
HTTPS Support for moztw.org and gfx.tw

Open petercpg opened this issue 11 years ago • 9 comments

Currently we have these options:

  • Simply make a self-signed cert.
    • At least there would be some minimum but not 'trustworthy' security.
  • Ask Mozilla to sign one: Bug 778395
    • Not recommended, as Mozilla only signs GeoTrust certs that are owned by them.
    • Of course, I don't think we should transfer the domains to Mozilla in any way.
  • Donate one by someone or buy one by MozTW
    • Not sure if this is an option, since the owner of moztw.org is piaip and gfx.tw is timdream for now; the verification and trust policy will be pointed to them even if the contact could be [email protected] or any other people.

Also we'll have to build up a stricter policy (i.e., restrict sudo usage; server hosting provider's policy) for those accounts that can log in to our server, to ensure the safety of private keys before deployment.

Suggestions? Opinions?

petercpg avatar Mar 03 '13 16:03 petercpg
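The first option above (a self-signed cert) and the private-key policy point can be checked locally. This is an added illustration, not code from the moztw/central thread; it assumes the `openssl` CLI is installed, and the file names and CN are constructed for the demo.

```shell
#!/bin/sh
# Added illustration for the options in the issue; not code from the
# moztw/central thread. Assumes the openssl CLI. Paths and the CN below
# are constructed for the demo.
set -eu

WORKDIR="$(mktemp -d)"
KEY="$WORKDIR/site.key"
CRT="$WORKDIR/site.crt"

# Option 1 from the issue: a throwaway self-signed certificate.
# The private key gets owner-only permissions as soon as it is written.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=moztw.example" -keyout "$KEY" -out "$CRT" >/dev/null 2>&1
  chmod 600 "$KEY"
}

# Emulate a client's trust decision. "system" uses the default CA store,
# which is roughly what a visitor's browser does; any other argument is a
# CA file the client has explicitly chosen to trust (a pinned cert).
verify_as_client() {
  if [ "$1" = system ]; then
    openssl verify "$CRT" >/dev/null 2>&1 && echo trusted || echo untrusted
  else
    openssl verify -CAfile "$1" "$CRT" >/dev/null 2>&1 && echo trusted || echo untrusted
  fi
}

# The "stricter policy" point: the key must not be readable by other
# accounts on the host. Succeeds only for mode 0600.
key_mode_ok() {
  mode="$(stat -c '%a' "$KEY" 2>/dev/null || stat -f '%Lp' "$KEY")"
  [ "$mode" = "600" ]
}

make_self_signed
echo "default store: $(verify_as_client system)"   # untrusted
echo "pinned cert:   $(verify_as_client "$CRT")"   # trusted
key_mode_ok && echo "key permissions: ok"
```

The self-signed cert encrypts the connection but only clients that explicitly pin it will accept it; a CA-signed cert removes that step for visitors.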

How about StartSSL? They have a free basic CA for a single domain.

Peter Chen wrote on Monday, March 4, 2013:

Currently we have these options:

  • Simply make a self-signed cert.
    • At least there would be some minimum but not 'trustworthy' security.
  • Ask Mozilla to sign one: Bug 778395 https://bugzilla.mozilla.org/show_bug.cgi?id=778395
    • Not recommended, as Mozilla only signs GeoTrust certs that are owned by them.
    • Of course, I don't think we should transfer the domains to Mozilla in any way.
  • Donate one by someone or buy one by MozTW
    • Not sure if this is an option, since the owner of moztw.org is piaip and gfx.tw is timdream for now; the verification and trust policy will be pointed to them even if the contact could be [email protected] or any other people.

Also we'll have to build up a stricter (i.e., restrict sudo usage; server hosting provider's policy) to ensure the safety of private keys before deployment of keys.

Suggestions? Opinions?


OOO

othree avatar Mar 03 '13 16:03 othree

Although this is also a cert signed by someone else, StartSSL sometimes steps on the landmine from point one: some clients/browsers don't trust it XD

But most desktop browsers seem to accept StartSSL, right?

petercpg avatar Mar 03 '13 16:03 petercpg

Yes, it's supported by most browsers. I am using it on my blog if you want to test who trusts it. You can access my blog with your clients to see the result.

Peter Chen wrote on Monday, March 4, 2013:

Although this is also a cert signed by someone else, StartSSL sometimes steps on the landmine from point one: some clients/browsers don't trust it XD

But most desktop browsers seem to accept StartSSL, right?


OOO

othree avatar Mar 03 '13 17:03 othree

Looks like it works now; when I used it on other sites before, it often had problems...

So it seems that if we do this, we don't need to sign it ourselves?

petercpg avatar Mar 03 '13 17:03 petercpg

See this article: http://blog.miniasp.com/post/2013/01/10/The-Complete-Guide-Free-StartSSL-personal-and-web-site-ssl-tls-certificates.aspx

This is only a Class 1 root certificate.

bcbcarl avatar Mar 03 '13 17:03 bcbcarl

From start to finish I've only been considering a Level 1 certificate.

For one, Level 1 doesn't affect our use case; the StartSSL Level 1 CA being distrusted is only because anyone can apply for one (that's probably also why it wasn't trusted when I used StartSSL before).

Besides, we might not even be able to buy Level 2 or above; we are not an entity legally.

On Mon, Mar 4, 2013 at 1:49 AM, Carl X. Su [email protected] wrote:

See this article: http://blog.miniasp.com/post/2013/01/10/The-Complete-Guide-Free-StartSSL-personal-and-web-site-ssl-tls-certificates.aspx

This is only a Class 1 root certificate.


petercpg avatar Mar 03 '13 18:03 petercpg

I pinged that bug on Bugzilla first; having Mozilla sign it would be best (I think since ReMo already discussed it and decided to do it, if we end up not doing it we should at least go back and tell ReMo to stop).

bobchao avatar Mar 31 '13 01:03 bobchao

I thought his tone was neither confirming it would be done nor saying it wouldn't, so it's on hold for now?

petercpg avatar Mar 31 '13 04:03 petercpg

HTTPS for moztw.org is live on prod; let's wait and test for a while, then deploy to other services.

petercpg avatar Apr 20 '15 11:04 petercpg