In the year 2015, this kind of laziness is no longer appropriate.
Description
Event Timeline
That is actually on purpose. The X.509 system is broken beyond repair. It is
just not SECURE. The only thing you get is protection against passive
eavesdropping (if at all).
However, given all these complaints it might be easier to pay for a certificate.
I will consider this but first the tracker needs to be moved to another box.
In what other ways have you "on purpose" reduced the security of your users
for tin-foil-hat political reasons I wonder?
Buy the cert. It's, like, $3.50 (comodo), or if you really want to splurge,
$49 for unlimited number of domains and SANs and wildcards and whatever else
tickles your fancy (startssl)
I have not reduced the "security" of anything for political reasons.
This discussion does not belong in a bug tracker - please use gnupg-users
instead. Thanks.
Just a last remark: You have an encrypted connection which protects you from
passive eavesdropping of the password. Securing against active attacks is much
harder and thus useless. The only thing we need to protect is the password
which in turn is only used as an anti-spam measure. All information in the
tracker is public anyway.
You stated that you deliberately used a self-signed SSL cert instead of
buying one, because, in your own words, "The X.509 system is broken beyond
repair."
That is a political reason, and it has reduced user security. Using
non-working SSL reduces security - you do know that, don't you?
The *reason* security gets "broken beyond repair", is because too many
people change mistakes into "notbug" and never fix stuff.
Bite your tongue, swallow your pride, spend the $3.50 and just buy a
certificate mate.
This conversation is going to get read by other people in future, you decide
next what you want them to think about you.
Pretty please take this discussion to the public, i.e. gnupg-users. And please
stop re-changing priority values.