Offering a website connection over an encrypted HTTPS path isn't just about protecting credit card numbers or passwords anymore. Encryption protects a visitor from unwanted snooping and tampering by anyone along the worldwide network between that user's computer and the website's host. To illustrate, my ISP began injecting popup notices on my screen without my consent during casual web browsing (only on HTTP sites) when I was approaching their monthly usage limit. I'm sure they are scraping and selling every bit of information about me that they can whenever I visit and interact with an unencrypted site. No doubt the dozens of others (ISPs, employers, governments) who handle my information are doing the same. I don't think there is a great argument to be made for not offering this protection to our visitors if we can--which we do.

To the issue at hand, our TLS certificate for chat.inkscape.org is issued by Let's Encrypt. The certificate is offered free-of-charge, but it expires more frequently than alternatives. Fortunately it's pretty easy to set such certificates up to renew automatically. When they are about to expire, the Let's Encrypt organization will automatically email a notice to the admin so they can renew manually if necessary. In this case the automatic renewal must have failed (or wasn't set up yet) and the email notification went unnoticed. It was a perfect storm. I don't expect this is something that will happen frequently. If it hadn't happened the day prior to a planned meeting, it wouldn't have been noteworthy. Browsers make a big deal about certificates being invalid in one way or another. Many people don't know how to even circumvent these notices, because in most cases they probably shouldn't. The Rocket.Chat app simply became inoperable when the certificate expired.

Recena, Bryce, and others have been doing fantastic work on our new infrastructure. The chat service has been up for months, and renewed many times, without issue. I don't think we need to worry too much about it. On the bright side, it gave me a chance to complain about Comcast in this email. I think that alone offset the inconvenience of moving a meeting. Though, now that I think about it, this email is also traveling unencrypted. Who knows what may happen before it reaches you. ;)

Ryan

On 5/9/19 6:33 PM, brynn wrote:
I'm just saying it's a relatively new thing to think of SSL as something that users expect of any website.  A few years ago, most people never saw an untrusted certificate warning.  Now they see them (and they're worded way too strongly, in my opinion) and it's like the end of the world, when just a few years ago, we never had this kind of security.  We depended on our local security, rather than the website we visit.

When all websites across the internet provide SSL security, then I think we better make sure we do too.  Until then, we do our best.  But I don't think we need to panic, or take any kind of excessive measures.  I mean, that was your original question, wasn't it, whether we need to do more?  Or whether we need to worry?

I don't think we need to do either.  The certificate had a problem, not the website.  (Thus my concern about how the warning is worded.  It leads you to think the website has a problem, when it didn't.)

At least with my own website, I haven't seen any way to be notified in advance when a problem is about to happen with a certificate.  I suppose our sysadmin could look into that?  But as far as I know, the sysadmin learns about it when everyone else does.  Other than being notified before the certificate has a problem, I don't know any non-excessive way to protect against this problem.

All best,
brynn


-----Original Message-----
From: C R
Sent: Thursday, May 09, 2019 2:17 PM
To: brynn
Cc: Inkscape User Community ; Ryan Gorley ; inkscape-devel
Subject: Re: [Inkscape-user] [Inkscape-devel] Vectors Meeting - Tomorrow - Possible Postponement


If there's no login, there's no problem.
Anywhere I'm entering in username and passwords, and storing stuff on a server, you better believe it should have encryption.
But whether or not you think we need it, we are an official project who cares about the security of our users. We depend on mutual trust, and it looks very bad when browsers reject our invalid credentials (and rightly so).

Obviously, we want our users to trust us, and having official websites and chat services fail basic security checks destroys that confidence and trust.

So yeah, big deal from my perspective. :)

-C



On Thu, May 9, 2019 at 4:43 PM brynn <brynn@...3133...> wrote:
What about websites which have no certificate at all?  You just don't use them?
Those websites will never have warnings about the certificate, because they
don't have one.  It doesn't necessarily mean that they aren't safe sites.
InkscapeForum.com is one of those, fyi.

Of course we can agree to disagree :-)

All best
brynn

-----Original Message-----
From: C R
Sent: Thursday, May 09, 2019 7:42 AM
To: Brynn
Cc: Inkscape User Community ; Ryan Gorley ; inkscape-devel
Subject: Re: [Inkscape-user] [Inkscape-devel] Vectors Meeting - Tomorrow -
Possible Postponement


No, I didn't. But I think it's important for visitors to our site to be able to
trust the chat (especially one you have to sign up for and log into). I disagree
that it's not a big deal.

-C



On Thu, 9 May 2019, 13:25 brynn, <brynn@...3133...> wrote:
Wow!  I wonder if that could be some security setting in Chrome?  I'd have to
look it up to be sure, but I think it's an option in Firefox, to not load a page
with an untrusted certificate.  There are just so many untrusted certificates,
on entirely trustworthy sites, I disabled it.  I still get the warning, but the
page isn't completely blocked.

Did you set a temporary exception?  At least in Firefox, I got the option to set
either a temporary or permanent exception, and that fixed the chat.

Or otherwise, perhaps Chrome should be notified.  To my limited understanding,
that doesn't seem reasonable to block the page and not give a choice.

brynn

-----Original Message-----
From: C R
Sent: Wednesday, May 08, 2019 1:57 PM
To: Inkscape User Community
Cc: Brynn ; Ryan Gorley ; inkscape-devel
Subject: Re: [Inkscape-user] [Inkscape-devel] Vectors Meeting - Tomorrow -
Possible Postponement


It actually broke the chat entirely in Chrome, even clicking past the warning,
it still would not connect. Fyi

-C


On Tue, 7 May 2019, 23:32 Ryan Gorley via Inkscape-user,
<inkscape-user@lists.sourceforge.net> wrote:


Understood. Had to make a call with imperfect information. Sorry for the
inconvenience. I hope we can pick up the forum stuff at the meeting in a couple
days.


Ryan

On 5/7/19 4:29 PM, brynn wrote:
I'll have to be honest.  This is just my opinion.

I don't consider an expired certificate, or whatever problem it was with the
certificate, to be any kind of serious problem.  I trust that the website is
safe, and no serious threat will show up via untrusted certificate warning.

In my opinion, the untrusted certificate warnings are built on maximum paranoia.
They truly do sound dire.  But unless you are making some monetary transaction,
or sharing files or info that should remain secure, they really can be ignored.
Again, my opinion.

All best,
brynn

-----Original Message-----
From: C R
Sent: Monday, May 06, 2019 8:32 AM
To: Manuel Jesús Recena Soto
Cc: inkscape-devel ; Inkscape User Community
Subject: Re: [Inkscape-user] [Inkscape-devel] Vectors Meeting - Tomorrow -
Possible Postponement


We are heavily using this chat across all parts of the project at the moment. Do
we need to worry about stability? Thanks for any advice.

-C


On Sun, 5 May 2019, 20:04 Manuel Jesús Recena Soto, <recena@...400...>
wrote:

Hello Ryan,

If you believe this chat service is critical, I suggest you schedule a
meeting with the infrastructure team in order to find a better solution.

Regards,


On Sat, May 4, 2019 at 2:02 AM Ryan Gorley via Inkscape-devel
<inkscape-devel@lists.sourceforge.net> wrote:


Hello All,
Due to the certificate error on chat.inkscape.org, some individuals may be
scared away from participating in our meeting tomorrow. I'm going to keep an eye
on it, but if the error isn't resolved in the next couple hours I'm going to
suggest we postpone our meeting one week. I'll update everyone on the status a
little later.

- Ryan


