Re: Forced HTTPS on web site
Andrew Savchenko, 09.03.2012 15:51:
> On Fri, 09 Mar 2012 15:31:53 +0100 Alexander Kriegisch wrote:
>> Maybe
>> it would be a good idea to either use a commercial certificate or, if
>> that is too expensive, continue using the self-signed one, but only to
>> log in and after you are logged in.
> 
> A commercial certificate is not necessary

I agree, but only if it is a matter of money.

> CACert certificates are
> acknowledged by any sane browser and may be obtained for free after
> registration.

They are not much more secure than a self-signed cert, but definitely
better than nothing.

> A self-signed certificate is an inappropriate solution anyway, because it
> provides no real security (forged server may use its own self-signed
> certificate) and will be rejected by most check patterns.

True, but for a small circle of developers who can directly compare the
fingerprint I guess it is okay, no need to be over-paranoid there.

>> Me personally, I know how to import a cert, but this knowledge should
>> not be necessary to access your web site without being annoyed by the
>> warning all the time
> 
> Users who are not able to install a certificate should learn how to
> do so. Really, I was always amused why one needs a license to drive a
> car and no license to use a computer, though computers are more
> complex and sophisticated than cars even considering onboard
> electronics on modern cars.

I guess this snobbish attitude is wrong. Users are clients, and you
should make life easier for them, not harder. Even to me, being a
computer scientist, it is a pain in the ass to manually import a cert
just because I want to *read* (not even edit) a web site. It is ridiculous.
--
Alexander Kriegisch (kriegaex)
http://freetz.org
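The fingerprint comparison mentioned above (a small circle of developers checking a self-signed certificate against a value received out of band) as an added example that is not part of this thread: a Python check that computes the SHA-256 fingerprint of a PEM certificate and compares it, in constant time, with the expected value in any of the usual notations. The PEM sample is constructed from arbitrary bytes rather than a real certificate, and the function names are my own.

```python
import base64
import hashlib
import hmac
import re

# The fingerprint is a hash of the certificate's DER encoding, and the DER is
# simply the base64 payload inside the PEM envelope, so no ASN.1 parsing is needed.
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, the form browsers display."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))

def normalize_fingerprint(text: str) -> str:
    """Accept 'SHA256 Fingerprint=AB:CD:..', 'ab:cd:..' or bare hex; return upper hex."""
    value = re.sub(r"[^0-9a-fA-F]", "", text.split("=", 1)[-1])
    if len(value) != 64:
        raise ValueError("expected a 64-hex-digit SHA-256 fingerprint")
    return value.upper()

def check_pinned(pem: str, expected: str) -> bool:
    """True if the cert in `pem` has the fingerprint the developer received out of band."""
    actual = normalize_fingerprint(sha256_fingerprint(pem_to_der(pem)))
    return hmac.compare_digest(actual, normalize_fingerprint(expected))

# Constructed sample: arbitrary bytes standing in for a DER certificate (not a real
# certificate). Wrapping them in a PEM envelope is enough to exercise the check.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    fp = sha256_fingerprint(pem_to_der(SAMPLE_PEM))
    print("SHA256 Fingerprint=" + fp)
    print("pinned:", check_pinned(SAMPLE_PEM, fp))
```

For a real certificate file the value printed is the same one `openssl x509 -in cert.pem -noout -fingerprint -sha256` shows, so the expected fingerprint can be taken straight from that command's output on the server side.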

