Let's encrypt: is this possible?

Let's encrypt: is this possible?

Victor Westmann
Hi guys,

I know that there is this amazing initiative out there called "Lets Encrypt" to enable a lot of sites to become HTTPS.

Quoted from their own website:

"To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the ACME protocol, which typically runs on your web host."

If I got things right, they offer a free valid certificate. I know it must probably be expensive for us to enable this on our side (even though would give us even more credibility as an official website for the project).

So... I was just wondering if this is doable from our perspective?
Do we have an option to enable this on our side? Is it simple (it never is), is it expensive?

https://letsencrypt.org/

Just wondering.


--Victor Westmann


Re: Let's encrypt: is this possible?

Tobias Ellinghaus
On Friday, 5 May 2017, 21:33:24 CEST, Victor Westmann wrote:

> Hi guys,
>
> I know that there is this amazing initiative out there called "Lets
> Encrypt" to enable a lot of sites to become HTTPS.
>
> Quoted from their own website:
>
> "*To enable HTTPS on your website, you need to get a certificate (a type of
> file) from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to
> get a certificate for your website’s domain from Let’s Encrypt, you have to
> demonstrate control over the domain. With Let’s Encrypt, you do this using
> software that uses the ACME protocol
> <https://ietf-wg-acme.github.io/acme/>, which typically runs on your web
> host.*"
>
> If I got things right, they offer a free valid certificate. I know it must
> probably be expensive for us to enable this on our side (even though would
> give us even more credibility as an official website for the project).
>
> So... I was just wondering if this is doable from our perspective?
> Do we have an option to enable this on our side? Is it simple (it never
> is), is it expensive?

It's not expensive and in general it's simple. I am using letsencrypt certs on
several servers already. However, inkscape.org already has an SSL cert valid
until October 2019, so for the time being there is no need to change anything.

> https://letsencrypt.org/
>
> Just wondering.
>
>
> --Victor Westmann

Tobias

Re: Let's encrypt: is this possible?

Maren Hachmann
In reply to this post by Victor Westmann
Hi Victor,

we do already use https for the inkscape.org website.

Try it: https://inkscape.org

Which other website would you like to see the Let's Encrypt certificate for?

(yes, it's easy and it's free)

Maren


Re: Let's encrypt: is this possible?

Victor Westmann

Thank you Maren and Tobias

For pointing this out. I was not so sure. Sometimes I am visiting the inkscape website and I noticed it points to the http version instead of the https one.

Great to hear this. I rest my case. :)

Victor Westmann


Re: Let's encrypt: is this possible?

Miguel Lopez

Is it an option to automatically redirect to https?



Re: Let's encrypt: is this possible?

Martin Owens-2
On Sat, 2017-05-06 at 17:43 +0000, Miguel Lopez wrote:
> Is it an option to automatically redirect to https?

It already does this, try and go to http://inkscape.org

> On 5/6/2017 1:30 PM, Victor Westmann wrote:
> > Thank you Maren and Tobias
> > For pointing this out. I was not so sure. Sometimes I am visiting
> > the inkscape website and I noticed it points to the http version
> > instead of the https one.
> > Great to hear this. I rest my case. :)



Fwd: Re: Let's encrypt: is this possible?

Miguel Lopez
In reply to this post by Victor Westmann

-------- Forwarded Message --------

Subject: Re: [Inkscape-devel] Let's encrypt: is this possible?
Date: Sat, 6 May 2017 13:51:36 -0400
From: Miguel Lopez [hidden email]
To: Martin Owens [hidden email]


Oh, ok. I never really paid attention to that as I rarely go there due 
to academic reasons, and I thought it didn't do this since someone 
brought this topic up. I guess all is clear now.


On 5/6/2017 1:50 PM, Martin Owens wrote:
> On Sat, 2017-05-06 at 17:43 +0000, Miguel Lopez wrote:
>> Is it an option to automatically redirect to https?
> It already does this, try and go to http://inkscape.org
>
>> On 5/6/2017 1:30 PM, Victor Westmann wrote:
>>> Thank you Maren and Tobias
>>> For pointing this out. I was not so sure. Sometimes I am visiting
>>> the inkscape website and I noticed it points to the http version
>>> instead of the https one.
>>> Great to hear this. I rest my case. :)



Re: Let's encrypt: is this possible?

Martin Owens-2
In reply to this post by Martin Owens-2
On Sat, 2017-05-06 at 10:54 -0700, Victor Westmann wrote:
> When I go to inkscape.org on the chrome browser on an Android phone I
> get this message (please check file attached).
> That's why I asked. Thanks for checking this Martin.

Ah I see, there are a couple of reasons for this. Most of them are that
ssl is garbage for how many new crypto types you need to either switch
on or switch off.

So the error appears to be that one of the leafs being used in our SSL
chain (AdTrust AB) is SHA1, which is just nuts, no leaf should be using
SHA1. But this also explains why many SSL checkers I've run the site
through give it a clean bill of health. Our Cert is fine, but AdTrust's
is out of date. :-(

Are there any volunteers to help with this problem?

Martin,


Re: Let's encrypt: is this possible?

LucaDC
In reply to this post by Victor Westmann
Hi to all,
I've just heard about this initiative.
It seems something positive but after a first thought I couldn't help asking: why? What is the purpose to secure a public connection on which no sensitive data flow?
I've had some sporadic errors with Firefox when connecting to HTTPS sites because of expired certificates and I was only trying to connect to them coming from Google so to see their contents for the first time, which doesn't involve sending sensitive data that deserve encryption; so in those cases the useless HTTPS layer only prevented me from accessing the service.

I'm probably missing some point that makes this really interesting. Is it just a trend?

Regards.
Luca

Re: Let's encrypt: is this possible?

Daniel Mulholland
Well here's one good reason:


tl;dr: If you use http, anyone can 'man in the middle' the connection and insert almost anything. And they do.


regards

Dan



Re: Let's encrypt: is this possible?

Tobias Ellinghaus
In reply to this post by LucaDC
On Monday, 8 May 2017, 01:44:11 CEST, LucaDC wrote:

[...]

> asking: why? What is the purpose to secure a public connection on which no
> sensitive data flow?

Because it's no one's business if there is sensitive data flowing. Only
encrypting the few cases where the data is sensitive will signal everyone
listening that something is going on. Encrypting everything will make the
sensitive events be drowned in a sea of noise.

[...]

> I'm probably missing some point that makes this really interesting. Is it
> just a trend?

I hope not, it's the sane thing to do.

> Regards.
> Luca

Tobias

Re: Let's encrypt: is this possible?

Ryan Gorley
In reply to this post by Martin Owens-2
> Are there any volunteers to help with this problem?

Martin, are you looking for help configuring a new cert, or with editing the Apache/NGINX config of the current cert?



Re: Let's encrypt: is this possible?

Maren Hachmann
In reply to this post by Tobias Ellinghaus
Additional: To my understanding, there is sensitive data flowing. The
Inkscape website allows people to log in, share their email addresses
and social handles, upload Inkscape source code and binaries, as well as
Inkscape extensions and other stuff.

I sure hope that the upload forms send their data encrypted, else (to my
understanding) it wouldn't be hard to exchange the files during upload
and we could possibly distribute binaries that have been tampered with.

Maren


Re: Let's encrypt: is this possible?

LucaDC
In reply to this post by LucaDC
Thanks Daniel, Tobias and Maren for your replies.

I see there is reason behind, but I'm still not completely convinced.
Data integrity should be guaranteed between end points through a verification mechanism, not relying on the transmission channel robustness (or absence of interference): encrypting/decrypting can be a way but a separate checksum could be just as good and it should always be the way for distributed binaries, because corruption could happen before encryption or while saving the file on the receiving computer's hard disk, after the browser has decrypted data.
The point about drowning sensitive data into a sea of noise has the weakness of providing more material for decrypters so the chance to break in may even become higher.

Surely, if today's resources make HTTPS' overhead negligible, one could say: why not? Even if it proved useless, the wasted effort would be minimal.
While legitimate, that's not exactly the way I think.

In any case, I see that this is quite a recent topic that's being discussed a lot all around.
I'm not an expert so I think I'll sit down and see as it develops.

Luca

Re: Let's encrypt: is this possible?

Maren Hachmann
On 09.05.2017 at 13:16, LucaDC wrote:
...
> encrypting/decrypting can be a way but a
> separate checksum could be just as good and it should always be the way for
> distributed binaries, because corruption could happen before encryption or
> while saving the file on the receiving computer's hard disk, after the
> browser has decrypted data.

- We do both. Uploads can be signed or 'checksummed' by the uploader.

Maren


Re: Let's encrypt: is this possible?

Martin Owens-2
On Tue, 2017-05-09 at 15:22 +0200, Maren Hachmann wrote:

> On 09.05.2017 at 13:16, LucaDC wrote:
> ...
> >
> > encrypting/decrypting can be a way but a separate checksum could be
> > just as good and it should always be the way for distributed binaries,
> > because corruption could happen before encryption or while saving the
> > file on the receiving computer's hard disk, after the browser has
> > decrypted data.
> - We do both. Uploads can be signed or 'checksummed' by the uploader.

This checksum (md5) or preferably gnupg signature is checked by the
server and the upload is marked as verified automatically. This ensures
at least the upload is correct. For the download the user can download
the same signature or md5 and check their copy too.

Martin,
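
Added example (not part of the original thread and not the Inkscape website's code): the checksum check discussed in the messages above, modelled in Python to show when a published digest catches a changed download and when it does not. The `Channel` class, file name and contents are constructed for illustration, and SHA-256 from `hashlib` is an assumption standing in for the md5 the thread mentions.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional

Rewrite = Callable[[str, bytes], bytes]


class Channel:
    """Hypothetical transport that serves named objects.

    in_transit=None models an authenticated channel (TLS); a callable models
    plain HTTP, where whatever sits on the path can change the bytes.
    """

    def __init__(self, objects: Dict[str, bytes], in_transit: Optional[Rewrite] = None):
        self.objects = objects
        self.in_transit = in_transit

    def fetch(self, name: str) -> bytes:
        data = self.objects[name]
        return self.in_transit(name, data) if self.in_transit else data


def hex_digest(data: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, data).hexdigest()


def download_and_verify(files: Channel, digests: Channel, name: str,
                        algo: str = "sha256") -> Optional[bytes]:
    """Return the downloaded bytes if they match the published digest, else None."""
    data = files.fetch(name)
    # Digest file in the usual "<hex>  <filename>" layout.
    published = digests.fetch(f"{name}.{algo}").decode("ascii").split()[0].lower()
    matches = hmac.compare_digest(hex_digest(data, algo), published)
    return data if matches else None


# Constructed sample data, not a real release artifact.
NAME = "example-1.0.tar.gz"
RELEASE = b"constructed release contents\n"
MODIFIED = b"constructed modified contents\n"
SERVER = {NAME: RELEASE, NAME + ".sha256": f"{hex_digest(RELEASE)}  {NAME}\n".encode()}


def bit_flip(name: str, data: bytes) -> bytes:
    """Accidental corruption: one bit of the file flips, the digest is untouched."""
    if name.endswith(".sha256"):
        return data
    return bytes([data[0] ^ 0x01]) + data[1:]


def consistent_rewrite(name: str, data: bytes) -> bytes:
    """Modification in transit where file and digest are changed together."""
    if name.endswith(".sha256"):
        return f"{hex_digest(MODIFIED)}  {NAME}\n".encode()
    return MODIFIED


def scenarios() -> Dict[str, Optional[bytes]]:
    tls = Channel(SERVER)                        # authenticated end to end
    flaky = Channel(SERVER, bit_flip)            # unreliable but not hostile
    plain = Channel(SERVER, consistent_rewrite)  # unauthenticated HTTP
    return {
        "clean": download_and_verify(tls, tls, NAME),
        "corrupted": download_and_verify(flaky, flaky, NAME),
        "rewritten_same_channel": download_and_verify(plain, plain, NAME),
        "rewritten_trusted_digest": download_and_verify(plain, tls, NAME),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        verdict = "ACCEPTED " + repr(result) if result is not None else "REJECTED"
        print(f"{label:26} -> {verdict}")
```

The digest rejects the corrupted download, but the modified file is accepted when its digest arrived over the same unauthenticated channel; it is rejected only when the digest comes over an authenticated one, which is the role HTTPS or a verified GnuPG signature plays.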


Re: Let's encrypt: is this possible?

Christoffer Holmstedt
Slightly off topic, but TLS is a must; so many things can go wrong with unencrypted sites, and the major web browsers have, in their respective latest releases, started to mark all non-encrypted websites with a login form as "Insecure".

SSLlabs is the go to place for all SSL/TLS tests ;)
...and for those who are really interested in the topic of SSL/TLS I recommend the book "Bulletproof SSL and TLS" as well as the newsletter at [1,2]

[1] https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
[2] https://www.feistyduck.com/bulletproof-tls-newsletter/

--
Christoffer Holmstedt
