Month: February 2017

Re: [trinity-devel] Trinity SSL Certificates

From: Calvin Morrison <mutantturkey@...>
Date: Thu, 16 Feb 2017 20:21:32 -0500
Consider it done.


On 16 February 2017 at 14:45, Timothy Pearson
<kb9vqf@...> wrote:
> As some of you may already be aware, StartCom (a major provider of SSL
> certificates) has repeatedly and intentionally violated the basic rules to
> be listed as a root CA in most browsers [1] [2].  Unfortunately, TDE used
> StartCom as its root CA provider in an attempt to lower overall costs; as
> a result, the main TDE pages, QuickBuild, and other related services will
> no longer be accessible to the majority of Web clients.
> We do not have the funds to replace the certificate with a costlier option
> at this time.  LetsEncrypt does not appear to be secure enough as it
> effectively requires automated certificate installation on the master
> servers, and furthermore I expect it to be removed as a fully trusted
> root CA or at least demoted in some way in the future [3].
> Due to the industry-standard security in use, we cannot simply disable
> HTTPS without disabling access to all TDE sites previously using HTTPS.
> Furthermore, disabling HTTPS would open TDE users and visitors to
> malicious MITM attack, and I am not willing to do this.
> Our only options come down to either accepting the heavy loss in visitors
> / traffic that will come from using a self-signed certificate, or
> attempting to raise the funds required to purchase a new certificate.  It
> should only cost around $200 to obtain a new multi-year certificate
> covering TDE, so if you can please contribute something toward this goal
> via our donations page [4].
> Again, I apologize for the inconvenience; it is not common for a CA to be
> delisted and the impact from this has been felt across many sites.
> Unfortunately, it will only continue to worsen as Chrome (with its 75%
> market share) is updated by end users over the next few days / weeks.
> Thank you!
> [1]
> [2]
> [3]
> [4]