Hi guys,
I know that there is this amazing initiative out there called "Let's Encrypt" to enable a lot of sites to become HTTPS.
Quoted from their own website:
"*To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol https://ietf-wg-acme.github.io/acme/, which typically runs on your web host.*"
If I got things right, they offer a free valid certificate. I know it must probably be expensive for us to enable this on our side (even though it would give us even more credibility as an official website for the project).
So... I was just wondering if this is doable from our perspective? Do we have an option to enable this on our side? Is it simple (it never is), is it expensive?
Just wondering.
--Victor Westmann
On Friday, 5 May 2017, 21:33:24 CEST, Victor Westmann wrote:
> Hi guys,
> I know that there is this amazing initiative out there called "Let's Encrypt" to enable a lot of sites to become HTTPS.
> Quoted from their own website:
> "*To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol https://ietf-wg-acme.github.io/acme/, which typically runs on your web host.*"
> If I got things right, they offer a free valid certificate. I know it must probably be expensive for us to enable this on our side (even though it would give us even more credibility as an official website for the project).
> So... I was just wondering if this is doable from our perspective? Do we have an option to enable this on our side? Is it simple (it never is), is it expensive?

It's not expensive and in general it's simple. I am using letsencrypt certs on several servers already. However, inkscape.org already has an SSL cert valid until October 2019, so for the time being there is no need to change anything.

> Just wondering.
> --Victor Westmann

Tobias
Hi Victor,
we do already use https for the inkscape.org website.
Try it: https://inkscape.org
Which other website would you like to see the Let's Encrypt certificate for?
(yes, it's easy and it's free)
Maren
Thank you Maren and Tobias
For pointing this out. I was not so sure. Sometimes I am visiting the inkscape website and I noticed it points to the http version instead of the https one.
Great to hear this. I rest my case. :)
Victor Westmann
Is it an option to automatically redirect to https?
On Sat, 2017-05-06 at 17:43 +0000, Miguel Lopez wrote:
> Is it an option to automatically redirect to https?

It already does this, try and go to http://inkscape.org
Hi to all, I've just heard about this initiative. It seems something positive but after a first thought I couldn't help asking: why? What is the purpose to secure a public connection on which no sensitive data flow? I've had some sporadic errors with Firefox when connecting to HTTPS sites because of expired certificates and I was only trying to connect to them coming from Google so to see their contents for the first time, which doesn't involve sending sensitive data that deserve encryption; so in those cases the useless HTTPS layer only prevented me from accessing the service.
I'm probably missing some point that makes this really interesting. Is it just a trend?
Regards. Luca
Well here's one good reason:
https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-hij...
tl;dr: If you use http, anyone can 'man in the middle' the connection and insert almost anything. And they do.
See also https://www.eff.org/encrypt-the-web
regards
Dan
On Monday, 8 May 2017, 01:44:11 CEST, LucaDC wrote:
> [...]
> asking: why? What is the purpose to secure a public connection on which no sensitive data flow?

Because it's no one's business if there is sensitive data flowing. Only encrypting the few cases where the data is sensitive will signal everyone listening that something is going on. Encrypting everything will make the sensitive events be drowned in a sea of noise.

> [...]
> I'm probably missing some point that makes this really interesting. Is it just a trend?

I hope not, it's the sane thing to do.

> Regards. Luca

Tobias
Additional: To my understanding, there is sensitive data flowing. The Inkscape website allows people to log in, share their email addresses and social handles, upload Inkscape source code and binaries, as well as Inkscape extensions and other stuff.
I sure hope that the upload forms send their data encrypted, else (to my understanding) it wouldn't be hard to exchange the files during upload and we could possibly distribute binaries that have been tampered with.
Maren
Thanks Daniel, Tobias and Maren for your replies.
I see there is reason behind, but I'm still not completely convinced. Data integrity should be guaranteed between end points through a verification mechanism, not relying on the transmission channel robustness (or absence of interference): encrypting/decrypting can be a way but a separate checksum could be just as good and it should always be the way for distributed binaries, because corruption could happen before encryption or while saving the file on the receiving computer's hard disk, after the browser has decrypted data. The point about drowning sensitive data into a sea of noise has the weakness of providing more material for decrypters so the chance to break in may even become higher.
Surely, if today's resources make HTTPS' overhead negligible, one could say: why not? Even if it proved useless, the wasted effort would be minimal. While legitimate, that's not exactly the way I think.
In any case, I see that this is quite a recent topic that's being discussed a lot all around. I'm not an expert so I think I'll sit down and see as it develops.
Luca
On 09.05.2017 at 13:16, LucaDC wrote: ...
> encrypting/decrypting can be a way but a separate checksum could be just as good and it should always be the way for distributed binaries, because corruption could happen before encryption or while saving the file on the receiving computer's hard disk, after the browser has decrypted data.

- We do both. Uploads can be signed or 'checksummed' by the uploader.

Maren
On Tue, 2017-05-09 at 15:22 +0200, Maren Hachmann wrote:
> On 09.05.2017 at 13:16, LucaDC wrote: ...
> > encrypting/decrypting can be a way but a separate checksum could be just as good and it should always be the way for distributed binaries, because corruption could happen before encryption or while saving the file on the receiving computer's hard disk, after the browser has decrypted data.
>
> - We do both. Uploads can be signed or 'checksummed' by the uploader.

This checksum (md5) or preferably gnupg signature is checked by the server and the upload is marked as verified automatically. This ensures at least the upload is correct. For the download the user can download the same signature or md5 and check their copy too.
Martin,
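An added example, not part of the original thread and not the Inkscape website's code: it verifies a file against an md5sum/sha256sum-style line, as in the download check described above, and models with constructed data what that check catches when the checksum arrives over the same unauthenticated channel as the file versus over an authenticated one (HTTPS or a verified GnuPG signature). The function names and the file name `release.tar.gz` are hypothetical.

```python
import hashlib
import hmac

# Hex digest length -> algorithm, for md5sum / sha256sum style lines.
ALGO_BY_HEXLEN = {32: "md5", 64: "sha256"}


def checksum_line(data: bytes, name: str, algo: str = "sha256") -> str:
    """Produce '<hexdigest>  <name>' the way md5sum/sha256sum print it."""
    return f"{hashlib.new(algo, data).hexdigest()}  {name}"


def verify(data: bytes, line: str) -> bool:
    """Check data against one checksum line; reject malformed digests."""
    digest = line.strip().partition(" ")[0].lower()
    algo = ALGO_BY_HEXLEN.get(len(digest))
    if algo is None or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("unrecognised checksum line")
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, digest)


def simulate_download(tamper_file: bool, tamper_checksum: bool) -> dict:
    """Constructed scenario: a party on the path may rewrite what is fetched."""
    original = b"constructed release bytes 1.0\n"          # what was published
    modified = b"constructed release bytes 1.0 + extra\n"  # what gets substituted
    published = checksum_line(original, "release.tar.gz")  # hypothetical file name

    got_file = modified if tamper_file else original
    # If the checksum travels the same path, it can be recomputed to match.
    got_sum = checksum_line(got_file, "release.tar.gz") if tamper_checksum else published
    return {
        # Checksum fetched over the same unauthenticated channel as the file.
        "same_channel": verify(got_file, got_sum),
        # Checksum obtained over an authenticated channel (HTTPS, verified signature).
        "authenticated": verify(got_file, published),
    }


if __name__ == "__main__":
    for case in [(False, False), (True, False), (True, True)]:
        print(case, simulate_download(*case))
```

In the last case the same-channel check passes even though the file was replaced, which is why the checksum itself has to come over TLS or be covered by a signature.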
Slightly off topic, but TLS is a must: so many things can go wrong with unencrypted sites, and the major web browsers have, in their respective latest releases, started to mark all non-encrypted websites with a login form as "Insecure".
SSLlabs is the go to place for all SSL/TLS tests ;)
https://www.ssllabs.com/ssltest/analyze.html?d=www.inkscape.org
...and for those who are really interested in the topic of SSL/TLS I recommend the book "Bulletproof SSL and TLS" as well as the newsletter at [1,2]
[1] https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
[2] https://www.feistyduck.com/bulletproof-tls-newsletter/
participants (8)
- Christoffer Holmstedt
- Daniel Mulholland
- LucaDC
- Maren Hachmann
- Martin Owens
- Miguel Lopez
- Tobias Ellinghaus
- Victor Westmann