Why is Craigslist asking for me to confirm their https certificate?

Brad Johnson

Jul 1, 2015, 2:30:23 AM
I wanted to log into my craigslist account, so I typed
https://craigslist.com

And up comes a form saying "This connection is untrusted".
You have asked Firefox to connect securely to craigslist.com, but we
can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted
identification to prove that you are going to the right place. However,
this site's identity can't be verified.
What Should I Do?

If you usually connect to this site without problems, this error could
mean that someone is trying to impersonate the site, and you shouldn't
continue.

What should I do?

philo

Jul 1, 2015, 5:37:19 AM
The URL for Craigslist is


craigslist.org


Note...there is no "https"

and it's not "com" it's "org"

Mike Easter

Jul 1, 2015, 11:35:52 AM
philo wrote:
> Brad Johnson wrote:
>> I wanted to log into my craigslist account, so I typed
>> https://craigslist.com

Why are you typing in such an address?

As a general rule, I 'never' type an address. I either click a
favorite/bookmark or I put information into a search engine and click a
link from the search.

> The URL for Craigslist is
>
> craigslist.org
>
> Note...there is no "https"
>
> and it's not "com" it's "org"

If one simply addresses 'craigslist.com' one is auto-redirected to the
appropriate area http craigslist.org on my system.

If one uses the https on the .com, one gets the certificate warning.


--
Mike Easter

philo

Jul 1, 2015, 12:06:18 PM
Years ago I made a similar mistake when trying to get some information
about the government and I went to whitehouse.com rather than gov


it was a port site

Wildman

Jul 1, 2015, 1:21:26 PM
On Wed, 01 Jul 2015 08:35:48 -0700, Mike Easter wrote:

> philo wrote:
>> Brad Johnson wrote:
>>> I wanted to log into my craigslist account, so I typed
>>> https://craigslist.com
>
> Why are you typing in such an address?
>
> As a general rule, I 'never' type an address. I either click a
> favorite/bookmark or I put information into a search engine and click a
> link from the search.
>
>> The URL for Craigslist is
>>
>> craigslist.org
>>
>> Note...there is no "https"
>>
>> and it's not "com" it's "org"
>
> If one simply addresses 'craigslist.com' one is auto-redirected to the
> appropriate area http craigslist.org on my system.

Same here.

> If one uses the https on the .com, one gets the certificate warning.

Same here.

--
<Wildman> GNU/Linux user #557453
The cow died so I don't need your bull!

Mike Easter

Jul 1, 2015, 1:33:27 PM
Brad Johnson wrote:
> I wanted to log into my craigslist account,

> What should I do?

Put this in your favorites/bookmarks https://accounts.craigslist.org/login



--
Mike Easter

William Unruh

Jul 1, 2015, 2:44:45 PM
Was that a typo?

Brad Johnson

Jul 1, 2015, 4:46:02 PM
On Wed, 01 Jul 2015 10:33:23 -0700, Mike Easter wrote:

> Put this in your favorites/bookmarks
> https://accounts.craigslist.org/login

You're the ONLY one who understood that you MUST use the https
if you want to log into your account (which is what I am doing).

I'm not sure how you knew what the point was, because I think
I erroneously forgot to mention that the whole point was to
log into my account.

Normally it works like this:
1. I go to http://craiglist.org
2. I press the link to log in
3. And the certificate stuff happens automagically

Likewise, when I go to your URL, the certificate stuff happens
automagically.

So, what I don't understand is why the certificate stuff does NOT
happen automatically when I point the browser to
https://craigslist.com

When I do that, it *asks* me to accept the certificate.

Why does it NOT ask me to accept the certificate with your
URL, but it asks me to accept the certificate with my URL?

That's what I don't understand.

Brad Johnson

Jul 1, 2015, 4:55:38 PM
On Wed, 01 Jul 2015 04:37:17 -0500, philo wrote:

> The URL for Craigslist is
> craigslist.org
> Note...there is no "https"
> and it's not "com" it's "org"

The 'com' was a typo (but I just checked and going to craigslist.com
redirects automagically to my local craigslist.org anyway).

All craigslist logins are SSL encrypted.

It was my mistake to not explain that I wanted to avoid all non
encrypted links when I'm using VPN.

So, for example, while I'm on VPN, I go to "mail.google.com",
Google automagically puts me at an encrypted connection, which
means that the VPN doesn't even get my login name nor my login
credentials. All they get is the fact that I went to https
and then google mail.

I wanted to similarly be 100% encrypted while on VPN and logging
into Craigslist. I didn't want to go to the unencrypted site
first.

My mistake for not explaining I was trying to figure out how to
be 100% SSL encrypted whenever I go anywhere while on VPN.

I want to keep as much information as I can from the VPN
provider (they don't know who I am, as they only know my IP
address - and I don't want to give them my craigslist login
nor my Gmail login nor my Bank login, etc.).

At least that's my goal. :)

Mike Easter

Jul 1, 2015, 5:00:21 PM
Brad Johnson wrote:
> Mike Easter wrote:
>
>> Put this in your favorites/bookmarks
>> https://accounts.craigslist.org/login
>
> You're the ONLY one who understood that you MUST use the https
> if you want to log into your account (which is what I am doing).

Well, I wouldn't say I'm the only one who understood; but we are
communicating about it here.

> I'm not sure how you knew what the point was, because I think
> I erroneously forgot to mention that the whole point was to
> log into my account.

Yes I understand.

> Normally it works like this:
> 1. I go to http://craiglist.org
> 2. I press the link to log in
> 3. And the certificate stuff happens automagically

When you land at the http and click the login, you are clicking on a
https for ORG not COM. Cert OK.

> Likewise, when I go to your URL, the certificate stuff happens
> automagically.

Correct address, cert OK.

> So, what I don't understand is why the certificate stuff does NOT
> happen automatically when I point the browser to
> https://craigslist.com

Wrong address COM, https cert NOT OK.

> When I do that, it *asks* me to accept the certificate.

But that isn't the proper solution to the problem.

> Why does it NOT ask me to accept the certificate with your
> URL, but it asks me to accept the certificate with my URL?
>
> That's what I don't understand.

For a https cert to work, the address must be OK and the cert must be
uptodate. If the site is just http, then it can handle the COM to ORG
referral without trouble. But to get to https, the ORG can't be COM.


--
Mike Easter

Brad Johnson

Jul 1, 2015, 5:42:56 PM
On Wed, 01 Jul 2015 14:00:16 -0700, Mike Easter wrote:

> When you land at the http and click the login, you are clicking on a
> https for ORG not COM. Cert OK.

I'm confused.

When I go to this address, it asks for me to accept the certificate:
https://craigslist.org/

When I go to this address, it does NOT ask for me to accept it:
https://accounts.craigslist.org

What's different? They're both https and then craigslist.org
(yes, I realize the "accounts" is a different "server" and somehow
that is what matters but what I'm asking is whether the certificate
that the craigslist.org is asking me to accept is legit, and
why doesn't it just do it automagically if it's legit?)

You see where I'm confused?

Brad Johnson

Jul 1, 2015, 5:48:47 PM
On Wed, 01 Jul 2015 08:35:48 -0700, Mike Easter wrote:

> If one uses the https on the .com, one gets the certificate warning.

It was my mistake to type the com.

Let me repeat where I'm confused (and let me explain that the goal is
to give away as little information to the VPN as possible).

If I go here, it doesn't ask for anything (it's all magic):
https://accounts.craigslist.org

But, if I go here, it asks me to accept the certificate first:
https://craigslist.org

My confusion is this:
a. They are both legitimate craigslist sites (AFAIK).
b. So, I think accepting the certificate should be fine.
c. But, why doesn't it just happen automagically?

Is it that craigslist didn't bother to "register" the second
certificate but they registered the first with my operating system?

If that's the case, would it be SAFE to simply accept the second
certificate?

Mike Easter

Jul 1, 2015, 5:53:46 PM
Brad Johnson wrote:
> Mike Easter wrote:
>
>> When you land at the http and click the login, you are clicking on
>> a https for ORG not COM. Cert OK.
>
> I'm confused.
>
> When I go to this address, it asks for me to accept the certificate:
> https://craigslist.org/

There is a minor syntax problem there. The certificate is for:

The certificate is only valid for *.craigslist.org

Your craigslist.org is naked, so there is no <subdomain> DOT preceding.

For example, the webserver can comfortably handle www.craigslist.org and
redirect to an <area>.craigslist.org.

> When I go to this address, it does NOT ask for me to accept it:
> https://accounts.craigslist.org

subdomain dot is 'intact'.

> You see where I'm confused?

Yes; (and/but) it is a triviality (which is making you crazy :-)


--
Mike Easter

Wildman

Jul 1, 2015, 5:54:58 PM
On Wed, 01 Jul 2015 21:47:24 +0000, Brad Johnson wrote:

> On Wed, 01 Jul 2015 08:35:48 -0700, Mike Easter wrote:
>
>> If one uses the https on the .com, one gets the certificate warning.
>
> It was my mistake to type the com.
>
> Let me repeat where I'm confused (and let me explain that the goal is
> to give away as little information to the VPN as possible).
>
> If I go here, it doesn't ask for anything (it's all magic):
> https://accounts.craigslist.org
>
> But, if I go here, it asks me to accept the certificate first:
> https://craigslist.org
>
> My confusion is this:
> a. They are both legitimate craigslist sites (AFAIK).

It does not look like it. See below.

> b. So, I think accepting the certificate should be fine.
> c. But, why doesn't it just happen automagically?
>
> Is it that craigslist didn't bother to "register" the second
> certificate but they registered the first with my operating system?
>
> If that's the case, would it be SAFE to simply accept the second
> certificate?

I told Firefox to accept the certificate for the one time and
here is what I got...

https://www.dropbox.com/s/u9broxuxaf0v1up/craigslist.png?dl=0

Mike Easter

Jul 1, 2015, 6:00:32 PM
Brad Johnson wrote:
> But, if I go here, it asks me to accept the certificate first:
> https://craigslist.org

See my other message about naked craigslist, no subdomain dot prefix.


--
Mike Easter

Brad Johnson

Jul 1, 2015, 6:01:00 PM
On Wed, 01 Jul 2015 21:54:56 +0000, Wildman wrote:

> I told Firefox to accept the certificate for the one time and here is
> what I got...
>
> https://www.dropbox.com/s/u9broxuxaf0v1up/craigslist.png?dl=0

Thanks for accepting the certificate because I was unsure what to
do.

It's hard to say that's definitely a legitimate web page,
but that little ascii stick figure is common when you search
for a listing on Craigslist which is no longer there.

I guess though, that what you found out was, that the site
exists, and it has SSL encryption, but it doesn't serve
any pages.

I was just trying to get to the accounts login, so, I think I'll
just change my URL to the one Mr. Easter gave me.

(This cert stuff confuses me too much. I can't think straight.)

Mike Easter

Jul 1, 2015, 6:06:18 PM
Wildman wrote:
> I told Firefox to accept the certificate for the one time and
> here is what I got...
>
> https://www.dropbox.com/s/u9broxuxaf0v1up/craigslist.png?dl=0

Ha! How 'craigslisty'.

Many craigslist pages are very 'ascii' looking. How appropriate to do
the 404 with a cowsay ascii graphic.

--
Mike Easter

Richard Kettlewell

Jul 1, 2015, 6:19:14 PM
Brad Johnson <coolg...@live.com> writes:
> Mike Easter wrote:
>> If one uses the https on the .com, one gets the certificate warning.
>
> It was my mistake to type the com.
>
> Let me repeat where I'm confused (and let me explain that the goal is
> to give away as little information to the VPN as possible).
>
> If I go here, it doesn't ask for anything (it's all magic):
> https://accounts.craigslist.org
>
> But, if I go here, it asks me to accept the certificate first:
> https://craigslist.org
>
> My confusion is this:
> a. They are both legitimate craigslist sites (AFAIK).
> b. So, I think accepting the certificate should be fine.
> c. But, why doesn't it just happen automagically?

I’ve no idea why you’d believe the above. I suspect you’ve
misunderstood what https actually does.

> Is it that craigslist didn't bother to "register" the second
> certificate but they registered the first with my operating system?

I don’t think you’ve posted enough information for anyone to say much
about what the problem is. You can probably get your browser to show
you the certificate it’s having trouble with and, possibly, to describe
what it thinks is wrong with it.

--
http://www.greenend.org.uk/rjk/

David W. Hodgins

Jul 1, 2015, 6:25:09 PM
On Wed, 01 Jul 2015 16:44:38 -0400, Brad Johnson <coolg...@live.com> wrote:

> So, what I don't understand is why the certificate stuff does NOT
> happen automatically when I point the browser to
> https://craigslist.com

The certificate is only valid for craigslist.org, so when using
craigslist.com, the server name does not match the certificate name.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Brad Johnson

Jul 1, 2015, 6:42:01 PM
On Wed, 01 Jul 2015 18:18:09 -0400, David W. Hodgins wrote:

> The certificate is only valid for craigslist.org, so when using
> craigslist.com, the server name does not match the certificate name.

It was a typo that I hit craigslist.com, as craigslist.org
does the same thing when preceded by https.

Mike Easter

Jul 1, 2015, 6:53:58 PM
Brad Johnson wrote:

> It was a typo that I hit craigslist.com, as craigslist.org
> does the same thing when preceded by https.
>
Different but similar reasons.

COM is wrong because it isn't ORG (and it also is naked, but the big
deal is the COM; even if it weren't naked COM wouldn't work).

The ORG one is 'barely' wrong because it has a tiny problem with its
syntax in that it is naked instead of prefaced by a <subdomain>DOT.

--
Mike Easter

Brad Johnson

Jul 1, 2015, 9:08:25 PM
On Wed, 01 Jul 2015 15:53:55 -0700, Mike Easter wrote:

> COM is wrong because it isn't ORG (and it also is naked, but the big
> deal is the COM; even if it weren't naked COM wouldn't work).
>
> The ORG one is 'barely' wrong because it has a tiny problem with its
> syntax in that it is naked instead of prefaced by a <subdomain>DOT.

I read it (and, your other post), but, I'm missing something in
the logic (so I'll re read your other post again).

Mike Easter

Jul 1, 2015, 11:30:55 PM
Here's the certificate rule:

The certificate is only valid for *.craigslist.org

See the asterisk and especially the dot?

craigslist.org doesn't fit that rule. No dot, no content to fit the
wildcard space. Even if the wildcard could be nothing instead of
anything, there's still a missing dot.

--
Mike Easter

Brad Johnson

Jul 2, 2015, 1:31:30 AM
On Wed, 01 Jul 2015 20:30:52 -0700, Mike Easter wrote:

> Here's the certificate rule:
>
> The certificate is only valid for *.craigslist.org
>
> See the asterisk and especially the dot?
>
> craigslist.org doesn't fit that rule. No dot, no content to fit the
> wildcard space. Even if the wildcard could be nothing instead of
> anything, there's still a missing dot.

Wow. That's subtle.

I get the regular expression of an asterisk meaning 0 or more of the
character, so, that makes the dot the critical factor.

So, what you're saying is that the *registered* certificate (the one that
is already on my computer from the browser or operating system company)
only fits *.craigslist.org

I guess that means "craigslist.org" (no dot, in particular), *has*
a certificate, but, I don't have the matching certificate already on
my computer.

Is that why I get the certificate challenge with "craigslist.org"?

William Unruh

Jul 2, 2015, 5:24:08 AM
Because the signing authority for craigslist.com is not in your browser
while that for craigslist.org is?

William Unruh

Jul 2, 2015, 5:28:12 AM
There is a cert for craigslist.com as well. But it is either expired (I
think your browser would say that) or the signing authority for it is
not in the list shipped with your browser. Browsers come with a set of
signing authorities built in. If the signing authority is not in that
list, the browser has no way of knowing that that is a legitimate SSL
key.

Michael Baeuerle

Jul 2, 2015, 6:51:34 AM
Brad Johnson wrote:
> On Wed, 01 Jul 2015 20:30:52 -0700, Mike Easter wrote:
> >
> > Here's the certificate rule:
> >
> > The certificate is only valid for *.craigslist.org
> >
> > See the asterisk and especially the dot?
> >
> > craigslist.org doesn't fit that rule. No dot, no content to fit the
> > wildcard space. Even if the wildcard could be nothing instead of
> > anything, there's still a missing dot.
>
> Wow. That's subtle.
>
> I get the regular expression of an asterisk meaning 0 or more of the
> character, so, that makes the dot the critical factor.

For HTTPS the semantics are defined by [1] as:
|
| [...] Names may contain the wildcard
| character * which is considered to match any single domain name
| component or component fragment. [...]

In this case the asterisk means "anything" (except "nothing" as I read
it) and the dot has literal semantics.

This is different from common regular expression semantics for ".*"
(where the dot means "any character" and the asterisk means "repeated
zero or any number of times").

_________________
[1] <https://tools.ietf.org/html/rfc2818#section-3.1>

Brad Johnson

Jul 2, 2015, 8:02:58 AM
On Thu, 02 Jul 2015 10:51:20 +0000, Michael Baeuerle wrote:

> This is different from common regular expression semantics for ".*"
> (where the dot means "any character" and the asterisk means "repeated
> zero or any number of times")

Thanks for reminding me. So I should NOT have used the word
regular expressions, because the two characters (*) & (.) don't
mean the same thing in this case.

Thanks.

William Unruh

Jul 2, 2015, 10:36:40 AM
But it is the same as file globbing.
ls *.*
lists all files with a . in them.

Michael Baeuerle

Jul 2, 2015, 11:42:37 AM
No, it is again different.

> ls *.*
> lists all files with a . in them.

Yes, but it also lists files with multiple dots in the name:
|
| $ touch bla.example.org
| $ ls -l *.*
| -rw-r--r-- 1 baeuerle users 0 Jul 2 17:10 bla.example.org

For POSIX compliant shells this is defined in [3] as:
|
| The asterisk ( '*' ) is a pattern that shall match any string,
| including the null string.

Comparing this to domain name wildcard matching, the first rule from [1]
is that there is no common rule:
|
| Finally, the semantics of subject alternative names that include
| wildcard characters (e.g., as a placeholder for a set of names) are
| not addressed by this specification. Applications with specific
| requirements MAY use such names, but they must define the semantics.

In other words: What a domain name with asterisk inside an X.509
certificate means depends on the protocol that is stacked on top of TLS.
For HTTPS it is defined in [2] like this:
|
| [...] Names may contain the wildcard
| character * which is considered to match any single domain name
| component or component fragment. E.g., *.a.com matches foo.a.com but
| not bar.foo.a.com. f*.com matches foo.com but not bar.com.
^^^^^^^^^^^^^^^^^
The filename matching of a POSIX shell is not compliant to this
definition:
|
| $ touch foo.a.com
| $ touch bar.foo.a.com
| $ ls -l *.a.com
| -rw-r--r-- 1 baeuerle users 0 Jul 2 17:26 bar.foo.a.com
| -rw-r--r-- 1 baeuerle users 0 Jul 2 17:26 foo.a.com


_________________________
[1] <https://tools.ietf.org/html/rfc5280#section-4.2.1.6>
[2] <https://tools.ietf.org/html/rfc2818#section-3.1>
[3] <http://pubs.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html#tag_02_13_02>

Michael Baeuerle

Jul 2, 2015, 11:54:35 AM
No, it is again different.

> ls *.*
> lists all files with a . in them.

Yes, but it also lists files with multiple dots in the name:
|
| $ touch bla.example.org
| $ ls -l *.*
| -rw-r--r-- 1 baeuerle users 0 Jul 2 17:10 bla.example.org

For POSIX compliant shells this is defined in [3] as:
|
| The asterisk ( '*' ) is a pattern that shall match any string,
| including the null string.

Comparing this to domain name wildcard matching, the first rule from [2]
is that there is no common rule:
|
| Finally, the semantics of subject alternative names that include
| wildcard characters (e.g., as a placeholder for a set of names) are
| not addressed by this specification. Applications with specific
| requirements MAY use such names, but they must define the semantics.

In other words: What a domain name with asterisk inside an X.509
certificate (Supersede: More precise: In the "subjectAltName" field)
means depends on the protocol that is stacked on top of TLS.
For HTTPS it is defined in [1] like this:
|
| [...] Names may contain the wildcard
| character * which is considered to match any single domain name
| component or component fragment. E.g., *.a.com matches foo.a.com but
| not bar.foo.a.com. f*.com matches foo.com but not bar.com.
^^^^^^^^^^^^^^^^^
The filename matching of a POSIX shell is not compliant to this
definition:
|
| $ touch foo.a.com
| $ touch bar.foo.a.com
| $ ls -l *.a.com
| -rw-r--r-- 1 baeuerle users 0 Jul 2 17:26 bar.foo.a.com
| -rw-r--r-- 1 baeuerle users 0 Jul 2 17:26 foo.a.com


_________________________
Supersede: Reordered the IDs to match the references of the quoted text
[1] <https://tools.ietf.org/html/rfc2818#section-3.1>
[2] <https://tools.ietf.org/html/rfc5280#section-4.2.1.6>
[3] <http://pubs.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html#tag_02_13_02>
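
The difference between RFC 2818 hostname matching and shell globbing discussed in the posts above, as an added example that is not part of any post. The function names and the two-entry SAN list are constructed for illustration, and the wildcard is assumed to need at least one character, following Michael Baeuerle's reading of the RFC.

```python
import fnmatch
import re


def rfc2818_match(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name with a hostname, label by label.

    Follows the RFC 2818 section 3.1 text quoted in the thread: '*' stands
    for one domain name component or a fragment of one, and never crosses
    a dot. Assumption: the wildcard must cover at least one character.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # '*' cannot absorb a dot, so both names need the same number of labels.
    # This is the check that rejects the bare craigslist.org.
    if len(p_labels) != len(h_labels):
        return False
    for p, h in zip(p_labels, h_labels):
        if "*" in p:
            # Wildcard label: '*' expands only inside this single label.
            rx = "".join("[^.]+" if c == "*" else re.escape(c) for c in p)
            if re.fullmatch(rx, h) is None:
                return False
        elif p != h:
            return False
    return True


def glob_match(pattern: str, name: str) -> bool:
    """Shell-style matching, where '*' matches any string, dots included."""
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def cert_covers(san_names, hostname: str) -> bool:
    """True if any DNS name listed in the certificate matches the hostname."""
    return any(rfc2818_match(n, hostname) for n in san_names)


def compare(pattern: str, names):
    """Map each name to (RFC 2818 result, glob result) for one pattern."""
    return {n: (rfc2818_match(pattern, n), glob_match(pattern, n)) for n in names}


if __name__ == "__main__":
    # Hostnames taken from the thread.
    thread_names = [
        "accounts.craigslist.org",
        "www.craigslist.org",
        "craigslist.org",
        "craigslist.com",
        "londonon.craigslist.ca",
    ]
    for name, (tls, glob) in compare("*.craigslist.org", thread_names).items():
        print(f"{name:26} rfc2818={tls!s:5} glob={glob}")

    # The RFC's own example: the glob accepts the extra label, TLS does not.
    for name, (tls, glob) in compare("*.a.com", ["foo.a.com", "bar.foo.a.com"]).items():
        print(f"{name:26} rfc2818={tls!s:5} glob={glob}")

    # Constructed SAN list: a certificate naming both the wildcard and the
    # bare domain would cover https://craigslist.org as well.
    print(cert_covers(["*.craigslist.org", "craigslist.org"], "craigslist.org"))
```

Current clients are stricter than this RFC 2818 text: RFC 6125 and browser policy generally accept `*` only as the complete left-most label, so a name like `f*.com` would be rejected.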

David W. Hodgins

Jul 2, 2015, 6:32:51 PM
https://craigslist.org still doesn't match the certificate name.
https://www.craigslist.org does match, though I then get redirected
to http://londonon.craigslist.ca/ which has the same problem if I
change it to https. Whoever set up their certificates doesn't seem
to understand how they should work.

Brad Johnson

Jul 2, 2015, 6:52:55 PM
On Thu, 02 Jul 2015 18:32:21 -0400, David W. Hodgins wrote:

> https://craigslist.org still doesn't match the certificate name.
> https://www.craigslist.org does match, though I then get redirected
> to http://londonon.craigslist.ca/ which has the same problem if I
> change it to https. Whoever set up their certificates doesn't seem
> to understand how they should work.

Thank you for testing that, as I see the same thing, and, in fact,
I didn't tell you the little detail that it localizes you (in your
case, to London) as part of the redirect.

The reason it mattered to me was really two fold:
1. I never understand what to do when these requests to accept
certificates come up.
2. I don't want to give the VPN provider any more information
than they need.

On that second issue, say I wanted to log into my account, and
I started up a public VPN server and I needed to type in a
location (I don't use browser history).

1. I "could" type http://londonon.craigslist.ca/, and then
2. I could click on the "login" link,
3. Which would then take me to an https
4. Which then handles the certificate stuff automagically.

But, look at that sequence.
Notice I'm telling the VPN provider that I live near London.
I don't want to tell them that if I don't have to.

So, I was hoping that by typing https://londonon.craigslist.ca,
that I could *hide* a bit of data from the VPN.

Thinking about it all now, I think Mike Easter's suggestion of
just learning the https://accounts.craigslist.org/login URL
is probably the best way to accomplish that though (since
I have no history nor bookmarks for strategic privacy reasons).

But I only realized that from Mike's message.

Brad Johnson

Jul 2, 2015, 6:57:14 PM
On Thu, 02 Jul 2015 22:51:30 +0000, Brad Johnson wrote:

> But, look at that sequence.
> Notice I'm telling the VPN provider that I live near London.
> I don't want to tell them that if I don't have to.

I should have also mentioned the little detail that I'm
on VPN, so, I often have to type the location, because
otherwise I get something in French or Spanish or German,
etc., none of which I understand, because Craigslist
thinks I'm somewhere else when I'm on VPN.

But I don't want to give the VPN provider my location.
So that's why this all started.

Mike Easter

Jul 2, 2015, 7:03:29 PM
Brad Johnson wrote:
> But I don't want to give the VPN provider my location.
> So that's why this all started.

Those who want strong privacy considerations have to learn how to employ
a lot more network tech (than those who care less).

Those who want strong firewalls do too.

--
Mike Easter

David W. Hodgins

Jul 2, 2015, 11:49:20 PM
On Thu, 02 Jul 2015 05:22:43 -0400, William Unruh <un...@invalid.ca> wrote:

> Because the signing authority for craigslist.com is not in your browser
> while that for craigslist.org is?

No. It's because all of the craigslist hosts use a certificate that is
only valid for *.craigslist.org. So https://craigslist.org doesn't
match, but https://anything.craigslist.org will match.

It's nothing to do with the certificate chain. It's simply incompetence
by whoever set up the certificate, or they are too cheap to buy multiple
certificates.

Mike Easter

Jul 3, 2015, 12:22:46 AM
David W. Hodgins wrote:
> or they are too cheap to buy multiple certificates.

I understand the concept behind *.craigslist.org; the assumption being
that there was no need for craigslist.org.

What's wrong with that assumption?


--
Mike Easter

David W. Hodgins

Jul 3, 2015, 2:05:27 AM
It means the certificate is not valid for sites like
https://londonon.craigslist.ca/ which https://www.craigslist.org
redirects to, based on the geolocation associated with the public
ip address being used.

David W. Hodgins

Jul 3, 2015, 2:05:27 AM
On Thu, 02 Jul 2015 18:51:30 -0400, Brad Johnson <coolg...@live.com> wrote:

> 1. I "could" type http://londonon.craigslist.ca/, and then
> But, look at that sequence.
> Notice I'm telling the VPN provider that I live near London.

Looking at the url, I thought I'd made a typo, but it is actually
short for London, Ontario, Canada.

If you're near one of the other cities called London, then it's
actually good misdirection. I am in London, Ontario, Canada.
There are other cities called London. The one in England, the one
in Kentucky U.S.A, and several others.

Richard Kettlewell

Jul 3, 2015, 4:08:30 AM
Brad Johnson <coolg...@live.com> writes:
> But, look at that sequence.
> Notice I'm telling the VPN provider that I live near London.
> I don't want to tell them that if I don't have to.

The chances are that your VPN provider already knows perfectly well
where you are (in the sense that they can look up your real IP address
into a geolocation database and see what pops out).

--
http://www.greenend.org.uk/rjk/

Mike Easter

Jul 3, 2015, 2:14:50 PM
David W. Hodgins wrote:
> Mike Easter wrote:
>> David W. Hodgins wrote:
>>> or they are too cheap to buy multiple certificates.
>
>> I understand the concept behind *.craigslist.org; the assumption being
>> that there was no need for craigslist.org.
>> What's wrong with that assumption?
>
> It means the certificate is not valid for sites like
> https://londonon.craigslist.ca/ which https://www.craigslist.org
> redirects to, based on the geolocation associated with the public
> ip address being used.
>
I don't see that happening.

If I go to the http site for londonon and click the My Account function,
the link is for an https for accounts.craigslist.org

That is, as I see it happening, there is not a need for the .ca
certificate 'created' by craigslist. It only seems so if the user is
typing in addresses which craigslist never intended.


--
Mike Easter