[Babase] RE: link for website
Jeanne Altmann
altj at Princeton.EDU
Fri Feb 15 14:04:14 EST 2008
Thanks for the very helpful and thorough reply Karl. As I understand
it, there is nothing we want to or need to change except perhaps dealing with
"(If there's nothing on the wiki about accepting the certificate upon
the first visit to the Babase web site, there should be.)"
Also, I wonder if we really want the link to the alternative home page
(the wiki home page) rather than to the one we are currently linking to.
Also, ok if we change 'alternate' to 'alternative'?
jeanne
-----Original Message-----
From: Karl O. Pinc [mailto:kop at meme.com]
Sent: Friday, February 15, 2008 1:25 PM
To: Susan Alberts
Cc: Jin H. Cordaro; Jeanne Altmann; babase at eeblistserv.princeton.edu
Subject: Re: link for website
> On Feb 15, 2008, at 11:34 AM, Jin H. Cordaro wrote:
>> The link for Babase is up and working (somewhat). I am getting an
>> error message as follows:
>>
>>
>>
>> There is a problem with this website's security certificate.
>>
>> The security certificate presented by this website was not issued by
>> a trusted certificate authority.
>>
>> Security certificate problems may indicate an attempt to fool you or
>> intercept any data you send to the server.
>>
>> We recommend that you close this webpage and do not continue to this
>> website.
On 02/15/2008 10:45:45 AM, Susan Alberts wrote:
> Thanks Jin, the link works great.
>
> Here is my understanding of the error message you are getting (this is
> based on incomplete knowledge so I am copying to Karl). Some computers
> (obviously including yours) are set to warn their users not to go to
> web pages that have not been "authenticated"
<snip>
Here's the explanation:
Much of the Babase database is secured by encrypting the Internet
traffic to the site. The encryption is done with security certificates.
The major browser manufacturers control what certificates are
automatically accepted and which are questioned.
If you want your certificate to be automatically accepted by most
browsers, recurring payment is required. There's no reason we should pay
for a certificate, or even go to the trouble of getting a free one at
cacert.org (which isn't accepted by the major browsers anyway). It's
enough that we make our own certificate and tell our users to accept our
certificate.
The sole purpose of the certificate (they are not really needed for the
encryption itself) is to ensure that you're really talking to the
website you think you are. (This assumes that the people issuing the
certificate check the identity of each website which applies for a
certificate, a process in which I have little confidence.) Since nobody
is likely to be impersonating the Babase website, and it (mostly)
wouldn't matter if they did, there's not much of an issue for us.
Someone impersonating the Babase site _could_ steal Babase passwords.
(You'd, somehow, go to the fake site and then type your password while
trying to login. I think we're safe so long as Jin does not
accidentally link to a fake Babase site. ;) For this reason we announce
whenever we re-issue our own certificate so people know it's safe to
accept the new certificate.
(If there's nothing on the wiki about accepting the certificate upon the
first visit to the Babase web site, there should be.)
> Because Karl felt that putting the link there would get more people to
> the babase site and the source code he just put there, he may want to
> do something, but I don't feel strongly about it one way or another.
I have not been particularly persnickety about what portions of the
Babase site are protected with encrypted web traffic and what not.
A lot of the site is secured that does not need to be. It's not that
big a deal to fix but is just another administrative detail that's not
high up on the priority list. I'm not worried about fixing it anytime
soon; although there is additional CPU overhead incurred it's not
significant. In the long run we should pay closer attention.
Karl <kop at meme.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
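
Added example, not part of the original thread or of Babase's own code: one way a user could check a self-signed certificate before accepting it is to compare its SHA-256 fingerprint with the one published in a re-issue announcement. That the announcement carries a fingerprint is an assumption, as are all function names and the sample bytes, which are a constructed stand-in for a certificate.

```python
import hashlib
import hmac
import ssl


def normalize_fingerprint(text):
    """Reduce 'AB:CD:...', 'ab cd ...' or 'abcd...' to 64 lowercase hex digits."""
    cleaned = "".join(ch for ch in text if ch not in ": \t\r\n-").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


def pem_fingerprint(pem):
    """SHA-256 over the DER bytes, the value browsers show as the fingerprint."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def matches_announcement(pem, announced):
    """True only if the presented certificate is the announced one."""
    return hmac.compare_digest(pem_fingerprint(pem),
                               normalize_fingerprint(announced))


def check_site(host, announced, port=443):
    """Fetch whatever certificate the server presents (no CA validation,
    which is the point for a self-signed site) and compare it."""
    pem = ssl.get_server_certificate((host, port))
    return matches_announcement(pem, announced)


# Constructed sample data: stand-in bytes, not a real certificate.
SAMPLE_DER = b"constructed stand-in for the site's self-signed certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
_digest = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
# Fingerprint as it might appear in an announcement: upper case, colon separated.
ANNOUNCED = ":".join(_digest[i:i + 2] for i in range(0, 64, 2))
# A different certificate, as an impersonating site would present.
OTHER_PEM = ssl.DER_cert_to_PEM_cert(b"constructed bytes of some other certificate")

if __name__ == "__main__":
    print("announced certificate:", matches_announcement(SAMPLE_PEM, ANNOUNCED))
    print("other certificate:    ", matches_announcement(OTHER_PEM, ANNOUNCED))
```

The comparison is only as trustworthy as the channel the announced fingerprint arrived on, so it should come from somewhere other than the web site being checked.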