Opened 13 years ago

Closed 9 years ago

Last modified 8 years ago

#275 closed enhancement (fixed)

get a https cert for osm

Reported by: steve@… Owned by: Grant Slater
Priority: major Milestone:
Component: website Version:
Keywords: Cc: StefanB, John Smith

Description

from cacert?

Change History (13)

comment:1 Changed 12 years ago by Knut Arne Bjørndal

A certificate from CAcert is easily gotten, though if you want it to expire in 24 months instead of only 6 the person managing the certificate needs to be assured with quite a few points (requires finding at least a couple of assurers or trusted third parties).

I'm fully assured by CAcert, so I can either help assure somebody, or, if you want, I could make the certificate.

As of yet the CA cert is not imported in too many browsers by default, but the number of people having it preinstalled is growing (and openstreetmap would help that as well :)

comment:2 Changed 10 years ago by gerv-openstreetmap@…

Which OSM site do you think needs a cert? What would be the benefits of having it?

If you are to get one, you can get one which is also free but which doesn't cause errors in Firefox from http://www.startssl.com/ (so same price, but better compatibility), or a very cheap one which doesn't cause errors in any major browser from somewhere like http://www.godaddy.com/ (non-zero price, but excellent compatibility).

Gerv

comment:3 in reply to:  2 Changed 10 years ago by Knut Arne Bjørndal

Replying to gerv-openstreetmap@gerv.net:

> Which OSM site do you think needs a cert? What would be the benefits of having it?

OSM currently transfers login details and other private content unencrypted over the internet, which is clearly not a good thing.

> If you are to get one, you can get one which is also free but which doesn't cause errors in Firefox from http://www.startssl.com/ (so same price, but better compatibility), or a very cheap one which doesn't cause errors in any major browser from somewhere like http://www.godaddy.com/ (non-zero price, but excellent compatibility).

The free startssl certs seem to have some major limitations, like only one hostname per cert (and I'm fairly sure many OSM systems currently share IP addresses).

Also I think OSM should use and support cacert, they are freeing the SSL cert market in much the same way we are freeing the geodata market.

comment:4 Changed 10 years ago by StefanB

Well, it would be nice to provide the SSL alternative to security concerned people.

I'm also a CACert assurer because I believe in the idea of freeing the SSL market as much as freeing the geodata market. I'm using a CACert certificate to provide SSL for several hostnames on the same IP.

IMO it's within OSM's principles to go for this (or other free) option rather than to pay the verisign (or whatever) tax.

comment:5 Changed 10 years ago by StefanB

Cc: StefanB added

comment:6 Changed 10 years ago by John Smith

Cc: John Smith added

I was coding up a script the other day to batch upload GPX files and I was very surprised the only protection for the username and password was base64 encoding, which isn't protection at all since you can simply base64 decode the string.

For custom API scripts it won't matter which CA you use, since you can match explicitly or import the root cert or whatever is needed, but something is needed because anyone with access to the upstream routers for OSM can sniff all the passwords and usernames they would ever need.

I can only assume the majority of passwords would be commonly shared with other sites, while nothing can or should be done about that, protecting people while using OSM services would be a very good idea imho.
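As an added example (not code from the ticket or from OSM), assuming a hypothetical upload endpoint URL and a hypothetical path to an imported root certificate: a Python helper showing how trivially a Basic auth header decodes, and how a custom upload script can instead require HTTPS with full certificate verification, trusting a non-default root (such as CAcert's) without turning verification off.

```python
import base64
import ssl
from typing import Optional, Tuple
from urllib.parse import urlsplit
from urllib.request import Request

# Assumed values: a hypothetical upload endpoint and a hypothetical path to
# an imported root certificate (e.g. the CAcert root); neither is from the ticket.
API_URL = "https://api.example.invalid/api/0.6/gpx/create"
CA_BUNDLE = "/etc/ssl/certs/cacert-root.pem"


def decode_basic(header: str) -> Tuple[str, str]:
    """A Basic header carries the credentials in reversible base64, so anyone
    who can read the request recovers them with a single decode."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def credentials_allowed(url: str) -> bool:
    """Credentials may only travel over HTTPS; plain HTTP exposes them to
    anyone on the path (the upstream-router case described in the ticket)."""
    return urlsplit(url).scheme == "https"


def tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """A verifying TLS context. Passing cafile lets a script trust a root that
    the OS store does not ship (such as CAcert's) instead of disabling checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True            # the certificate must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED  # and chain to a trusted root
    return ctx


def build_upload_request(url: str, user: str, password: str, gpx: bytes) -> Request:
    """Build a GPX upload request, refusing to attach credentials to HTTP."""
    if not credentials_allowed(url):
        raise ValueError("refusing to send credentials over plaintext HTTP")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    req = Request(url, data=gpx, method="POST")
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/gpx+xml")
    return req


if __name__ == "__main__":
    req = build_upload_request(API_URL, "alice", "s3cret", b"<gpx/>")
    print(decode_basic(req.get_header("Authorization")))  # ('alice', 's3cret')
```

To actually send, pass `tls_context(CA_BUNDLE)` as the `context` argument of `urllib.request.urlopen`, which rejects any server whose chain does not end at a trusted root or whose certificate does not match the hostname.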

comment:7 Changed 10 years ago by John Smith

Ticket #106 asks for password encryption, but using SSL would be simpler, and resolving this bug one way or another would also effectively resolve #106

comment:8 Changed 10 years ago by StefanB

It recently came to my attention that GoDaddy is offering free (as in beer) 1 year SSL certificates to opensource projects. Not sure if it means that after expiration next certificates are also free or not.

https://www.godaddy.com/gdshop/ssl/ssl_opensource.asp

comment:9 Changed 10 years ago by StefanB

Also Trans-European Research and Education Networking Association is offering server certificates (issued by Comodo) to its members.

See: https://www.terena.org/activities/tcs/ http://www.terena.org/activities/scs/participants.html (It might be a bit more paperwork)

comment:10 in reply to:  9 Changed 10 years ago by mnalis-openstreetmap@…

Replying to StefanB:

> Also Trans-European Research and Education Networking Association is offering server certificates (issued by Comodo) to its members.

Unless one is an official member of some NREN (National Research and Education Network), which openstreetmap (it looks to me) isn't, you won't be able to get those TERENA certificates.

But I think choosing the issuer of certificate is minor issue - hey, I myself will buy a certificate or two for OSM if project needs them and godaddy won't give them for free - just let me know.

There are few more important issues (like, requiring time and effort and not just few bucks):

1) the openstreetmap will have to change (and document) all login vectors needed (main website HTTP login redirects, API login changes, wiki...)

2) the editing software will need to support new (HTTPS) APIs made in step 1. Or perhaps they could be better solved by implementing OAuth instead? No sense in having them change authentication mechanism twice.

3) the SSL will put some additional CPU load on servers terminating the SSL (normally the machines running web servers themselves; but there are configurations with front-end proxies which terminate SSL themselves, reducing load on web servers). To minimize impact of that additional CPU load (if that is needed; it might not be), only the authorization part should be going over SSL, so the protocol in step 1 should be made in such a way.

comment:11 Changed 10 years ago by Grant Slater

Owner: changed from steve@… to Grant Slater
Priority: critical → major

comment:12 Changed 9 years ago by Grant Slater

Resolution: fixed
Status: new → closed

Certificate has been purchased and is undergoing testing.

comment:13 in reply to:  description Changed 8 years ago by emka

https://forum.openstreetmap.org/ is still using a self-signed certificate. Could it be changed to the new certificate?
