Offering a website connection over an encrypted HTTPS path isn't just about protecting credit card numbers or passwords anymore. Encryption protects a visitor from unwanted snooping and tampering by anyone along the worldwide network between that user's computer and the website's host. To illustrate, my ISP began injecting popup notices on my screen without my consent during casual web browsing (only on HTTP sites) when I was approaching their monthly usage limit. I'm sure they are scraping and selling every bit of information about me that they can whenever I visit and interact with an unencrypted site. No doubt the dozens of others(ISPs, employers, governments) who handle my information are doing the same. I don't think there is a great argument to be made for /not/ offering this protection to our visitors if we can--which we do.
To the issue at hand, our TLS certificate for chat.inkscape.org is issued by Let's Encrypt. The certificate is offered free-of-charge, but it expires more frequently than alternatives. Fortunately it's pretty easy to set such certificates up to renew automatically. When they are about to expire the Let's Encrypt organization will automatically email a notice to the admin so they can renew manually if necessary. In this case the automatic renewal must have failed (or wasn't setup yet) and the email notification went unnoticed. It was a perfect storm. I don't expect this is something that will happen frequently. If it hadn't happened the day prior to a planned meeting, it wouldn't have been noteworthy. Browsers make a big deal about certificates being invalid in one way or another. Many people don't know how to even circumvent these notices, because in most cases they probably shouldn't. The Rocket.Chat app simply became inoperable when the certificate expired.
Recena, Bryce, and others have been doing fantastic work on our new infrastructure. The chat service has been up for months, and renewed many times, without issue. I don't think we need to worry too much about it. On the bright side, it gave me a chance to complain about Comcast in this email. I think that alone offset the inconvenience of moving a meeting. Though, now that I think about it, this email is also traveling unencrypted. Who knows what may happen before it reaches you. ;)
Ryan
On 5/9/19 6:33 PM, brynn wrote:
I'm just saying it's a relatively new thing to think of SSL as something that users expect of any website. A few years ago, most people never saw an untrusted certificate warning. Now they see them (and they're worded way too strongly, in my opinion) and it's like the end of the world, when just a few years ago, we never had this kind of security. We depended on our local security, rather than the website we visit.
When all websites across the internet provide SSL security, then I think we better make sure we do too. Until then, we do our best. But I don't think we need to panic, or take any kind of excessive measures. I mean, that was your original question, wasn't it, whether we need to do more? Or whether we need to worry?
I don't think we need to do either. The certificate had a problem, not the website. (Thus my concern about how the warning is worded. It leads you to think the website has a problem, when it didn't.)
At least with my own website, I haven't seen any way to be notified in advance when a problem is about to happen with a certificate. I suppose our sysadmin could look into that? But as far as I know, the sysadmin learns about it when everyone else does. Other than be notified before the certificate has a problem I don't know any non-excessive way to protect against this problem.
All best, brynn
-----Original Message----- From: C R Sent: Thursday, May 09, 2019 2:17 PM To: brynn Cc: Inkscape User Community ; Ryan Gorley ; inkscape-devel Subject: Re: [Inkscape-user] [Inkscape-devel] Vectors Meeting - Tomorrow - Possible Postponement
If there's no login, there's no problem. Anywhere I'm entering in username and passwords, and storing stuff on a server, you better believe it should have encryption. But whether or not you think we need it, we are an official project who cares about the security of our users. We depend on mutual trust, and it looks very bad when browsers reject our invalid credentials (and rightly so).
Obviously, we want our users to trust us, and having official websites and chat services fail basic security checks destroys that confidence and trust.
So yea, big deal from my perspective. :)
-C
On Thu, May 9, 2019 at 4:43 PM brynn <brynn@...3089...> wrote: What about websites which have no certificate at all? You just don't use them? Those websites will never have warnings about the certificate, because they don't have one. It doesn't necessarily mean that they aren't safe sites. InkscapeForum.com is one of those, fyi.
Of course we can agree to disagree :-)
All best brynn
-----Original Message----- From: C R Sent: Thursday, May 09, 2019 7:42 AM To: Brynn Cc: Inkscape User Community ; Ryan Gorley ; inkscape-devel Subject: Re: [Inkscape-user] [Inkscape-devel] Vectors Meeting - Tomorrow - Possible Postponement
No, I didn't. But I think it's important for visitors to our site to be able to trust the chat (especially one you have to sign up for and log into). I disagree that it's not a big deal.
-C
On Thu, 9 May 2019, 13:25 brynn, <brynn@...3089...> wrote: Wow! I wonder if that could be some security setting in Chrome? I'd have to look it up to be sure, but I think it's an option in Firefox, to not load a page with an untrusted certificate. There are just so many untrusted certificates, on entirely trustworthy sites, I disabled it. I still get the warning, but the page isn't completely blocked.
Did you set a temporary exception? At least in Firefox, I got the option to set either a temporary or permanent exception, and that fixed the chat.
Or otherwise, perhaps Chrome should be notified. To my limited understanding, that doesn't seem reasonable to block the page and not give a choice.
brynn
-----Original Message----- From: C R Sent: Wednesday, May 08, 2019 1:57 PM To: Inkscape User Community Cc: Brynn ; Ryan Gorley ; inkscape-devel Subject: Re: [Inkscape-user] [Inkscape-devel] Vectors Meeting - Tomorrow - Possible Postponement
It actually broke the chat entirely in Chrome, even clicking past the warning, it still would not connect. Fyi
-C
On Tue, 7 May 2019, 23:32 Ryan Gorley via Inkscape-user, inkscape-user@lists.sourceforge.net wrote:
Understood. Had to make a call with imperfect information. Sorry for the inconvenience. I hope we can pick up the forum stuff at the meeting in a couple days.
Ryan
On 5/7/19 4:29 PM, brynn wrote: I'll have to be honest. This is just my opinion.
I don't consider an expired certificate, or whatever problem it was with the certificate, to be any kind of serious problem. I trust that the website is safe, and no serious threat will show up via untrusted certificate warning.
In my opinion, the untrusted certificate warnings are built on maximum paranoia. They truly do sound dire. But unless you are making some monetary transaction, or sharing files or info that should remain secure, they really can be ignored. Again, my opinion.
All best, brynn
-----Original Message----- From: C R Sent: Monday, May 06, 2019 8:32 AM To: Manuel Jesús Recena Soto Cc: inkscape-devel ; Inkscape User Community Subject: Re: [Inkscape-user] [Inkscape-devel] Vectors Meeting - Tomorrow - Possible Postponement
We are heavily using this chat across all parts of the project at the moment. Do we need to worry about stability? Thanks for any advice.
-C
On Sun, 5 May 2019, 20:04 Manuel Jesús Recena Soto, mailto:recena@...155... wrote:
Hello Ryan,
If you believe this chat service is critical, I suggest you to schedule a meeting with infrastructure team in order to find a better solution.
Regards,
On Sat, May 4, 2019 at 2:02 AM Ryan Gorley via Inkscape-devel mailto:inkscape-devel@lists.sourceforge.net wrote:
Hello All, Due to the certificate error on chat.inkscape.org, some individuals may be scared away from participating in our meeting tomorrow. I'm going to keep an eye on it, but if the error isn't resolved in the next couple hours I'm going to suggest we postpone our meeting one week. I'll update everyone on the status a little later.
- Ryan
Inkscape-devel mailing list Inkscape-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/inkscape-devel
Inkscape-user mailing list Inkscape-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/inkscape-user