[Babase] Certificate for papio
Karl O. Pinc
kop at meme.com
Sun Oct 19 23:32:32 EDT 2008
On 10/19/2008 02:33:01 PM, Susan Alberts wrote:
> We have been giving out the web address papio.biology.duke.edu to
> colleagues and citing it in grants. Several people have contacted me
> about the fact that when they enter this address they get a "no valid
> certificate, your information might be at risk" message. Can we fix
> this?
It's a racket, in that the browser makers (Microsoft, mostly) pop up
that message unless you deal with the companies they choose to support.
Verisign is one of the 2 major certificate companies; they charge
$399/year to keep the message from coming up. (I thought they
were cheaper, but I've not looked in a while and the industry
has consolidated.) (The alternative to centralized authorities,
and their inevitable monetary fees, is the web of trust,
http://en.wikipedia.org/wiki/Web_of_trust, which does not
seem to be getting much traction. Probably because there's
not money to be made. It's not really Microsoft's fault, in that
any centralized approach requires validation and has
consequent costs that must be covered. However, MS has
done nothing to encourage use of the web of trust. Were
MS to participate in the web of trust it would instantly be
accepted and we wouldn't see these fees.)
We use a self-signed certificate, which is quite common for
those who just want security. We could get a non-profit like
cacert.org to sign our certificate, but I don't think it'd help
because AFAIK cacert is not trusted by Microsoft.
So, there are 3 choices.
1) We could pay somebody.
2) We could tell people to permanently accept our certificate
so they no longer get the message. (Write some standard
blurb to send them when you refer them to the site.)
One potential problem is that our certificate
expires every year, so every year you need to re-accept
the certificate. I could make the certificates last
longer, or perhaps solve the expiration issue in other
ways, but I like re-issuing the security certificate
for reasons of security and because otherwise I'll
forget how to make them and it'll be a big hassle.
See the list archives for messages from me regarding
the annual re-generation of our certificate and
how to tell the browser not to complain, etc.
3) The technical solution is for me to spend a few
hours on the website and remove all security from
the publicly accessible parts. It was easiest,
and brain-dead easy from the security concern side,
to just secure everything. The down side is
that the url changes, from https://papio.biology.duke.edu/
to http://papio.biology.duke.edu. (Note lack of 's'
on http.) This may or may not be an issue. I
can get clever and automatically redirect
requests to secure or unsecured page versions
as appropriate, but it's more fussing
and another little bit of added complication.
Let me know where you want to go with this.
There's always option 0, do nothing. :-)
Karl <kop at meme.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein