From: "karl AT aspodata DOT se [via geda-user AT delorie DOT com]"
To: geda-user AT delorie DOT com
Subject: Re: [geda-user] No https for pcb-rnd
In-reply-to: <63b86b32-75be-dbff-7215-e3c35c484808@fastmail.com>
References: <20210110065529 DOT A5C7E82966EF AT turkos DOT aspodata DOT se> <63b86b32-75be-dbff-7215-e3c35c484808 AT fastmail DOT com>
Message-Id: <20210110235146.CC1CE832BB6C@turkos.aspodata.se>
Date: Mon, 11 Jan 2021 00:51:46 +0100 (CET)

Girvin Herr:
> On 1/9/21 10:55 PM, karl AT aspodata DOT se [via geda-user AT delorie DOT com] wrote:
> > Girvin Herr:
> >> In the name of computer security, I am going through all of my browser
> >> bookmarks and rejecting all websites that do not support the https
> >> protocol.
> > ...
> >
> > So would a self signed certificate suffice -- since then you are using
> > "https".
> >
> > And next, what kind of security do you want ?
> > a, the middleman cannot see what you transfer
> > b, the middleman cannot change what you transfer
> > c, the middleman cannot see that you have contact or are
> > transferring (https doesn't solve that)
> > d, to be sure that the site is indeed authentic (use dns-sec for that)
> > e, something else I haven't thought about
> >
> > If you don't trust a self signed certificate, why would you trust
> > some random certificate authority and not some person writing
> > useful code that serves us well. See e.g.
> > https://www.theregister.com/2013/12/10/french_gov_dodgy_ssl_cert_reprimand/
> >
> > You know, https isn't the final answer to computer security.
> >
> > And lastly, why don't you do a simple request on the pcb-rnd mailing
> > list, what does geda-user have to do with this.
> I don't know why you are so resistant to computer security.

No, you got me wrong and you didn't answer the questions above.
If you tell us what you want to gain, it will help us make it so.

///

Regarding https, you either make a self signed certificate or buy one.
By buying one you basically tell the users that they have to trust the
certificate authority you are using. I gave you a link showing that you
shouldn't blindly trust a certificate authority, here is some more:

 https://www.bedelsecurity.com/blog/untrustworthy-certificates
 http://www.nature.com/nature/journal/v491/n7424/pdf/491325a.pdf
 https://blog.hqcodeshop.fi/archives/330-Whats-wrong-with-HTTPS-Part-2-Untrustworthy-Certificate-Authorities.html
 https://www.csoonline.com/article/2231632/eff-warns-of-untrustworthy-ssl--undetectable-surveillance.html

If you value security you should weed out the cert.auth. How many lines
do you have in your /etc/ca-certificates.conf, have you checked every
one and removed the ones who give out bogus certificates ?

> Why did I post my concern about pcb-rnd on this forum? Good question.
...

Frankly, if you want https, you should have asked nicely the one
maintaining the webserver instead of ranting about security.

Regards,
/Karl Hammar
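The mail above asks how many roots are trusted in /etc/ca-certificates.conf and whether each one has been reviewed. The script below is an added example, not code from the mail or from the gEDA/pcb-rnd projects; it assumes the file format used by the Debian/Ubuntu ca-certificates package (comment lines start with "#", a leading "!" deselects a root, every other non-empty line is an enabled root given as a path under /usr/share/ca-certificates). The CA names in the constructed sample are fictional. It parses the trust list, counts enabled roots per bundle, and rewrites the file with chosen roots deselected, which is the mechanism the package uses to drop a CA without deleting its file.

```python
"""Audit a Debian-style /etc/ca-certificates.conf trust list.

Added example, not part of the original mail. It assumes the file format
used by the Debian/Ubuntu ca-certificates package:
  - lines starting with '#' are comments
  - a line starting with '!' names a certificate that is deselected
  - every other non-empty line names an enabled certificate, as a path
    relative to /usr/share/ca-certificates
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field


@dataclass
class TrustList:
    enabled: list[str] = field(default_factory=list)
    disabled: list[str] = field(default_factory=list)


def parse_ca_conf(text: str) -> TrustList:
    """Split the conf into enabled and deselected certificate paths."""
    tl = TrustList()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            tl.disabled.append(line[1:].strip())
        else:
            tl.enabled.append(line)
    return tl


def enabled_by_bundle(tl: TrustList) -> Counter:
    """Count enabled roots per top-level directory (e.g. 'mozilla')."""
    return Counter(path.split("/", 1)[0] for path in tl.enabled)


def distrust(text: str, names: set[str]) -> str:
    """Return a new conf text with the given enabled roots deselected.

    Only the listed lines change; comments, blank lines and roots that
    are already deselected are passed through untouched.
    """
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")) and line in names:
            out.append("!" + line)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample conf; the CA names are fictional.
SAMPLE_CONF = """\
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
mozilla/Example_Global_Root.crt
mozilla/Example_Regional_Root_G2.crt
!mozilla/Already_Distrusted_Root.crt
local/Company_Internal_Root.crt
"""


def audit(text: str = SAMPLE_CONF) -> dict:
    """Summarise a conf: how many roots are trusted, and from which bundles."""
    tl = parse_ca_conf(text)
    return {
        "enabled": len(tl.enabled),
        "disabled": len(tl.disabled),
        "bundles": dict(enabled_by_bundle(tl)),
    }


if __name__ == "__main__":
    print(audit())
    trimmed = distrust(SAMPLE_CONF, {"mozilla/Example_Regional_Root_G2.crt"})
    print(audit(trimmed))
```

To run it against a real system, read /etc/ca-certificates.conf into `audit()` instead of the sample; after writing a trimmed file back, `update-ca-certificates` regenerates /etc/ssl/certs so that deselected roots stop being trusted by OpenSSL-based clients.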