[TYPO3-typo3org] Signed SSL-certificate

Dmitry Dulepov dmitry.dulepov+t3ml at gmail.com
Sun Feb 21 08:15:42 CET 2010


Hi Ingmar!

On 2010-02-18 18:21:35 +0200, Ingmar Schlecht said:
> You're sure you've read about CACert? They are in the process of getting
> included in the official Firefox.

What about MSIE, Opera, Safari?

I still do not see a reason for forcing people to import any unknown 
certificate authority root to their browsers. If a CA root comes with a 
browser, it is surely verified by a browser vendor. If it is not 
included, maybe there is a reason.

How can I be sure that cacert.org is good and secure? I am against 
importing everything that some site may request. It is a path to taking 
more and more insecure decisions later such as "Oh, this Java applet is 
signed by JohnDoe, let's allow it access to my local files! It is signed, 
so it is ok." Bad idea really...

Ingmar, it really looks like TYPO3 took this user-unfriendly step only 
to save $200 on a proper certificate. Why else would TYPO3 use a free 
unknown certificate that annoys users? As you see, this question pops 
up from time to time and devs are not happy. Forge is for devs, so why 
does the typo3.org team not want devs to be happy in this case?

What was the reason to choose an untrusted certificate for typo3.org?

-- 
Dmitry Dulepov
TYPO3 expert / TYPO3 security team member 
Read more @ http://dmitry-dulepov.com/


