This repository has been archived by the owner on Jul 24, 2021. It is now read-only.

get a https cert for osm #275

Closed
openstreetmap-trac opened this issue Jul 23, 2021 · 11 comments

Comments

@openstreetmap-trac

Reporter: steve[at]fractalus.com
[Submitted to the original trac issue database at 11.23am, Tuesday, 31st October 2006]

from cacert?


Author: bob[at]cakebox.net
[Added to the original trac issue at 4.54pm, Monday, 23rd April 2007]

A certificate from CAcert is easily gotten, though if you want it to expire in 24 months instead of only 6 the person managing the certificate needs to be assured with quite a few points (requires finding at least a couple of assurers or trusted third parties).

I'm fully assured by CAcert, so I can either help assure somebody, or, if you want, I could make the certificate.

As of yet the CA cert is not imported in too many browsers by default, but the number of people having it preinstalled is growing (and openstreetmap would help that as well :)


Author: gerv-openstreetmap[at]gerv.net
[Added to the original trac issue at 11.44pm, Monday, 26th January 2009]

Which OSM site do you think needs a cert? What would be the benefits of having it?

If you are to get one, you can get one which is also free but which doesn't cause errors in Firefox from http://www.startssl.com/ (so same price, but better compatibility), or a very cheap one which doesn't cause errors in any major browser from somewhere like http://www.godaddy.com/ (non-zero price, but excellent compatibility).

Gerv


Author: bob[at]cakebox.net
[Added to the original trac issue at 11.59pm, Monday, 26th January 2009]

Replying to [comment:2 gerv-openstreetmap[at]gerv.net]:

> Which OSM site do you think needs a cert? What would be the benefits of having it?

OSM currently transfers login details and other private content unencrypted over the internet, which is clearly not a good thing.

> If you are to get one, you can get one which is also free but which doesn't cause errors in Firefox from http://www.startssl.com/ (so same price, but better compatibility), or a very cheap one which doesn't cause errors in any major browser from somewhere like http://www.godaddy.com/ (non-zero price, but excellent compatibility).

The free startssl certs seem to have some major limitations, like only one hostname per cert (and I'm fairly sure many OSM systems currently share IP addresses).

Also I think OSM should use and support cacert, they are freeing the SSL cert market in much the same way we are freeing the geodata market.


Author: StefanB
[Added to the original trac issue at 8.18am, Saturday, 13th June 2009]

Well, it would be nice to provide the SSL alternative to security concerned people.

I'm also a CACert assurer because I believe in the idea of freeing the SSL market as much as freeing the geodata market. I'm using a CACert certificate to provide SSL for several hostnames on the same IP.

IMO it's within OSM's principles to go for this (or another free) option rather than pay the verisign (or whatever) tax.


Author: delta_foxtrot2
[Added to the original trac issue at 9.07am, Sunday, 21st June 2009]

I was coding up a script the other day to batch upload GPX files and I was very surprised the only protection for the username and password was base64 encoding, which isn't protection at all since you can simply base64 decode the string.

For custom API scripts it won't matter which CA you use, since you can match explicitly or import the root cert or whatever is needed, but something is needed because anyone with access to the upstream routers for OSM can sniff all the passwords and usernames they would ever need.

I can only assume the majority of passwords are commonly shared with other sites; while nothing can or should be done about that, protecting people while they use OSM services would be a very good idea imho.
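As an added illustration of the exposure described in the comment above (editor's example, not code from the ticket or from OSM), the script below walks a plaintext capture of OSM API requests and recovers every Basic credential in it. The capture text is constructed for this example: `api.openstreetmap.org` is the real API host, but the user names and passwords are invented. Two details a sniffer has to get right are shown: the header name and the `Basic` scheme are case-insensitive, and a password may itself contain `:`, so the decoded string is split on the first colon only.

```python
import base64
import binascii
import re

# Constructed sample capture (not real traffic): three HTTP/1.1 requests as they
# would cross the wire when an OSM API client authenticates with Basic auth over
# plain HTTP. The credentials are invented; only the host name is real.
CAPTURE = (
    "POST /api/0.6/gpx/create HTTP/1.1\r\n"
    "Host: api.openstreetmap.org\r\n"
    "User-Agent: gpx-batch-upload/0.1\r\n"
    "Authorization: Basic bWFwcGVyOmh1bnRlcjI=\r\n"
    "Content-Type: multipart/form-data; boundary=gpx\r\n"
    "\r\n"
    "--gpx\r\n"
    "Content-Disposition: form-data; name=\"description\"\r\n"
    "\r\n"
    "Sunday ride\r\n"
    "--gpx--\r\n"
    "GET /api/0.6/user/details HTTP/1.1\r\n"
    "Host: api.openstreetmap.org\r\n"
    "authorization: basic b3NtYm90OnBhOnNz\r\n"
    "\r\n"
    "GET /api/0.6/capabilities HTTP/1.1\r\n"
    "Host: api.openstreetmap.org\r\n"
    "Authorization: Basic %%%not-base64%%%\r\n"
    "\r\n"
)

# Header name and auth scheme are case-insensitive (RFC 7235); scan line by line.
_BASIC_RE = re.compile(
    r"^authorization:\s*basic\s+(\S+)\s*$", re.IGNORECASE | re.MULTILINE
)


def decode_basic(token):
    """Decode one Basic token into (user, password), or None if it is malformed.

    base64 is an encoding, not encryption: anyone holding the bytes gets the
    cleartext back. The user name cannot contain ':' but the password can,
    so only the first ':' separates the two.
    """
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def recover_credentials(capture):
    """Return every distinct (user, password) pair sent as Basic auth in a plaintext capture."""
    found = []
    for match in _BASIC_RE.finditer(capture):
        creds = decode_basic(match.group(1))
        if creds is not None and creds not in found:
            found.append(creds)
    return found


if __name__ == "__main__":
    for user, password in recover_credentials(CAPTURE):
        print(f"{user!r} -> {password!r}")
```

Run against the constructed capture, the script prints the two valid credential pairs and silently skips the malformed third header; the same logic applies unchanged to a real pcap's reassembled TCP payloads, which is the point the comment makes about upstream routers.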


Author: delta_foxtrot2
[Added to the original trac issue at 10.16am, Sunday, 21st June 2009]

Ticket #106 asks for password encryption, but using SSL would be simpler, and resolving this bug one way or another would also effectively resolve #106


Author: StefanB
[Added to the original trac issue at 12.35pm, Thursday, 24th September 2009]

It recently came to my attention that GoDaddy is offering free (as in beer) 1 year SSL certificates to opensource projects. Not sure if it means that after expiration next certificates are also free or not.

https://www.godaddy.com/gdshop/ssl/ssl_opensource.asp


Author: StefanB
[Added to the original trac issue at 11.37am, Thursday, 1st October 2009]

Also Trans-European Research and Education Networking Association is offering server certificates (issued by Comodo) to its members.

See:
https://www.terena.org/activities/tcs/
http://www.terena.org/activities/scs/participants.html
(It might be a bit more paperwork)


Author: mnalis-openstreetmap[at]voyager.hr
[Added to the original trac issue at 1.46pm, Thursday, 1st October 2009]

Replying to [comment:9 StefanB]:

> Also Trans-European Research and Education Networking Association is offering server certificates (issued by Comodo) to its members.

Unless one is an official member of some NREN (National Research and Education Network), which openstreetmap (it looks to me) isn't, you won't be able to get those TERENA certificates.

But I think choosing the issuer of certificate is minor issue - hey, I myself will buy a certificate or two for OSM if project needs them and godaddy won't give them for free - just let me know.

There are a few more important issues (like, requiring time and effort and not just a few bucks):

  1. the openstreetmap will have to change (and document) all login vectors needed (main website HTTP login redirects, API login changes, wiki...)

  2. the editing software will need to support new (HTTPS) APIs made in step 1. Or perhaps they could be better solved by implementing OAuth instead? No sense in having them change authentication mechanism twice.

  3. the SSL will put some additional CPU load on servers terminating the SSL (normally the machines running web servers themselves; but there are configurations with front-end proxies which terminate SSL themselves, reducing load on web servers). To minimize impact of that additional CPU load (if that is needed; it might not be), only the authorization part should be going over SSL, so the protocol in step 1 should be made in such a way.
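As an added example of what step 2 above means for a client script (editor's illustration, not OSM's own code or any editor's real implementation), the urllib-based client below sends Basic credentials only over HTTPS, loads an explicitly supplied CA bundle (the "import the root cert" case from the earlier comment, needed when the issuing CA is not in the OS trust store), and refuses to follow a redirect that would downgrade from https to http and replay the Authorization header in the clear. `api.openstreetmap.org` is the real API host; the `/api/0.6/user/details` path and the CA file argument are assumptions of this example.

```python
import base64
import ssl
import urllib.request
from typing import Optional
from urllib.parse import urlsplit

# Real API host; the endpoint path used below is assumed for this example.
API_BASE = "https://api.openstreetmap.org"


class InsecureTransport(Exception):
    """Credentials would be sent over an unencrypted connection."""


def basic_auth_header(user, password):
    """RFC 7617 Basic credential. base64 is only an encoding, so TLS is mandatory."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verifying TLS context.

    Pass cafile (assumed path, e.g. a CAcert root bundle) to trust a CA the
    system store does not ship; with None the OS default trust store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # server name must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED  # unverified certificates abort the handshake
    return ctx


def authorized_request(url, user, password):
    """Build a request carrying Basic credentials, refusing any non-https URL."""
    if urlsplit(url).scheme.lower() != "https":
        raise InsecureTransport(f"refusing to send credentials over {url}")
    req = urllib.request.Request(url)
    req.add_header("Authorization", basic_auth_header(user, password))
    return req


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follow redirects, but never from https to http: urllib copies the
    request headers, Authorization included, onto the redirected request."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if (urlsplit(req.full_url).scheme == "https"
                and urlsplit(newurl).scheme.lower() != "https"):
            raise InsecureTransport(f"redirect to {newurl} would downgrade to plaintext")
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_user_details(user, password, cafile=None, base=API_BASE):
    """Authenticated GET of the (assumed) user details endpoint over verified TLS."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=tls_context(cafile)),
        NoDowngradeRedirectHandler(),
    )
    req = authorized_request(f"{base}/api/0.6/user/details", user, password)
    with opener.open(req, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    # Network call; only run with real credentials and the CA bundle you trust.
    # print(fetch_user_details("mapper", "hunter2", cafile="/etc/ssl/certs/cacert-root.pem"))
    print(authorized_request(f"{API_BASE}/api/0.6/user/details", "mapper", "hunter2").full_url)
```

The refusal in `authorized_request` is the client-side half of step 1: once the server redirects plaintext logins to HTTPS, a client that will not emit credentials over http cannot leak them during the transition, and the redirect handler closes the reverse hole where a misconfigured server bounces an https request back to http.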


Author: openstreetmap[at]firefishy.com
[Added to the original trac issue at 4.58pm, Sunday, 14th February 2010]

Certificate has been purchased and is undergoing testing.


Author: emka
[Added to the original trac issue at 6.06pm, Friday, 22nd April 2011]

https://forum.openstreetmap.org/ is still using a self-signed certificate. Could it be changed to the new certificate?
