Chris Matthews via llvm-dev
2017-Feb-11 00:27 UTC
[llvm-dev] Bugzilla invalid certificate issues
Letsencrypt only offers domain validation certs. I think an EV cert would be more appropriate for llvm.org.

On February 10, 2017 at 2:45:22 PM, James Y Knight via llvm-dev (llvm-dev at lists.llvm.org) wrote:

> +1. Chrome has been warning about the certificate for a year or so now, with steadily increasing severity. Would've been nice to fix it back then.
>
> But, now, it's basically an emergency...the warning has made the https parts of the site effectively inaccessible to normal users running Chrome.
>
> A couple people have mentioned that llvm.org was "not working" to me recently. And, I hadn't upgraded Chrome yet, so I didn't understand what they were saying at the time. But, now I have: the full page blocking warning basically makes the site appear inaccessible, unless you're looking very closely.
>
> Is there some difficulty with buying a new certificate?
>
> Switching to letsencrypt would be best, and free, of course, but that takes a little more infrastructure work to set up, and I'd understand if maybe nobody's had the time to do that yet. Which is fine -- but in the meantime, can someone just pay for a new certificate from any of the standard CAs?
>
> On Fri, Feb 10, 2017 at 4:28 PM, Eric Fiselier via llvm-dev <llvm-dev at lists.llvm.org> wrote:
> Hi all,
>
> The bugzilla has always had an invalid certificate, but in the past week or so Google Chrome has begun treating it as a dangerous site. Meaning every time a new page is loaded a full-page warning splash appears and users have to click through it. This is getting really frustrating.
>
> What would it take to fix this?

_______________________________________________
LLVM Developers mailing list
llvm-dev at lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
Tanya Lattner via llvm-dev
2017-Feb-11 02:16 UTC
[llvm-dev] Bugzilla invalid certificate issues
Bugzilla will be fixed very soon.

-Tanya

> On Feb 10, 2017, at 4:27 PM, Chris Matthews <chris.matthews at apple.com> wrote:
>
> Letsencrypt only offers domain validation certs. I think an EV cert would be more appropriate for llvm.org.
>
> On February 10, 2017 at 2:45:22 PM, James Y Knight via llvm-dev (llvm-dev at lists.llvm.org) wrote:
>
>> +1. Chrome has been warning about the certificate for a year or so now, with steadily increasing severity. Would've been nice to fix it back then.
>>
>> But, now, it's basically an emergency...the warning has made the https parts of the site effectively inaccessible to normal users running Chrome.
>>
>> A couple people have mentioned that llvm.org was "not working" to me recently. And, I hadn't upgraded Chrome yet, so I didn't understand what they were saying at the time. But, now I have: the full page blocking warning basically makes the site appear inaccessible, unless you're looking very closely.
>>
>> Is there some difficulty with buying a new certificate?
>>
>> Switching to letsencrypt would be best, and free, of course, but that takes a little more infrastructure work to set up, and I'd understand if maybe nobody's had the time to do that yet. Which is fine -- but in the meantime, can someone just pay for a new certificate from any of the standard CAs?
>>
>> On Fri, Feb 10, 2017 at 4:28 PM, Eric Fiselier via llvm-dev <llvm-dev at lists.llvm.org> wrote:
>> Hi all,
>>
>> The bugzilla has always had an invalid certificate, but in the past week or so Google Chrome has begun treating it as a dangerous site. Meaning every time a new page is loaded a full-page warning splash appears and users have to click through it. This is getting really frustrating.
>>
>> What would it take to fix this?
Stephen Checkoway via llvm-dev
2017-Feb-11 20:28 UTC
[llvm-dev] Bugzilla invalid certificate issues
> On Feb 10, 2017, at 18:27, Chris Matthews via llvm-dev <llvm-dev at lists.llvm.org> wrote:
>
> Letsencrypt only offers domain validation certs. I think an EV cert would be more appropriate for llvm.org.

Interesting, why do you think EV certs are more appropriate? They don't offer any security benefits beyond those offered by DV certs. Given that much of llvm.org isn't even currently accessible over TLS, going straight to an EV cert seems overkill.

One nice aspect of Let's Encrypt certs is renewals are automatable so no one needs to keep track of when a new cert is necessary.

--
Stephen Checkoway
Chris Matthews via llvm-dev
2017-Feb-13 21:24 UTC
[llvm-dev] Bugzilla invalid certificate issues
EV certs attempt to validate the identity of the organization that holds them. That is a nice assurance to have from a place that makes the thing that compiles your code.

On February 11, 2017 at 12:28:08 PM, Stephen Checkoway (s at pahtak.org) wrote:

>> On Feb 10, 2017, at 18:27, Chris Matthews via llvm-dev <llvm-dev at lists.llvm.org> wrote:
>>
>> Letsencrypt only offers domain validation certs. I think an EV cert would be more appropriate for llvm.org.
>
> Interesting, why do you think EV certs are more appropriate? They don't offer any security benefits beyond those offered by DV certs. Given that much of llvm.org isn't even currently accessible over TLS, going straight to an EV cert seems overkill.
>
> One nice aspect of Let's Encrypt certs is renewals are automatable so no one needs to keep track of when a new cert is necessary.
>
> --
> Stephen Checkoway