Please rebuild all ports that depend on PNG
David Wood
david at wood2.org.uk
Sat Jun 2 21:08:11 UTC 2012
Dear all,
In message <20120602140703.004264ea at scorpio>, Jerry
<jerry at seibercom.net> writes
>IMHO, if you are going to use "https" then you should have a proper SSL
>certificate. A self-signed one means virtually nothing. If the web site
>operator is not going to purchase an authentic certificate then why use
>SSL at all? Just my 2¢ on the matter.
I'm in agreement with Jerry - unless you're going to use a PKI
certificate, there's really no point in using SSL. With the default
security settings in Firefox, using a web site whose certificate does
not chain to a trusted root involves jumping through several hoops. This
reflects that SSL is about more than end-to-end encryption.
StartSSL - https://www.startssl.com - offers DV certificates with 1 year
validity free of charge so long as you supply some basic identity
details and have the necessary control over the domain in which you want
a server certificate issued. These are not trial certificates and don't
involve a load of marketing - it is a regular product for StartSSL with a
zero price tag.
For a relatively small fee, which pays for the cost of some basic
identity checking, you can issue as many IV certificates with 2 year
validity as you want for a 350 day period on domains and e-mail
addresses that you control. This option allows multiple DNS names in one
server certificate, wildcard server certificates and code signing
certificates (albeit encumbered with an OID that means the signatures on
Microsoft operating systems expire at the same time as the certificate,
even if the signature is timestamped).
The StartSSL root is in most major root bundles.
I have no connection with StartSSL, StartCom or Eddy Nigg other than as
a satisfied customer.
Of course, as Kevin Oberman notes, the public PKI is not perfect. A DV
(Domain Validated) certificate merely says that at one moment in time,
you had access to a 'privileged' e-mail address (postmaster@, webmaster@
or hostmaster@) - nothing more. Still, as it costs nothing to get a
certificate chained to a trusted root with about five minutes of
effort, I see no reason not to do so. At this price, it is affordable to
use 'real' certificates for test sites on throw-away subdomains.
With best wishes to you all,
David
--
David Wood
david at wood2.org.uk