[TYPO3-typo3org] Signed SSL-certificate

Dmitry Dulepov dmitry.dulepov+t3ml at gmail.com
Sun Feb 21 08:15:42 CET 2010

Hi Ingmar!

On 2010-02-18 18:21:35 +0200, Ingmar Schlecht said:
> You're sure you've read about CACert? They are in the process of getting
> included in the official Firefox.

What about MSIE, Opera, Safari?

I still do not see a reason for forcing people to import any unknown 
certificate authority root to their browsers. If CA root comes with a 
browser, it is surely verified by a browser vendor. If it is not 
included, may be there is a reason.

How can I be sure that cacert.org is good and secure? I am against 
importing everything that some site may request. It is a path to taking 
more and more insecure decisions later such as "Oh, this Java applet is 
signed by JohnDoe, let's allow it access to my local files! It signed, 
so it is ok." Bad idea really...

Ingmar, it really looks that TYPO3 took this user–unfriendly step only 
to save $200 on a proper certificate. Why else would TYPO3 use a free 
unknown certificate that annoys users? As you see, this question pops 
up from time to time and devs are not happy. Forge is for devs, so why 
typo3.org team does not want devs to be happy in this case?

What was the reason to choose an untrusted certificate for typo3.org?

Dmitry Dulepov
TYPO3 expert / TYPO3 security team member 
Read more @ http://dmitry-dulepov.com/

More information about the TYPO3-team-typo3org mailing list