Re: Community accounts and SSL - Mailing list pgsql-www

From Magnus Hagander
Subject Re: Community accounts and SSL
Date
Msg-id 1205359228.5803.18.camel@mha-laptop.clients.sollentuna.se
Whole thread Raw
In response to Re: Community accounts and SSL  ("Joshua D. Drake" <jd@commandprompt.com>)
Responses Re: Community accounts and SSL
List pgsql-www
On Wed, 2008-03-12 at 14:33 -0700, Joshua D. Drake wrote:
> On Wed, 12 Mar 2008 17:25:11 -0400
> Tom Lane <tgl@sss.pgh.pa.us> wrote:
> 
> > "Joshua D. Drake" <jd@commandprompt.com> writes:
> > > That is certainly one way, but do we really need that? Isn't a self
> > > signed cert good enough?
> > 
> > Self-signed certs on a public-facing website scream of amateurism.
> > Every time someone visits the site, their browser will complain
> > about it, and quite rightly.
> 
> Well that isn't true. It asks once and that's it. I will admit
> though that FF3 certainly makes it abundantly clear that it doesn't like
> it that first time. As far as the amateurism, opinion vary :).

It does not. If you click the proper button in your browser, it doesn't
even let you in. If you click the second-least-improper one, it will
complain every time. Only if you pick the one option you're really not
supposed to pick, does it only complain once.

I dunno aobut other browsers, but in firefox the "bitch again next
session" is the default, and in modern IE versions, not letting you in
at all is the default.

Using a self-signed certificate is only secure if you somehow distribute
the self-signed certificate to all clients but a different, secure,
path.


> > If you wanna do this, you need to pony up some cash to Verisign or
> > one of the other recognized CAs.
> 
> Well like I said, we can do that. If that is the way the community
> wants to go. A 5 year wildcard cert which could be used across all
> subdomains is about 500.00.

Wildcard cert might be an option. I don't recall which browsers they are
supported these days. It's also a potential security issue - we can't
use them on something like a shared host somewhere. Perhaps one, or when
we get more requirements a couple, of regular certificates is a better
way to go?

The free option is to use CACert. It's not included by default in any
browser (I think - maybe some really new one has it), but it does have
an actual statement of trust along with it.

//Magnus


pgsql-www by date:

Previous
From: "Dave Page"
Date:
Subject: Re: PostgreSQL user documentation wiki open for business
Next
From: Magnus Hagander
Date:
Subject: Re: Community accounts