| From: | Jimmy Kaplowitz <jimmy(at)spi-inc(dot)org> |
|---|---|
| To: | TJ <spi-inc(at)iam(dot)tj> |
| Cc: | spi-general(at)lists(dot)spi-inc(dot)org |
| Subject: | Re: www.spi-inc.org uses an invalid security certificate |
| Date: | 2014-02-27 23:32:46 |
| Message-ID: | 20140227233246.GM32074@kaplowitz.org |
| Views: | Raw Message | Whole Thread | Download mbox |
| Thread: | |
| Lists: | spi-general |
On Thu, Feb 27, 2014 at 08:48:35PM +0000, TJ wrote:
> If that is the intent then the URL I accessed should *not* be served over HTTPS at all.
[...]
> Not having heard of SPI previously I wanted to verify the organisation's
> authenticity. Finding what seemed like an amateurish fault on the SPI host
> certificate too, my willingness to trust the CA was greatly diminished.
It's a valid point that the user experience might be clearer if both URLs were
separated to be served from different IPs, or the certificate updated to
include spi-inc.org & www.spi-inc.org and either HTTPS serving enabled or a
redirect to HTTP installed. I'll make sure our sysadmins notice this thread.
That said, from a technical perspective, the browser certificate warning occurs
before the server even knows which URL you're trying to access. I realize that
this is not obvious, and this perception issue is why the most high-profile
sites do one of the workarounds described above.
- Jimmy Kaplowitz
jimmy(at)spi-inc(dot)org
| From | Date | Subject | |
|---|---|---|---|
| Next Message | TJ | 2014-02-27 23:46:32 | Re: www.spi-inc.org uses an invalid security certificate |
| Previous Message | TJ | 2014-02-27 20:48:35 | Re: www.spi-inc.org uses an invalid security certificate |