On Thu, Feb 27, 2014 at 08:48:35PM +0000, TJ wrote:
> If that is the intent then the URL I accessed should *not* be served over 
> HTTPS at all.
[...]
> Not having heard of SPI previously I wanted to verify the organisation's
> authenticity. Finding what seemed like an amateurish fault on the SPI host
> certificate too, my willingness to trust the CA was greatly diminished.

It's a valid point that the user experience might be clearer if both URLs were
separated to be served from different IPs, or the certificate updated to
include spi-inc.org & www.spi-inc.org and either HTTPS serving enabled or a
redirect to HTTP installed. I'll make sure our sysadmins notice this thread.

That said, from a technical perspective, the browser certificate warning occurs
before the server even knows which URL you're trying to access. I realize that
this is not obvious, and this perception issue is why the most high-profile
sites do one of the workarounds described above.

- Jimmy Kaplowitz
ji...@spi-inc.org
_______________________________________________
Spi-general mailing list
Spi-general@lists.spi-inc.org
http://lists.spi-inc.org/listinfo/spi-general
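
The hostname check behind the browser warning discussed above can be run by a sysadmin against every name served from one HTTPS address. This is an added example, not part of the original message. The certificate contents are constructed, the function names are hypothetical, and the dict follows the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example: list the hostnames a certificate does NOT cover.
# The client runs this comparison during the TLS handshake, before it
# sends any HTTP request, so an uncovered name always produces a warning.

def san_matches(pattern: str, host: str) -> bool:
    """Compare one DNS subjectAltName entry with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Wildcard is honoured only as the whole leftmost label,
        # with at least two fixed labels after it.
        return len(p) >= 3 and bool(h[0]) and p[1:] == h[1:]
    return p == h


def dns_sans(cert: dict) -> list:
    """Extract the DNS entries from a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def uncovered(cert: dict, hostnames: list) -> list:
    """Return the hostnames that no DNS SAN entry in the certificate matches."""
    sans = dns_sans(cert)
    return [name for name in hostnames if not any(san_matches(s, name) for s in sans)]


# Constructed sample certificate: these names are placeholders, not SPI's real ones.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "members.example.org"), ("DNS", "*.example.net")),
}

if __name__ == "__main__":
    # Every name that resolves to the address serving this certificate.
    served = ["members.example.org", "lists.example.net",
              "spi-inc.org", "www.spi-inc.org"]
    for name in uncovered(SAMPLE_CERT, served):
        print(f"{name}: not in certificate, HTTPS clients will warn")
```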
