
List:       apache-httpd-dev
Subject:    Re: Please support/enable https by default in the Apache web server.
From:       Joe Schaefer <joe () sunstarsys ! com>
Date:       2023-09-30 15:59:30
Message-ID: CAFQGv+Z1Kq3ZTJgoq2Gn61z8hUF91dzD1K9hsT-i=0Rv03T-wA () mail ! gmail ! com

It is insane to ask this project to cater to the interests of 10 people who
are so PKI-illiterate that the PMC needs to put the rest of the user base at
risk just to accommodate them.

Certs require mandatory user-serviceable parts. There is no meaningful way
to provide a default.

Thanks.

On Sat, Sep 30, 2023 at 10:45 AM General Email <
general.email.12341234@gmail.com> wrote:

>
>
> On Sat, 30 Sep, 2023, 8:00 pm Emmanuel Dreyfus, <manu@netbsd.org> wrote:
>
>> On Sat, Sep 30, 2023 at 07:40:34PM +0530, General Email wrote:
>> > By the way, I don't understand how the default certificate can be
>> abused.
>>
>> It is not signed by a trusted CA, hence your browser cannot tell if it
>> is speaking to your legitimate web server, or to some malware lurking
>> in between. Perhaps your web traffic is not worth being eavesdropped, but
>> consider that malware could inject an exploit against your browser in your
>> web traffic. The attacker could just be an infected machine on the same
>> LAN.
>>
>> The security level of an untrusted certificate is not much better than
>> plain text HTTP.
>>
>
>
> Yes, I understand this.
>
> We will not be using the default untrusted certificate when we go live.
>
> But during development, if 10 people are working on the development of one
> website and each of them has their own apache http installation, then we
> have to generate 10 certificates and do a few changes or more than a few
> changes to get https enabled on each of the 10 installations.
>
> Having a default certificate (not signed by a trusted CA) in the official http
> server will make enabling https on each installation much easier and we
> won't have to generate 10 certificates, etc.
>
> Regards,
> GE
>
>
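The thread's two points, that an untrusted certificate gives a browser no way to distinguish the real server from a machine in the middle, and that a team with ten developer installs does not want ten hand-made certificates, are both addressed by a small team-local CA rather than a certificate shipped in the server. The script below is an added example written for this archive page; it is not code from the thread or from the Apache httpd project. All names (the CA subject, `devN.example.test` hosts, the working directory) are constructed placeholders, and the `openssl` invocations rely only on the standard `req`, `x509` and `verify` subcommands.

```shell
#!/bin/sh
# Added example (not from the thread): a tiny local development CA so that each
# developer's Apache install gets a certificate browsers can actually verify,
# and a check showing why a standalone "default" self-signed cert cannot be.
# All names below are constructed for this illustration.

set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a private CA used only on the team's machines. Its public cert is what
# each developer imports into their browser/OS trust store exactly once.
make_dev_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Team Dev CA (constructed)" \
        -keyout "$WORK/dev-ca.key" -out "$WORK/dev-ca.crt" >/dev/null 2>&1
}

# Issue one certificate per developer host, signed by the dev CA, with the
# hostname in subjectAltName so modern browsers accept it.
issue_host_cert() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/dev-ca.crt" \
        -CAkey "$WORK/dev-ca.key" -CAcreateserial -days 90 -sha256 \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" >/dev/null 2>&1
}

# A standalone self-signed cert, i.e. what a "default certificate" shipped with
# the server would look like: nothing in any trust store vouches for it.
make_self_signed() {
    host="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
        -subj "/CN=$host" \
        -keyout "$WORK/$host.selfsigned.key" \
        -out "$WORK/$host.selfsigned.crt" >/dev/null 2>&1
}

# Returns 0 if the cert chains to the dev CA, non-zero otherwise. This is the
# same path-validation decision a browser makes against its trust store.
verify_against_dev_ca() {
    openssl verify -CAfile "$WORK/dev-ca.crt" "$1" >/dev/null 2>&1
}

# Apache vhost fragment for one developer install (paths are illustrative;
# the directives are standard mod_ssl ones).
print_vhost() {
    host="$1"
    cat <<EOF
<VirtualHost *:443>
    ServerName $host
    SSLEngine on
    SSLCertificateFile    $WORK/$host.crt
    SSLCertificateKeyFile $WORK/$host.key
</VirtualHost>
EOF
}

make_dev_ca
for i in 1 2 3; do issue_host_cert "dev$i.example.test"; done
make_self_signed "dev1.example.test"
```

Running the script once per team produces a CA certificate to import into each developer's trust store and a signed certificate plus vhost fragment per install; `verify_against_dev_ca` succeeds for the CA-issued certificates and fails for the self-signed one, which is the difference the thread is arguing about.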
