[Babase] Re: link for website

Karl O. Pinc kop at meme.com
Fri Feb 15 13:24:47 EST 2008


> On Feb 15, 2008, at 11:34 AM, Jin H. Cordaro wrote:
>> The link for Babase is up and working (somewhat).  I am getting an
>> error message as follows:
>>
>> There is a problem with this website's security certificate.
>>
>> The security certificate presented by this website was not issued by
>> a trusted certificate authority.
>>
>> Security certificate problems may indicate an attempt to fool you or
>> intercept any data you send to the server.
>>
>> We recommend that you close this webpage and do not continue to this
>> website.

On 02/15/2008 10:45:45 AM, Susan Alberts wrote:
> Thanks Jin, the link works great.
> 
> Here is my understanding of the error message you are getting (this  
> is based on incomplete knowledge so I am copying to Karl). Some  
> computers (obviously including yours) are set to warn their users not  
> to go to web pages that have not been "authenticated"
<snip>

Here's the explanation:

Much of the Babase database is secured by encrypting the Internet
traffic to the site.  The encryption is done with security
certificates.  The major browser manufacturers control
what certificates are automatically accepted and which are questioned.
If you want your certificate to be automatically accepted by most
browsers, a recurring payment is required.  There's no reason we should
pay for a certificate, or even go to the trouble of getting a free
one at cacert.org (which isn't accepted by the major browsers
anyway).  It's enough that we make our own certificate and tell our
users to accept our certificate.

The sole purpose of the certificate (they are not really needed
for the encryption itself) is to ensure that you're really
talking to the website you think you are.  (This assumes that
the people issuing the certificate check the identity of
each website which applies for a certificate, a process in which
I have little confidence.)  Since nobody is likely to be impersonating
the Babase website, and it (mostly) wouldn't matter if they
did, there's not much of an issue for us.

Someone impersonating the Babase site _could_ steal Babase passwords.
(You'd, somehow, go to the fake site and then type your password
while trying to log in.  I think we're safe so long as Jin does not
accidentally link to a fake Babase site.  ;)
For this reason we announce whenever we re-issue our own
certificate so people know it's safe to accept the new certificate.

(If there's nothing on the wiki about accepting the certificate
upon the first visit to the Babase web site, there should be.)

> Because Karl felt that putting the link there would get more people  
> to the babase site and the source code he just put there, he may want  
> to do something, but I don't feel strongly about it one way or  
> another.

I have not been particularly persnickety about what portions of the
Babase site are protected with encrypted web traffic and what not.
A lot of the site is secured that does not need to be.  It's not that
big a deal to fix but is just another administrative detail that's
not high up on the priority list.  I'm not worried about fixing it
anytime soon; although there is additional CPU overhead incurred, it's
not significant.  In the long run we should pay closer attention.


Karl <kop at meme.com>
Free Software:  "You don't pay back, you pay forward."
                  -- Robert A. Heinlein
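
Added example (not part of the original message and not Babase's own code): one way a user could check a self-made certificate before accepting it, assuming the re-issue announcement carries the certificate's SHA-256 fingerprint. The function names and the sample byte strings are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl
import string
from typing import Iterable


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Keep only hex digits so fingerprints pasted from e-mail compare equal."""
    return "".join(ch for ch in fp if ch in string.hexdigits).lower()


def matches_announced(der_cert: bytes, announced: Iterable[str]) -> bool:
    """True only if the presented certificate is one the admin announced."""
    seen = normalize(fingerprint(der_cert))
    return any(hmac.compare_digest(seen, normalize(a)) for a in announced)


def fetch_der_cert(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the server certificate without trusting it yet (network needed)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no CA vouches for a self-made cert
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for DER bytes (not real certificates), so this runs offline.
OLD_CERT = b"constructed-der-bytes: certificate in use before re-issue"
NEW_CERT = b"constructed-der-bytes: certificate after announced re-issue"
FAKE_CERT = b"constructed-der-bytes: certificate from an impersonating site"

if __name__ == "__main__":
    announced = [fingerprint(OLD_CERT), fingerprint(NEW_CERT).lower()]
    for name, cert in [("old", OLD_CERT), ("new", NEW_CERT), ("fake", FAKE_CERT)]:
        verdict = "accept" if matches_announced(cert, announced) else "REJECT"
        print(f"{name:5} {fingerprint(cert)[:23]}...  {verdict}")
```

The comparison only means something if the announced fingerprint reaches the user by a channel other than the web site being checked, such as the mailing list.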