Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Darcs - unsecure website?

2 views
Skip to first unread message

ssecorp

unread,
Aug 10, 2008, 3:10:06 AM8/10/08
to
I am trying to download darcs but Firefox says the site has an expired
certificate and can't be trusted.

Is there a darcs mailing list?


sorry if this is unappropriate here but it is written is haskell...

Secure Connection Failed

zooko.com uses an invalid security certificate.

The certificate is not trusted because it is self signed.
The certificate expired on 2007-08-16 20:11.

(Error code: sec_error_expired_issuer_certificate)


* This could be a problem with the server's configuration, or it
could be someone trying to impersonate the server.

* If you have connected to this server successfully in the past,
the error may be temporary, and you can try again later.

Or you can add an exception…


You should not add an exception if you are using an internet
connection that you do not trust completely or if you are not used to
seeing a warning for this server.

Mark T.B. Carroll

unread,
Aug 10, 2008, 11:27:41 AM8/10/08
to
ssecorp <circul...@gmail.com> writes:

> I am trying to download darcs but Firefox says the site has an expired
> certificate and can't be trusted.
>
> Is there a darcs mailing list?

It's very easy to find with Google.
http://lists.osuosl.org/mailman/listinfo/darcs-users

> sorry if this is unappropriate here but it is written is haskell...

(snip)


> The certificate is not trusted because it is self signed.
> The certificate expired on 2007-08-16 20:11.
>
> (Error code: sec_error_expired_issuer_certificate)

(snip)

I would expect it's fine. Many people self-sign their certificates; the
alternative tends to involve money and bureaucracy. If you are feeling
paranoid then what you could do is ask what the md5sum of the downloaded
file should be and check that the one you download does indeed have the
same md5sum.

Mark

Paul Rubin

unread,
Aug 10, 2008, 12:03:08 PM8/10/08
to
"Mark T.B. Carroll" <Mark.C...@Aetion.com> writes:
> I would expect it's fine. Many people self-sign their certificates; the
> alternative tends to involve money and bureaucracy. If you are feeling
> paranoid then what you could do is ask what the md5sum of the downloaded
> file should be and check that the one you download does indeed have the
> same md5sum.

Ask who?

Mark T.B. Carroll

unread,
Aug 10, 2008, 12:12:07 PM8/10/08
to

I suppose the author or packager of the software might be a good start,
or the site admin or something, though if you were worried that the
entire domain had been hijacked then you might want to find some way to
contact them that didn't rely on it! Probably I'd just post on one of
the mailing lists TBH; if enough people do, they'll arrange separate
routine publication of the checksum. With darcs I normally just get the
Debian package anyway and I already have the signing keys for their
repositories in my keyring already, so from my point of view the answer
is to not rely on web server certificates in the first place. (-:

Mark

0 new messages