Understood. Had to make a call with imperfect information. Sorry for the inconvenience. I hope we can pick up the forum stuff at the meeting in a couple days.

Ryan

On 5/7/19 4:29 PM, brynn wrote:

I'll have to be honest.  This is just my opinion.

I don't consider an expired certificate, or whatever problem it was with the certificate, to be any kind of serious problem.  I trust that the website is safe, and no serious threat will show up via untrusted certificate warning.

In my opinion, the untrusted certificate warnings are built on maximum paranoia. They truly do sound dire.  But unless  you are making some monetary transaction, or sharing files or info that should remain secure, they really can be ignored. Again, my opinion.

All best, brynn

-----Original Message----- From: C R Sent: Monday, May 06, 2019 8:32 AM To: Manuel Jesús Recena Soto Cc: inkscape-devel ; Inkscape User Community Subject: Re: [Inkscape-user] [Inkscape-devel] Vectors Meeting - Tomorrow - Possible Postponement

We are heavily using this chat across all parts of the project at the moment. Do we need to worry about stability? Thanks for any advice.

-C

On Sun, 5 May 2019, 20:04 Manuel Jesús Recena Soto, <recena@...155...> wrote:

Hello Ryan,

If you believe this chat service is critical, I suggest you to schedule a meeting with infrastructure team in order to find a better solution.

Regards,

On Sat, May 4, 2019 at 2:02 AM Ryan Gorley via Inkscape-devel inkscape-devel@lists.sourceforge.net wrote:

Hello All, Due to the certificate error on chat.inkscape.org, some individuals may be scared away from participating in our meeting tomorrow. I'm going to keep an eye on it, but if the error isn't resolved in the next couple hours I'm going to suggest we postpone our meeting one week. I'll update everyone on the status a little later.

• Ryan

---

Inkscape-devel mailing list Inkscape-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/inkscape-devel

Wow! I wonder if that could be some security setting in Chrome? I'd have to look it up to be sure, but I think it's an option in Firefox, to not load a page with an untrusted certificate. There are just so many untrusted certificates, on entirely trustworthy sites, I disabled it. I still get the warning, but the page isn't completely blocked.

Did you set a temporary exception? At least in Firefox, I got the option to set either a temporary or permanent exception, and that fixed the chat.

Or otherwise, perhaps Chrome should be notified. To my limited understanding, that doesn't seem reasonable to block the page and not give a choice.

brynn

-----Original Message----- From: C R Sent: Wednesday, May 08, 2019 1:57 PM To: Inkscape User Community Cc: Brynn ; Ryan Gorley ; inkscape-devel Subject: Re: [Inkscape-user] [Inkscape-devel] Vectors Meeting - Tomorrow - Possible Postponement

It actually broke the chat entirely in Chrome, even clicking past the warning, it still would not connect. Fyi

-C

On Tue, 7 May 2019, 23:32 Ryan Gorley via Inkscape-user, inkscape-user@lists.sourceforge.net wrote:

Understood. Had to make a call with imperfect information. Sorry for the inconvenience. I hope we can pick up the forum stuff at the meeting in a couple days.

Ryan

On 5/7/19 4:29 PM, brynn wrote: I'll have to be honest. This is just my opinion.

I don't consider an expired certificate, or whatever problem it was with the certificate, to be any kind of serious problem. I trust that the website is safe, and no serious threat will show up via untrusted certificate warning.

In my opinion, the untrusted certificate warnings are built on maximum paranoia. They truly do sound dire. But unless you are making some monetary transaction, or sharing files or info that should remain secure, they really can be ignored. Again, my opinion.

All best, brynn

-----Original Message----- From: C R Sent: Monday, May 06, 2019 8:32 AM To: Manuel Jesús Recena Soto Cc: inkscape-devel ; Inkscape User Community Subject: Re: [Inkscape-user] [Inkscape-devel] Vectors Meeting - Tomorrow - Possible Postponement

We are heavily using this chat across all parts of the project at the moment. Do we need to worry about stability? Thanks for any advice.

-C

On Sun, 5 May 2019, 20:04 Manuel Jesús Recena Soto, mailto:recena@...155... wrote:

Hello Ryan,

If you believe this chat service is critical, I suggest you to schedule a meeting with infrastructure team in order to find a better solution.

Regards,

On Sat, May 4, 2019 at 2:02 AM Ryan Gorley via Inkscape-devel mailto:inkscape-devel@lists.sourceforge.net wrote:

Hello All, Due to the certificate error on chat.inkscape.org, some individuals may be scared away from participating in our meeting tomorrow. I'm going to keep an eye on it, but if the error isn't resolved in the next couple hours I'm going to suggest we postpone our meeting one week. I'll update everyone on the status a little later.

- Ryan

_______________________________________________ Inkscape-devel mailing list Inkscape-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/inkscape-devel

_______________________________________________ Inkscape-user mailing list Inkscape-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/inkscape-user

What about websites which have no certificate at all? You just don't use them? Those websites will never have warnings about the certificate, because they don't have one. It doesn't necessarily mean that they aren't safe sites. InkscapeForum.com is one of those, fyi.

Of course we can agree to disagree :-)

All best brynn

-----Original Message----- From: C R Sent: Thursday, May 09, 2019 7:42 AM To: Brynn Cc: Inkscape User Community ; Ryan Gorley ; inkscape-devel Subject: Re: [Inkscape-user] [Inkscape-devel] Vectors Meeting - Tomorrow - Possible Postponement

No, I didn't. But I think it's important for visitors to our site to be able to trust the chat (especially one you have to sign up for and log into). I disagree that it's not a big deal.

-C

On Thu, 9 May 2019, 13:25 brynn, <brynn@...3089...> wrote: Wow! I wonder if that could be some security setting in Chrome? I'd have to look it up to be sure, but I think it's an option in Firefox, to not load a page with an untrusted certificate. There are just so many untrusted certificates, on entirely trustworthy sites, I disabled it. I still get the warning, but the page isn't completely blocked.

Did you set a temporary exception? At least in Firefox, I got the option to set either a temporary or permanent exception, and that fixed the chat.

Or otherwise, perhaps Chrome should be notified. To my limited understanding, that doesn't seem reasonable to block the page and not give a choice.

brynn

-----Original Message----- From: C R Sent: Wednesday, May 08, 2019 1:57 PM To: Inkscape User Community Cc: Brynn ; Ryan Gorley ; inkscape-devel Subject: Re: [Inkscape-user] [Inkscape-devel] Vectors Meeting - Tomorrow - Possible Postponement

It actually broke the chat entirely in Chrome, even clicking past the warning, it still would not connect. Fyi

-C

On Tue, 7 May 2019, 23:32 Ryan Gorley via Inkscape-user, inkscape-user@lists.sourceforge.net wrote:

Understood. Had to make a call with imperfect information. Sorry for the inconvenience. I hope we can pick up the forum stuff at the meeting in a couple days.

Ryan

On 5/7/19 4:29 PM, brynn wrote: I'll have to be honest. This is just my opinion.

I don't consider an expired certificate, or whatever problem it was with the certificate, to be any kind of serious problem. I trust that the website is safe, and no serious threat will show up via untrusted certificate warning.

In my opinion, the untrusted certificate warnings are built on maximum paranoia. They truly do sound dire. But unless you are making some monetary transaction, or sharing files or info that should remain secure, they really can be ignored. Again, my opinion.

All best, brynn

-----Original Message----- From: C R Sent: Monday, May 06, 2019 8:32 AM To: Manuel Jesús Recena Soto Cc: inkscape-devel ; Inkscape User Community Subject: Re: [Inkscape-user] [Inkscape-devel] Vectors Meeting - Tomorrow - Possible Postponement

We are heavily using this chat across all parts of the project at the moment. Do we need to worry about stability? Thanks for any advice.

-C

On Sun, 5 May 2019, 20:04 Manuel Jesús Recena Soto, mailto:recena@...155... wrote:

Hello Ryan,

If you believe this chat service is critical, I suggest you to schedule a meeting with infrastructure team in order to find a better solution.

Regards,

On Sat, May 4, 2019 at 2:02 AM Ryan Gorley via Inkscape-devel mailto:inkscape-devel@lists.sourceforge.net wrote:

Hello All, Due to the certificate error on chat.inkscape.org, some individuals may be scared away from participating in our meeting tomorrow. I'm going to keep an eye on it, but if the error isn't resolved in the next couple hours I'm going to suggest we postpone our meeting one week. I'll update everyone on the status a little later.

- Ryan

_______________________________________________ Inkscape-devel mailing list Inkscape-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/inkscape-devel

_______________________________________________ Inkscape-user mailing list Inkscape-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/inkscape-user

I'm just saying it's a relatively new thing to think of SSL as something that users expect of any website. A few years ago, most people never saw an untrusted certificate warning. Now they see them (and they're worded way too strongly, in my opinion) and it's like the end of the world, when just a few years ago, we never had this kind of security. We depended on our local security, rather than the website we visit.

When all websites across the internet provide SSL security, then I think we better make sure we do too. Until then, we do our best. But I don't think we need to panic, or take any kind of excessive measures. I mean, that was your original question, wasn't it, whether we need to do more? Or whether we need to worry?

I don't think we need to do either. The certificate had a problem, not the website. (Thus my concern about how the warning is worded. It leads you to think the website has a problem, when it didn't.)

At least with my own website, I haven't seen any way to be notified in advance when a problem is about to happen with a certificate. I suppose our sysadmin could look into that? But as far as I know, the sysadmin learns about it when everyone else does. Other than be notified before the certificate has a problem I don't know any non-excessive way to protect against this problem.

All best, brynn

-----Original Message----- From: C R Sent: Thursday, May 09, 2019 2:17 PM To: brynn Cc: Inkscape User Community ; Ryan Gorley ; inkscape-devel Subject: Re: [Inkscape-user] [Inkscape-devel] Vectors Meeting - Tomorrow - Possible Postponement

If there's no login, there's no problem. Anywhere I'm entering in username and passwords, and storing stuff on a server, you better believe it should have encryption. But whether or not you think we need it, we are an official project who cares about the security of our users. We depend on mutual trust, and it looks very bad when browsers reject our invalid credentials (and rightly so).

Obviously, we want our users to trust us, and having official websites and chat services fail basic security checks destroys that confidence and trust.

So yea, big deal from my perspective. :)

-C

On Thu, May 9, 2019 at 4:43 PM brynn <brynn@...3089...> wrote: What about websites which have no certificate at all? You just don't use them? Those websites will never have warnings about the certificate, because they don't have one. It doesn't necessarily mean that they aren't safe sites. InkscapeForum.com is one of those, fyi.

Of course we can agree to disagree :-)

All best brynn

-----Original Message----- From: C R Sent: Thursday, May 09, 2019 7:42 AM To: Brynn Cc: Inkscape User Community ; Ryan Gorley ; inkscape-devel Subject: Re: [Inkscape-user] [Inkscape-devel] Vectors Meeting - Tomorrow - Possible Postponement

No, I didn't. But I think it's important for visitors to our site to be able to trust the chat (especially one you have to sign up for and log into). I disagree that it's not a big deal.

-C

On Thu, 9 May 2019, 13:25 brynn, <brynn@...3089...> wrote: Wow! I wonder if that could be some security setting in Chrome? I'd have to look it up to be sure, but I think it's an option in Firefox, to not load a page with an untrusted certificate. There are just so many untrusted certificates, on entirely trustworthy sites, I disabled it. I still get the warning, but the page isn't completely blocked.

Did you set a temporary exception? At least in Firefox, I got the option to set either a temporary or permanent exception, and that fixed the chat.

Or otherwise, perhaps Chrome should be notified. To my limited understanding, that doesn't seem reasonable to block the page and not give a choice.

brynn

-----Original Message----- From: C R Sent: Wednesday, May 08, 2019 1:57 PM To: Inkscape User Community Cc: Brynn ; Ryan Gorley ; inkscape-devel Subject: Re: [Inkscape-user] [Inkscape-devel] Vectors Meeting - Tomorrow - Possible Postponement

It actually broke the chat entirely in Chrome, even clicking past the warning, it still would not connect. Fyi

-C

On Tue, 7 May 2019, 23:32 Ryan Gorley via Inkscape-user, inkscape-user@lists.sourceforge.net wrote:

Understood. Had to make a call with imperfect information. Sorry for the inconvenience. I hope we can pick up the forum stuff at the meeting in a couple days.

Ryan

On 5/7/19 4:29 PM, brynn wrote: I'll have to be honest. This is just my opinion.

I don't consider an expired certificate, or whatever problem it was with the certificate, to be any kind of serious problem. I trust that the website is safe, and no serious threat will show up via untrusted certificate warning.

In my opinion, the untrusted certificate warnings are built on maximum paranoia. They truly do sound dire. But unless you are making some monetary transaction, or sharing files or info that should remain secure, they really can be ignored. Again, my opinion.

All best, brynn

-----Original Message----- From: C R Sent: Monday, May 06, 2019 8:32 AM To: Manuel Jesús Recena Soto Cc: inkscape-devel ; Inkscape User Community Subject: Re: [Inkscape-user] [Inkscape-devel] Vectors Meeting - Tomorrow - Possible Postponement

We are heavily using this chat across all parts of the project at the moment. Do we need to worry about stability? Thanks for any advice.

-C

On Sun, 5 May 2019, 20:04 Manuel Jesús Recena Soto, mailto:recena@...155... wrote:

Hello Ryan,

If you believe this chat service is critical, I suggest you to schedule a meeting with infrastructure team in order to find a better solution.

Regards,

On Sat, May 4, 2019 at 2:02 AM Ryan Gorley via Inkscape-devel mailto:inkscape-devel@lists.sourceforge.net wrote:

Hello All, Due to the certificate error on chat.inkscape.org, some individuals may be scared away from participating in our meeting tomorrow. I'm going to keep an eye on it, but if the error isn't resolved in the next couple hours I'm going to suggest we postpone our meeting one week. I'll update everyone on the status a little later.

- Ryan

_______________________________________________ Inkscape-devel mailing list Inkscape-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/inkscape-devel

_______________________________________________ Inkscape-user mailing list Inkscape-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/inkscape-user

Hi all,

On Fri, May 10, 2019 at 10:11 AM Ryan Gorley via Inkscape-user inkscape-user@lists.sourceforge.net wrote:

Offering a website connection over an encrypted HTTPS path isn't just about protecting credit card numbers or passwords anymore. Encryption protects a visitor from unwanted snooping and tampering by anyone along the worldwide network between that user's computer and the website's host. To illustrate, my ISP began injecting popup notices on my screen without my consent during casual web browsing (only on HTTP sites) when I was approaching their monthly usage limit. I'm sure they are scraping and selling every bit of information about me that they can whenever I visit and interact with an unencrypted site. No doubt the dozens of others (ISPs, employers, governments) who handle my information are doing the same. I don't think there is a great argument to be made for not offering this protection to our visitors if we can--which we do.

I have to admit that I'm not involved in what you're discussing -- I'm actually just watching the messages come in. But this thread has gone on long enough that it caught my attention and I started reading it.

I guess everyone can offer their 2 cents into this discussion. I guess encrypted HTTPS will be more and more common in the years ahead and yes, it might even become the default. Just a few years ago, I was running a WordPress-based web site with HTTPS. Everything was fine, but *one* unmaintained plugin made it impossible. (It didn't accept URLs with "https".) As time passes, HTTPS will so common that something like this won't occur. But I don't think we're there just yet... We're in some transition period and I think (as IT professionals), we have to accept that and just explain it to users. The fact is, we could have used another plugin; but we did not have the resources to write a competing plugin to get it working. I think I'd be shell-shocked if a user came up to me and said "we didn't care about them".

I guess we can argue in circles and as someone who isn't involved in all the great work you all are doing, I shouldn't say too much. But allow me to digress with an analogy. Where I am currently living, I occasionally see people wrap their fingers with a tissue before they push an elevator button. And just recently, I heard of someone who wipes their kitchen down with alcohol every evening. Now, perhaps there is one or two of you that completely agree with them; but sometimes, I wished some (medical?) professional would come in and say that the former isn't necessary unless you had an open cut on your finger (they did not). Or, s/he should say that a clean kitchen is great, but daily cleansing with an alcohol will lower one's own immunity; and that's ignoring the problem of breathing in fumes every day from disinfectant alcohol.

As for your last sentence in the paragraph above, you said, "I don't think there is a great argument ... for not offering this protection". I can think of one, but along the lines of my analogy. When I see someone hit the elevator button with a tissue-covered finger, I think to myself, "I don't think I want to hang around with someone like that." (Rest assured, they probably don't want to hang around me unless they need someone to hit the elevator buttons for them everywhere they go!)

These two stories aren't exactly the same as HTTPS, but it's what I first thought of as I skimmed over this thread. Apologies for the interruption!

Ray