[IMC-Tech] [www-features] about the certificates / Re: [Imc-communication] Resigning from tech work

Amy L. Dalton ald at riseup.net
Wed Mar 7 00:59:17 PST 2012


Hi Everyone,

I wanted to reply to Petros's last note about security certificates, 
copied below and archived here:
http://lists.indymedia.org/pipermail/www-features/2012-March/0304-ry.html

I am not an expert but I think Petros might be misunderstanding the need 
for / nature of certificates. My understanding is it's not an optional
thing, we have to have some sort of security certificate enabled if we 
want to have any https traffic.

Below I am copying a general explanation that Jamie from 
MayfirstPeopleLink wrote a while back to help me and the NYC group
understand certificates and why they work the way they do. It's based on
an MFPL wiki page
(https://support.mayfirst.org/wiki/what_is_an_ssl_certificate), and he
adapted it to Indymedia. I'm forwarding it with his permission. Maybe
something like this could be posted somewhere in a way that allows us to 
refer the sort of confused and frustrated people that Petros is 
interacting with to it.

----- START Explanation from Jamie, MFPL -----

Security is a two-way street. When I go to a web site I have to prove to 
the web site that it's really me before the web site gives me access to 
anything private or restricted (such as access to my email). The most 
common way that is done is via a login in which I provide a username and 
a password. Because I supply the correct password, the server knows it 
really is me, because I'm the only one who knows my password.

But how do I know that the server I'm going to really is the server I 
want to go to? Just because I type https://docs.indymedia.org/ into my 
browser, doesn't mean that the server really is the Indymedia server 
that I think it is. Any number of things can happen via the Internet 
between my computer and the server I'm connecting to that might fool my 
computer into thinking I'm connecting to docs.indymedia.org when in fact 
I'm connecting to someone else's server specifically set up to look like
the Indymedia server. If that were to happen, I might type in my 
username and password on this stranger's server that is acting like 
docs.indymedia.org, essentially handing over my identity to a stranger.

The purpose of security certificates is to ensure that the site I'm 
connecting to really is the one run by Indymedia.

Unfortunately, the technology for setting up this system is 
fundamentally flawed.

It works like this:

  * most major browsers, even free/open source ones like Firefox, are
pre-configured to trust a pre-defined set of for-profit corporations to 
verify the identity of all web sites on the Internet.

  * web site maintainers are expected to pay $75 or so to these 
corporations in exchange for a digital certificate verifying that we are 
who we say we are.

  * once this digital certificate is installed on the web server, 
browsers will access the secure web site without any errors.

If you don't pay $75 for the certificate, then most people will get a 
security error.

There's a word for a setup like this. It's called a "racket."

Rather than play this racket, Indymedia uses cacert.org to sign its
security certificates. cacert is a nonprofit organization that signs 
certificates for free.

cacert is not pre-installed on most browsers; however, you can install
it by following the directions here:

http://wiki.cacert.org/BrowserClients

If you install the cacert certificate, your browser will automatically 
trust all indymedia web sites that have been signed by cacert, so you 
will no longer get any error messages when you access them.

However, in addition, your browser will trust *all* web sites signed by 
cacert (which could be a good thing or a bad thing depending on how 
cautious you are).

----- END Explanation -----

So, this addresses the "problem" that many of us experienced for many 
years. It's actually a nice opportunity for political education!

However, my understanding is that since last summer, even this 
explanation won't completely address the problem with the global site... 
I consulted with a few people offlist before responding to this because 
I didn't want to add to the confusion. It appears that our security 
certificate for the global server has explicitly been revoked - see:
https://lists.indymedia.org/pipermail/imc-tech/2011-June/0602-g4.html

It appears that this may have taken place in conjunction with the 
conflicts in the UK group.

So, even if you import the cacert certificate to your browser (following 
the instructions below), you may still get a problem connecting to the 
site.

I'm not sure if this means that we can never again have a viable 
certificate through cacert or whether we have to purchase one from the 
racket that Jamie refers to?

Hope this is helpful,
Amy

On 3/4/12 10:03 AM, Petros Evdokas wrote:
> On 2/28/2012 10:05 PM, Garcon du Monde wrote:
>
>> the big dilemma i have been trying to face up to over the past few days
>> is what to do with the global website: it is lost, isolated, without
>> tech support. i (and a few others - i think unknowingly) have access to
>> the publish server, but as far as i know there has been no sysadmin to
>> really look after it or the primary mirror for greater than six
>> months. the site itself is broken - specifically, if you care about an
>> encrypted connection, as the certificate has not worked since all
>> indymedia certificates were revoked last year.
>
>
>
> Thank you GDM, for this update, and for reminding us of this dilemma.
>
> My experience has been that for many years people who visit indymedia
> pages write to me, or tell me in person, that "the website doesn't
> work". When I query, I find that it's always the issue of the certificates.
>
> Most people find the certificate notice that comes up to be an obstacle,
> because they don't know what to do with it. Most browsers have terrible
> and incomplete instructions on how to deal with one of those certificate
> notices, so people just give up and leave to surf elsewhere.
>
> I always feel embarrassed to explain that this certificate system is
> something we have "because of advice from our technicians", but I can't
> really explain how we arrived at this decision, and why we still persist
> on having it.
>
> Millions of websites on the internet work just fine without this
> certificate system. I would prefer that we lose whatever security or
> protection the certificate system provides, instead of continuing to
> lose and alienate our readers.
>
> Doing away with it entirely would simplify our website and would make it
> more accessible to more people.
>
> Thanks,
> Petros
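
The trust and revocation behaviour described in this message can be reproduced offline with the `openssl` command line. This is an added example, not part of the original post or of any Indymedia or MFPL tooling; the throwaway CA, the host name docs.example.org and all file names are constructed for the demonstration.

```sh
# Added illustration: a throwaway CA stands in for a root that clients do not
# ship with (CAcert's position above). Every name and file here is constructed.
WORK=$(mktemp -d)
build_pki() {
  cd "$WORK" || return 1
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
EOF
  : > index.txt; echo 01 > serial; echo 01 > crlnumber   # empty CA database
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Community CA" -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=docs.example.org" -keyout srv.key -out srv.csr 2>/dev/null
  openssl ca -batch -config ca.cnf -in srv.csr -out srv.pem 2>/dev/null
}
revoke_and_publish_crl() {   # the CA revokes the server cert and issues a CRL
  cd "$WORK" || return 1
  openssl ca -config ca.cnf -revoke srv.pem 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
# Each check prints "ok" or "fail" for the server certificate.
verify_srv() { openssl verify "$@" "$WORK/srv.pem" >/dev/null 2>&1 && echo ok || echo fail; }
check_default_store() { verify_srv; }                         # root not imported
check_with_root()     { verify_srv -CAfile "$WORK/ca.pem"; }  # root imported
check_with_crl()      { verify_srv -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl.pem"; }

build_pki && echo "default=$(check_default_store) root=$(check_with_root)"
revoke_and_publish_crl && echo "revoked: root=$(check_with_root) crl=$(check_with_crl)"
```

After revocation the certificate still verifies against the imported root unless the client is also told to consult the CRL, which is why only the `-crl_check` run fails.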