Please remove me from your mailing list

Joachim Steiger roh at openmoko.org
Tue Jul 22 14:53:11 CEST 2008


Robin Paulson wrote:
> 2008/7/20 Yorick Moko <yorickmoko at gmail.com>:
>> 1. go to https://lists.openmoko.org/mailman/options/devel
>> 2. enter your e-mail address and password and edit the options or just
>> unsubscribe
> 
> the problem is that the security certificates on that site have
> expired, thus ff3 blocks the visit.

please see below.

> adding an exception shouldn't be necessary, and is bad practice

well.. after one understands how ssl and certificates work, one will
very soon discover that paying money for certs does not make them a bit
more secure or trustworthy.

the cert we use is valid. it's neither expired nor the wrong one on
the server.
it's for sita.openmoko.org and has multiple alt-names including
lists.openmoko.org.
validity is till 2009

so all in all we can call what ff3 does, in making users trust
preinstalled certificates and keys, extremely bad practice.

it makes people believe certs done by verisign would be more secure,
than cacert or self-built and used ca trust-chains.

since this is clearly a false assumption and the only way to more truth
is educating users about ssl and certificates (and the mafiaa which
wants to gain money from the game), i need to make this statement.

jfyi... try finding out WHY mozilla does trust verisign and not
ca-cert... the result is quite unfunny and can be described in short as
'when mozilla still was netscape4, verisign had a suitcase of money with
them to get their ca in there'.
so it's not about trust, it's about money. simple as that.

if you really wanna be secure, delete _all_ installed certificates from
your browser, mail the admins of a site you want to visit via gpg and
ask them for fingerprints of the ssl-certificates and decide on a
per-cert basis.

sorry if that all sounds extreme, but ff3 pissed me off gigantically
with this non-helping behavior and the lost possibility to do ssl right.

ps: for those who did not get it already, the web of trust is broken.
it cannot be fixed. you can choose how much broken for you.
but to repair it we first need anything that's trust and not 'gave me
enough money to shut up'.

regards

-- 

Joachim Steiger
Openmoko Central Services
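
The per-certificate check described in the message above, as an added example that is not part of the original post: compare the SHA-256 fingerprint of the certificate a server presents with one received out-of-band. The pin store layout, the function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate (not a real cert).
SAMPLE_DER = b"constructed stand-in for a DER-encoded certificate"

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, upper-case hex with colons."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> bytes:
    """Accept 'AA:BB', 'aa bb' or 'aabb'; raise ValueError on bad hex."""
    return bytes.fromhex(fp.replace(":", "").replace(" ", "").strip())

def pin_matches(der: bytes, pins: dict, host: str) -> bool:
    """True only if the presented cert hashes to the fingerprint pinned for host.

    pins is a hypothetical store: lower-case host name -> fingerprint string
    obtained out-of-band (e.g. in a signed mail from the site's admins).
    """
    pinned = pins.get(host.lower())
    if pinned is None:
        return False  # no fingerprint on file: no trust decision yet
    try:
        expected = normalize(pinned)
    except ValueError:
        return False  # malformed pin never matches
    # Compare raw digests in constant time.
    return hmac.compare_digest(hashlib.sha256(der).digest(), expected)

def fetch_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the leaf certificate without consulting any preinstalled CA.

    Chain validation is off here, so send nothing over this connection;
    it exists only to read the certificate for the pin check.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```

A pin ties trust to one exact certificate, so the stored fingerprint has to be refreshed out-of-band whenever the server's certificate is renewed.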



