1. Forum
  2. TildeVerse
  3. tilde.institute

  • Cannot access ~institute website -- certificate has expired?

    From Annada Behera@annada@tilde.green to tilde.institute on Wed Sep 11 18:37:29 2024
    Howdy institution users and admins,
    I cannot access tilde.institute because my browser says that either the certificate has expired or some is man-in-the-middle attack the website.
    Just want to make sure that I am not the only one.
    Sincerely,
    Annada
    --- Synchronet 3.19b-Linux NewsLink 1.113
  • From yeti@yeti@tilde.institute to tilde.institute on Wed Sep 11 14:17:56 2024
    Annada Behera <annada@tilde.green> writes:

    I cannot access tilde.institute because my browser says that either the certificate has expired or some is man-in-the-middle attack the website.
    Just want to make sure that I am not the only one.

    I mentioned this in their IRC channel.
    --
    This stealth signature intentionally left blank.
    --- Synchronet 3.19b-Linux NewsLink 1.113
  • From barnold@barnold@tilde.club to tilde.institute on Thu Sep 12 01:53:50 2024
    On 2024-09-11 Wed 13:07 GMT, Annada Behera <annada@tilde.green> wrote:
    Just want to make sure that I am not the only one.

    You're not.
    <https://michael.orlitzky.com/articles/lets_not_encrypt.xhtml>
    seems relevant here.

    Sincerely,
    Annada
    --
    barnold
    Money can't buy happiness, but it can make you awfully comfortable while
    you're being miserable.
    -- C. B. Luce
    --- Synchronet 3.19b-Linux NewsLink 1.113
  • From Annada Behera@annada@tilde.green to tilde.institute on Thu Sep 12 11:34:21 2024
    On 2024-09-11 Wed 13:07 GMT, Annada Behera <annada@tilde.green> wrote:
    Just want to make sure that I am not the only one.

    You're not.
    <https://michael.orlitzky.com/articles/lets_not_encrypt.xhtml>
    seems relevant here.
    Didn't know that certificate signing authorities are scammy. That was a eye-opening article. Thank you for sharing. At this all the propaganda
    around `switch to HTTPS' makes sense, just like they did to push systemd
    back in 2014. Hope we can go back to HTTP, atleast in tildeverse.
    Update 2023-11-05: Yeah, I've got an LE cert now. And I don't want to
    talk about it.
    LOL.
    --- Synchronet 3.19b-Linux NewsLink 1.113
  • From yeti@yeti@tilde.institute to tilde.institute on Fri Sep 13 05:12:47 2024
    yeti <yeti@tilde.institute> writes:

    Annada Behera <annada@tilde.green> writes:

    I cannot access tilde.institute because my browser says that either the
    certificate has expired or some is man-in-the-middle attack the website.
    Just want to make sure that I am not the only one.

    I mentioned this in their IRC channel.

    One line from IRC/#institute ...

    03:13:03 ~gbmor │ yeti: fixed the cert

    ... and indeed the httpd does its funny(?) S things again.
    --
    3. Hitchhiker 31: (18) At least, if it wasn't real, it did support them,
    and as that is what sofas are supposed to do, this, by any test that
    mattered, was a real sofa.
    --- Synchronet 3.19b-Linux NewsLink 1.113
  • From jmjl@jmjl@tilde.green to tilde.institute on Tue Oct 29 19:57:37 2024
    On 2024-09-12, Annada Behera <annada@tilde.green> wrote:
    Hope we can go back to HTTP, atleast in tildeverse.

    There are some advantages to HTTPS (even when using your own self-signed
    cert), like the traffic being encrypted, which Michael has written
    about[1].

    [MO] Completely unsecured, plain HTTP. No browser warning at all!

    If you use something like HTTPS everywhere you get warning too, but most
    people aren't installing these types of extensions.

    [MO] Self-signed certificate, provides encryption only. Big red warning!

    I partially understand why this would be, as you wouldn't want someone to
    be able to MITM someone else, and not have the end-user (someone else) be notified, but is acceptable for most use cases to not have a self-signed
    cert, and more when the browser doesn't explain it clearly and the user
    isn't trained with this kind of knowledge.

    As the author states in that article[2], most sites don't **need**
    certificates or encryption.

    Yes, it's helpful for the encryption being available, as if it's
    encrypted your ISP only knows that you're accessing that domain, and in
    some cases (Encrypted Client Hello + DNS over HTTPS) they know even less.

    But as currently adopted we're relying on CAs which may very well issue
    false certs + Having government made non-constrained to their ccTLD CAs that are
    required to be trusted[3], more or less doesn't affect the situation, yes it does technically a little bit, since it has technically allows the EU to
    do MITM if they want, but doesn't much as they probably could just take
    the keys from some CA that must obey subpoenas of the EU.

    [MO] CA-signed certificate, provides encryption and “authentication.”
    No warning.

    Yeah, technically authenticated, any CA could have signed it so still
    allows the possibility of MITM at least for now, and if Certificate Transparency is fully implemented, we'd be able to view and monitor after
    the fact those certificates[4], which could make detecting it easier, if
    it's a MITM on a local network level that doesn't expand too much, and
    doesn't affect the BGP routes of a monitoring system, so the system that
    is doing monitoring doesn't get MITMed.

    [1] https://michael.orlitzky.com/articles/in_defense_of_self-signed_certificates.xhtml
    [2] https://michael.orlitzky.com/articles/lets_not_encrypt.xhtml
    [3] https://last-chance-for-eidas.org/
    Oh, well, they didn't update the website with information about what
    happened. And I can't be bothered to search it up.
    [4] https://groups.google.com/g/certificate-transparency/c/Dopv9mwbh2g/m/sJjoOBVlBAAJ
    --
    ~jmjl
    --- Synchronet 3.19b-Linux NewsLink 1.113