> These are 2 different issues and HTTP redirection is optional. Something being optional does not prevent it from having net negative effect.
> Renewing certificates is much easier with LetsEncrypt. All subdomains of > suckless are known. There are too many subdomains though imho. Nobody can remember all the subdomains, and each has to be renewed manually. That makes it too much work, and I guess if it wasn't too much work garbeam could have just done it himself, so that people depending on the security promised by your silly certs only have to trust the integrity and competence of one person. I don't think the subdomains or it's number should be changed, anything like this is just gonna break links anywhere else. The net negative effect on the community is not worth it and the suckless/dwm/wmii community has already suffered enough negative reputation from shit like this. > Wildcard implementations can be a security risk since they are more > complicated. > An example was a wildcard certificate that is NUL terminated and some CA's > and > browsers accepted a wildcard for ALL domains (in a nutshell). Browsers and SSL implementations were always broken, that doesn't make wildcards automatically bad. The NULL issue was bad enough without the wildcard problem. The real problem here is just kindergarten programming, and your argument reminds me of the usual boring goto is bad, type safety, training wheels rhetoric. If you were consistent in any way you'd just tell us not to use SSL, there are soooo many deep flaws in the stupid libraries, it's completely hopeless. > Though LetsEncrypt announced it will likely support wildcard domains in > Januari 2018. > https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html That's great. Meanwhile everybody will have to delete their subdomains, use paid-for certs or waste their time creating temporary technical solutions for automatic handling of the subdomains that are not supported by the incompetent letsencrypt people when they would be needed by potential users like you guys... >> Instead of having to trust garbeam I now have to trust third persons >> (i can't even count them), because it's too much work for garbeam to >> just make a certificate that my browser will think is ok. >> > > That's bullshit, the difference is the certificate is signed by a CA. It's > up > to you to decide to trust and use it anyway. > I trust the CA (even the incompetent letsencrypt people) more than some random mailing list user that garbeam decided to trust. At least I understand the general process of an inefficient useless company that letsencrypt is, and I know they can't efficiently harm me and all their other users in the same way suckless user will for sure do, and has done in the past (i don't mean compromises of security, but in effect making web sites completely inaccessible by their small communities). Most people that you're trying to help stay secure probably know garbeam and the others *even less* than me, so if they have to suddenly start trusting so many more random people to get any small security advantage, what should make them bother in the first place? Are you not just again completely relying on the browser distributors to decide what is right and important for the users instead of taking things in your own hands and making a difference as suckless in the webshit world? To me any engagement in this stuff is not just passive acceptance, it's active increase of suck. >> That's why I wonder why you have put all this effort to begin with. >> Who are you trying to protect who isn't already gonna use the Ubuntu >> pgp-signed packages? > > The Ubuntu package maintainers have to fetch the sources in a trusted way. > I > agree this is not solved with HTTPS. > That's why the sources could be PGP signed aswell (just an idea atm). Can they not just use the ssh access then? You could allow them to verify your ssh public key in a multitude of ways that are more secure than using ssl and honest achmed CAs. >> The people who manage to write code and compile >> it and contribute back who already have the sshd public key trusted in >> their .ssh folder? >> > > Yes, but thats the minority unfortunately. > > As usual you're not offering any solutions. But you were more constructive > than > usual. Are you feeling well, hiro? It's just that there's more stupid shit done here lately, so it overlaps with my ranting realms.
