[IMC-Tech] [www-features] about the certificates / Re: [Imc-communication] Resigning from tech work
Amy L. Dalton
ald at riseup.net
Wed Mar 7 00:59:17 PST 2012
I wanted to reply to Petros's last note about security certificates,
copied below and archived here:
I am not an expert but I think Petros might be misunderstanding the need
for / nature of certificates. My understanding is its not an optional
thing, we have to have some sort of security certificate enabled if we
want to have any https traffic.
Below I am copying a general explanation that Jamie from
MayfirstPeopleLink wrote awhile back to help me and the NYC group
understand certificates and why they work the way they do. Its based on
an MFPL wiki page
(https://support.mayfirst.org/wiki/what_is_an_ssl_certificate), and he
adapted it it to Indymedia. I'm forwarding it with his permission. Maybe
something like this could be posted somewhere in a way that allows us to
refer the sort of confused and frustrated people that Petros is
interacting with to it.
----- START Explanation from Jamie, MFPL -----
Security is a two-way street. When I go to a web site I have to prove to
the web site that it's really me before the web site gives me access to
anything private or restricted (such as access to my email). The most
common way that is done is via a login in which I provide a username and
a password. Because I supply the correct password, the server knows it
really is me, because I'm the only one who knows my password.
But how do I know that the server I'm going to really is the server I
want to go to? Just because I type https://docs.indymedia.org/ into my
browser, doesn't mean that the server really is the Indymedia server
that I think it is. Any number of things can happen via the Internet
between my computer and the server I'm connecting to that might fool my
computer into thinking I'm connecting to docs.indymedia.org when in fact
I'm connecting to someone else's server specifically setup to look like
the Indymedia server. If that were to happen, I might type in my
username and password on this stranger's server that is acting like
docs.indymedia.org, essentially handing over my identity to a stranger.
The purpose of security certificates is to ensure that the site I'm
connecting to really is the one run by Indymedia.
Unfortunately, the technology for setting up this system is
It works like this:
* most major browsers, even free/open source ones like Firefox, are
pre-configured to trust a pre-defined set of for-profit corporations to
verify the identity of all web sites on the Internet.
* web site maintainers are expected to pay $75 or so to these
corporations in exchange for a digital certificate verifying that we are
who we say we are.
* once this digital certificate is installed on the web server,
browsers will access the secure web site without any errors.
If you don't pay $75 for the certificate, then most people will get a
There's a word for a setup like this. It's called a "racket."
Rather than play this racket, Indymedia uses cacert.org to sign it's
security certificates. cacert is a nonprofit organization that signs
certificates for free.
cacert is not pre-installed on most browsers, however, you can install
it by following the directions here:
If you install the cacert certificate, your browser will automatically
trust all indymedia web sites that have been signed by cacert, so you
will no longer get any error messages when you access them.
However, in addition, your browser will trust *all* web sites signed by
cacert (which could be a good thing or a bad thing depending on how
cautious you are).
----- END Explanation -----
So, this addresses the "problem" that many of us experienced for many
years. Its actually a nice opportunity for political education!
However, my understanding is that since last summer, even this
explanation won't completely address the problem with the global site...
I consulted with a few people offlist before responding to this because
I didn't want to add to the confusion. It appears that our security
certificate for the global server has explicitly been revoked - see:
It appears that this may have taken place in conjunction with the
conflicts in the UK group.
So, even if you import the cacert certificate to your browser (following
the instructions below), you may still get a problem connecting to the
I'm not sure if this means that we can never again have a viable
certificate through cacert or whether we have to purchase one from the
racket that Jamie refers to?
Hope this is helpful,
On 3/4/12 10:03 AM, Petros Evdokas wrote:
> On 2/28/2012 10:05 PM, Garcon du Monde wrote:
>> the big dilemma i have been trying to face up to over the past few days
>> is what to do with the global website: it is lost, isolated, without
>> tech support. i (and a few others - i think unknowingly) have access to
>> the publish server, but as far as i know there has been no sysadmin to
>> really look after it or the primary mirror for greater than six
>> months. the site itself is broken - specifically, if you care about an
>> encrypted connection, as the certificate has not worked since all
>> indymedia certificates were revoked last year.
> Thank you GDM, for this update, and for reminding us of this dilemma.
> My experience has been that for many years people who visit indymedia
> pages write to me, or tell me in person, that "the website doesn't
> work". When I query, I find that it's always the issue of the certificates.
> Most people find the certificate notice that comes up to be an obstacle,
> because they don't know what to do with it. Most browsers have terrible
> and incomplete instructions on how to deal with one of those certificate
> notices, so people just give up and leave to surf elsewhere.
> I always feel embarrassed to explain that this certificate system is
> something we have "because of advice from our technicians", but I can't
> really explain how we arrived at this decision, and why we still persist
> on having it.
> Millions of websites on the internet work just fine without this
> certificate system. I would prefer that we lose whatever security or
> protection the certificate system provides, instead of continuing to
> lose and alienate our readers.
> Doing away with it entirely would simplify our website and would make it
> more accessible to more people.
> www-features mailing list
> www-features at lists.indymedia.org
More information about the imc-tech