wiki upgrade

[Mark Foster (Free Geek Seattle)]

Hi everyone. This morning I upgraded our mediawiki software to the
latest (1.22.7) for freegeekseattle.org. I also changed to a newer logo
and setup SSL under https://freegeekseattle.org/

The certificate was issued by CAcert.org, and since it may not be
preloaded as a trusted Certificate Authority (CA) in your particular
browser. If you get certificate warnings please follow these instructions.

Go to http://www.CAcert.org
Click on Root Certificate (right-hand side)
Click on both these links and Import into your certificate store
Class 1 PKI Key PEM Format
Class 3 PKI Key PEM Format

I believe both are needed.

Afterwards, https://freegeekseattle.org/wiki/index.php/Main_Page
should show an unbroken Lock icon in your browser.
(See attachment)

Any issues or concerns regarding this or future changes can be addressed
to webm...@freegeekseattle.org, or discussed on the mailing list.

[Boxcutter729]

Awesome. I'm going to keep working on the content as I have time.

[ted....@gmail.com]

Wait, so every user visiting our Wiki will have to go through these steps? I don't know about you guys, but I usually back out of any site where Google warns me of a security problem.

On Friday, May 30, 2014 9:46:51 AM UTC-7, Mark Foster wrote:

[Andrew Kane]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/31/2014 01:07 PM, ted....@gmail.com wrote:
> Wait, so every user visiting our Wiki will have to go through these
> steps?

No, just people using browsers that don't already trust CACert. That's
Debian users running Iceweasel, anyone running dillo or Midori IIRC,
but no one running regular Firefox or Chrome should be affected.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Icedove - http://www.enigmail.net/

iQEcBAEBAgAGBQJTikhpAAoJEAa852fG4/6BqasIAJXNtNlWhJAlYevW/OL2zPkJ
+HmpjJrz3fCACbsSwcCr6B0Kgyv3sxR37mlMKzt6bkz546QKdYMpWlqHeJX+A/CV
Izflp3TMjZc/oP/Mhe6yPc+db59K55ecz4hmRBvbHdqi2017GYCHDGGhawPuauyE
Jd+Uu720bkRBD3G4P1/nmP0aitxgdMKm8XUoWqvQoS2TWM1w67bPso9reD6K9Wk+
8QETQIOedPNpkruE5HdVDst25Duk+kPH0KVgPL61V4ej4SN2iFEXgoQNe0a5BRw5
TEsUHu/+qJm3IWd++lG9Q/aC7mJSQmrs6usmntS9HCQipp5Z0VkUyQ66SgpCRZg=
=YYZi
-----END PGP SIGNATURE-----

[Alex Jordan]

On May 30, 2014 9:46 AM, "Mark Foster (Free Geek Seattle)" <mfo...@freegeekseattle.org> wrote:
> Afterwards, https://freegeekseattle.org/wiki/index.php/Main_Page
> should show an unbroken Lock icon in your browser.

And if it doesn't, you've been MITM'd or something is corrupt. Get rid of that root cert ASAP.

[Mark Foster]

Cacert is a reputable CA, but I concede this is a bit of a pain and certainly not appropriate for casual visitors to be subjected to.

I can suggest the following compromise: we can leave the http (non-secure) site as the default but encourage the use of https for those that are use logins regularly.

--
You received this message because you are subscribed to the Google Groups "freegeek-seattle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to freegeek-seatt...@googlegroups.com.
To post to this group, send email to freegeek...@googlegroups.com.
Visit this group at http://groups.google.com/group/freegeek-seattle.

[Finn Herzfeld]

Why not go with a CA that is trusted by most browsers? CA cert is sketch as hell.

[Dan Ryan]

Hey Mark,

I like CAcert, but using their certs makes our website appear untrusted in chrome, Firefox and Internet Explorer on 99+% of our users computers, including the xubuntu computers we build. Could we please switch to Startcom or another SSL provider?

Thanks,
Dan

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

[Mark Foster]

I have reverted the change for now.

plan is to buy a cert from a CA that browsers trust. it costs money we don't have right now, or are there free alternatives to cacert?

Thanks!

[Finn]

StartCom is free. They signed seattlemesh.net, my personal sites, etc. Hit me up on irc if you want tech support with that, I've done it many a time