Re: Community accounts and SSL
From | Magnus Hagander |
---|---|
Subject | Re: Community accounts and SSL |
Date | |
Msg-id | 1205359228.5803.18.camel@mha-laptop.clients.sollentuna.se |
In response to | Re: Community accounts and SSL ("Joshua D. Drake" <jd@commandprompt.com>) |
Responses | Re: Community accounts and SSL |
List | pgsql-www |
On Wed, 2008-03-12 at 14:33 -0700, Joshua D. Drake wrote:
> On Wed, 12 Mar 2008 17:25:11 -0400
> Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> > "Joshua D. Drake" <jd@commandprompt.com> writes:
> > > That is certainly one way, but do we really need that? Isn't a self
> > > signed cert good enough?
> >
> > Self-signed certs on a public-facing website scream of amateurism.
> > Every time someone visits the site, their browser will complain
> > about it, and quite rightly.
>
> Well that isn't true. It asks once and that's it. I will admit
> though that FF3 certainly makes it abundantly clear that it doesn't like
> it that first time. As far as the amateurism, opinions vary :).

It does not. If you click the proper button in your browser, it doesn't even let you in. If you click the second-least-improper one, it will complain every time. Only if you pick the one option you're really not supposed to pick, does it only complain once. I dunno about other browsers, but in Firefox the "bitch again next session" is the default, and in modern IE versions, not letting you in at all is the default.

Using a self-signed certificate is only secure if you somehow distribute the self-signed certificate to all clients by a different, secure, path.

> > If you wanna do this, you need to pony up some cash to Verisign or
> > one of the other recognized CAs.
>
> Well like I said, we can do that. If that is the way the community
> wants to go. A 5 year wildcard cert which could be used across all
> subdomains is about 500.00.

Wildcard cert might be an option. I don't recall which browsers they are supported in these days. It's also a potential security issue - we can't use them on something like a shared host somewhere. Perhaps one, or when we get more requirements a couple, of regular certificates is a better way to go?

The free option is to use CACert. It's not included by default in any browser (I think - maybe some really new one has it), but it does have an actual statement of trust along with it.

//Magnus