care, sadly.

That's not that big a deal -- I expect that most people interested in free software and Replicant will not mind having to accept the CAcert certificates and it is also just a warning, not a fatal error. On top of that, most GNU/Linux distributions provide easy and convenient ways to install the CAcert root certificate.

It seems that what CAcert is doing makes sense and having seen their identity verification procedures, I would call it reliable for what we're doing here. I definitely do not wish to spend money on a 3rd party SSL certification authority, which might be subject to being tapped by the NSA, even if you want to donate money on that in particular.

Maybe if many people start complaining about it, I'll review my decision, but CAcert seems good enough for now -- at least it's better than self-signed.

RE: CAcert issued certificate for Redmine - Added by P. Kasita over 9 years ago

it is also just a warning, not a fatal error.

In all modern browsers, this looks and behaves as a fatal error which is a good thing as it alerts for MITM attacks in a very obtrusive way. If the CAcert root CA is not already in a user's root CA store, a user has to know what she is doing. Most of them do not.

most GNU/Linux distributions provide easy and convenient ways to install the CAcert root certificate

Many distributions do not ship CAcert or ship it as disabled. Neither Windows nor Mac OS X ships it. Even Debian does not. So "easy" is as easy as installing any other CA in the root store. When installing the CAcert root certificate I need to make a "leap of faith" because there is no way to authenticate the certificate itself. HTTPS on cacert.org is protected by the CAcert root.

having seen their identity verification procedures, I would call it reliable

They are almost exactly the same. Automated DNS check and automated designated email check. Nothing more to get an anon certificate. From a user's standpoint it does not differ from any other better verified type issued by CAcert.

which might be subject to being tapped by the NSA

CAcert can be tapped in the same way. CAcert Inc is an Australian corporation. Australia is a member of Five Eyes.

Maybe if many people start complaining about it

People do not complain because when they see the wall of "invalid" certificate, they just go away.

My point is that PKI in its current form is broken. Any CA in my list of root CAs can issue a certificate for any domain. There is a high probability that many of them are actively cooperating with 3 letter agencies of their home countries. You will not notice that the certificate has changed unless you use something like Certificate Patrol for Firefox (I do) or use (privacy leaking in default config) Google Chrome with the check enabled for certificates which are not known to Google's crawlers. In the first case, I still need to make a "leap of faith" when storing the certificate for later checks (issued by a legitimate CA from the point of view of my root store). In the second case, you have to rely on Google and tell them about every HTTPS site you visit. And Google is a US company.

Please do not erect a "wall of competence" for your users unless you want only already competent users. Educate.

RE: CAcert issued certificate for Redmine - Added by P. Kasita over 9 years ago

I am observing a new wildcard certificate for replicant.us. It is a Class 3 from CAcert. The old one was expiring, anyway.
I am assuming that your decision was to continue to use CAcert. Too sad.

RE: CAcert issued certificate for Redmine - Added by Paul Kocialkowski over 9 years ago

I am assuming that your decision was to continue to use CAcert. Too sad.

Why is this really a problem? If it's just about the warning, it wouldn't be the first time we have to go one extra step for a free project. It seems like CaCert is a good thing and makes sense for a free software project like Replicant. It is slightly less convenient, but that's very often the case.

RE: CAcert issued certificate for Redmine - Added by P. Kasita over 9 years ago

Why is this really a problem?

IMHO, you do not want non-technically savvy users. If a user wants to report problems in Replicant she will be fended off by the CAcert scarewall in modern browsers.

RE: CAcert issued certificate for Redmine - Added by Paul Kocialkowski over 9 years ago

I didn't have any such report so far. I may change my mind if people actually start complaining about this, but in the meantime, I'll go with the assumption that it's not a problem for visitors to accept the CaCert certificate.

RE: CAcert issued certificate for Redmine - Added by P. Kasita over 9 years ago

I didn't have any such report so far

That is a chicken and egg problem. In order to report a problem you have to install a CAcert certificate. If you installed it to go to the Replicant Redmine, you no longer have any incentive to complain about CAcert, unless you are concerned about other users' convenience. OK, your project, your wisdom to make decisions. I have no other arguments. Peace.