• Cannot access ~institute website -- certificate has expired?

    From Annada Behera@annada@tilde.green to tilde.institute on Wed Sep 11 18:37:29 2024
    Howdy institution users and admins,
    I cannot access tilde.institute because my browser says that either the certificate has expired or someone is man-in-the-middle attacking the website.
    Just want to make sure that I am not the only one.
    Sincerely,
    Annada
    --- Synchronet 3.19b-Linux NewsLink 1.113
  • From yeti@yeti@tilde.institute to tilde.institute on Wed Sep 11 14:17:56 2024
    Annada Behera <annada@tilde.green> writes:

    I cannot access tilde.institute because my browser says that either the certificate has expired or someone is man-in-the-middle attacking the website.
    Just want to make sure that I am not the only one.

    I mentioned this in their IRC channel.
    --
    This stealth signature intentionally left blank.
  • From barnold@barnold@tilde.club to tilde.institute on Thu Sep 12 01:53:50 2024
    On 2024-09-11 Wed 13:07 GMT, Annada Behera <annada@tilde.green> wrote:
    Just want to make sure that I am not the only one.

    You're not.
    <https://michael.orlitzky.com/articles/lets_not_encrypt.xhtml>
    seems relevant here.

    Sincerely,
    Annada
    --
    barnold
    Money can't buy happiness, but it can make you awfully comfortable while
    you're being miserable.
    -- C. B. Luce
  • From Annada Behera@annada@tilde.green to tilde.institute on Thu Sep 12 11:34:21 2024
    On 2024-09-11 Wed 13:07 GMT, Annada Behera <annada@tilde.green> wrote:
    Just want to make sure that I am not the only one.

    You're not.
    <https://michael.orlitzky.com/articles/lets_not_encrypt.xhtml>
    seems relevant here.
    Didn't know that certificate signing authorities are scammy. That was an eye-opening article. Thank you for sharing. At this point all the propaganda
    around `switch to HTTPS' makes sense, just like they did to push systemd
    back in 2014. Hope we can go back to HTTP, at least in tildeverse.
    Update 2023-11-05: Yeah, I've got an LE cert now. And I don't want to
    talk about it.
    LOL.
  • From yeti@yeti@tilde.institute to tilde.institute on Fri Sep 13 05:12:47 2024
    yeti <yeti@tilde.institute> writes:

    Annada Behera <annada@tilde.green> writes:

    I cannot access tilde.institute because my browser says that either the
    certificate has expired or someone is man-in-the-middle attacking the website.
    Just want to make sure that I am not the only one.

    I mentioned this in their IRC channel.

    One line from IRC/#institute ...

    03:13:03 ~gbmor │ yeti: fixed the cert

    ... and indeed the httpd does its funny(?) S things again.
    --
    3. Hitchhiker 31: (18) At least, if it wasn't real, it did support them,
    and as that is what sofas are supposed to do, this, by any test that
    mattered, was a real sofa.
  • From jmjl@jmjl@tilde.green to tilde.institute on Tue Oct 29 19:57:37 2024
    On 2024-09-12, Annada Behera <annada@tilde.green> wrote:
    Hope we can go back to HTTP, at least in tildeverse.

    There are some advantages to HTTPS (even when using your own self-signed
    cert), like the traffic being encrypted, which Michael has written
    about[1].

    [MO] Completely unsecured, plain HTTP. No browser warning at all!

    If you use something like HTTPS Everywhere you get a warning too, but most
    people aren't installing these types of extensions.

    [MO] Self-signed certificate, provides encryption only. Big red warning!

    I partially understand why this would be, as you wouldn't want someone to
    be able to MITM someone else, and not have the end-user (someone else) be notified, but it is acceptable for most use cases to not have a self-signed
    cert, and more when the browser doesn't explain it clearly and the user
    isn't trained with this kind of knowledge.

    As the author states in that article[2], most sites don't **need**
    certificates or encryption.

    Yes, it's helpful for the encryption being available, as if it's
    encrypted your ISP only knows that you're accessing that domain, and in
    some cases (Encrypted Client Hello + DNS over HTTPS) they know even less.

    But as currently adopted we're relying on CAs which may very well issue
    false certs + Having government-made non-constrained to their ccTLD CAs that are
    required to be trusted[3], more or less doesn't affect the situation, yes it does technically a little bit, since it technically allows the EU to
    do MITM if they want, but not much, as they probably could just take
    the keys from some CA that must obey subpoenas of the EU.

    [MO] CA-signed certificate, provides encryption and “authentication.”
    No warning.

    Yeah, technically authenticated, any CA could have signed it so still
    allows the possibility of MITM at least for now, and if Certificate Transparency is fully implemented, we'd be able to view and monitor after
    the fact those certificates[4], which could make detecting it easier, if
    it's a MITM on a local network level that doesn't expand too much, and
    doesn't affect the BGP routes of a monitoring system, so the system that
    is doing monitoring doesn't get MITMed.

    [1] https://michael.orlitzky.com/articles/in_defense_of_self-signed_certificates.xhtml
    [2] https://michael.orlitzky.com/articles/lets_not_encrypt.xhtml
    [3] https://last-chance-for-eidas.org/
    Oh, well, they didn't update the website with information about what
    happened. And I can't be bothered to search it up.
    [4] https://groups.google.com/g/certificate-transparency/c/Dopv9mwbh2g/m/sJjoOBVlBAAJ
    --
    ~jmjl
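The after-the-fact Certificate Transparency monitoring mentioned in the last post, together with the expiry problem that started the thread, as an added example that is not part of any post above. It assumes log entries in the JSON shape that crt.sh returns; the domain, issuers, serials and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of crt.sh JSON output (not real log entries).
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "example.test\nwww.example.test", "serial_number": "03aa",
     "not_before": "2024-08-01T00:00:00", "not_after": "2024-10-30T00:00:00"},
    {"id": 2, "issuer_name": "C=XX, O=Unknown Trust Services, CN=UTS CA 1",
     "name_value": "example.test", "serial_number": "7f01",
     "not_before": "2024-09-10T00:00:00", "not_after": "2025-09-10T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R10",
     "name_value": "*.example.test", "serial_number": "04bb",
     "not_before": "2024-05-01T00:00:00", "not_after": "2024-07-30T00:00:00"},
])

def issuer_org(issuer_name):
    """Extract the O= component from a 'C=.., O=.., CN=..' issuer string."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return None

def review_ct_entries(raw_json, domain, expected_orgs, known_serials, now, warn_days=14):
    """Return (alerts, expiring).

    alerts:   logged certs for the domain that the operator did not request
              (unexpected issuer or unknown serial), expired or not.
    expiring: the operator's own still-valid certs within warn_days of expiry.
    """
    alerts, expiring = [], []
    for entry in json.loads(raw_json):
        names = {n.strip().lower() for n in entry["name_value"].splitlines()}
        if not any(n == domain or n.endswith("." + domain) for n in names):
            continue  # entry is for some other domain
        serial = entry["serial_number"].lower()
        if issuer_org(entry["issuer_name"]) not in expected_orgs or serial not in known_serials:
            alerts.append((entry["id"], entry["issuer_name"], serial))
            continue
        remaining = datetime.fromisoformat(entry["not_after"]) - now
        if timedelta(0) <= remaining <= timedelta(days=warn_days):
            expiring.append((entry["id"], remaining.days))
    return alerts, expiring
```

As jmjl's post points out, this only helps if the monitor itself reaches the logs over a path that is not being intercepted.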