Outdated SSL Certificate for https://www.gnucash.org

Xavier Lagraula detunizedgravity at gmail.com
Fri Jun 17 02:32:48 EDT 2016


You're welcome.

As an ex-developer, I'm not a fan of PHP either... :) But I won't bother
you with that. It's a battle I have given up fighting.

As for end-to-end encryption, it is not only a matter of your privacy in
this case. You are dealing with the privacy of all your users, so in that
case it would seem reasonable to protect it if enough of them think it
necessary. Also, it is not only a matter of privacy. End-to-end encryption
is the best tool you have to protect your server and your users against
man-in-the-middle attacks. And finally, Internet protocols were designed
for end-to-end communications, for good reasons. Anything that can be done
to phase out all the damaging middlebox nonsense that we suffer from today
seems good to me.

Now, I am not sure that this list is a good place to debate about the
usefulness of worldwide end-to-end communications and encryption. I'd
rather we continue this conversation privately if that's OK with you.

Le ven. 17 juin 2016 00:46, John Ralls <jralls at ceridwen.us> a écrit :

>
> > On Jun 16, 2016, at 2:38 PM, Xavier Lagraula <detunizedgravity at gmail.com>
> wrote:
> >
> >
> >
> > Le jeu. 16 juin 2016 à 16:08, John Ralls <jralls at ceridwen.us> a écrit :
> >
> > > On Jun 16, 2016, at 1:47 AM, Xavier Lagraula <
> detunizedgravity at gmail.com> wrote:
> > >
> > > Hm. No. This is not what I meant. I am well aware of the arguments you
> are
> > > making here. My problem is not that I trust my browser more than my own
> > > judgment. My problem is that I know no practical and reasonable way to
> > > apply my judgement, and I must make do with what my browser will allow.
> > >
> > > To be precise I have tried with both the latest stable versions of FF
> and
> > > Edge, and neither allowed me to set an exception in the usual way.
> Maybe I
> > > could have lowered my security settings, but I question the relevance
> of
> > > such a choice. The fact that *I*, as an I.T. security consultant, may
> be
> > > able to find how to do it and live with the consequences, does not
> > > necessarily make it a reasonable course of action for everyone.
> >
> > Haven't tried this in Edge, but it definitely works in FF:
> > Click in the address bar. The URL will be expanded for editing. Move to
> the left end of the URL and change 'https:' to 'http:'. Press Enter.
> > No exception required, it opens the URL unencrypted and there is
> therefore no certificate check.
> >
> > The https link is embedded in an iframe, so one would first need to do
> something like "right click inside the iframe => this frame/open in a new
> tab => edit the URL".  I believe the iframe makes it too complicated a
> workaround for the average person, which is why I jumped into the
> discussion. I didn't say there was no solution. I said "there is no easy
> and practical solution for the average, non-I.T. person."
> >
> > Also, this will rapidly stop working once your sysadmin has had the
> good idea to implement HTTP Strict Transport Security. In that case, once
> the browser knows that HTTPS is available for www.gnucash.org, it
> will not allow HTTP anymore unless the user resets this HSTS configuration
> *between each click on a link*.
> >
> > I'll check again in a bit but I don't think that there are any internal
> https: links in www.gnucash.org. As I said earlier there's nothing there
> that needs encrypting. There is a bit of a problem with recently released
> editions of most browsers that default to using https, but it's not hard to
> override as I describe above.
> >
> >
> > www.gnucash.org => click on "download / documentation" in the left
> panel => view source =>
> > <iframe src="
> https://www.gnucash.org/docs/v2.6/C/gnucash-guide/index.html"
> style="border-width: 0px; width: 100%; min-width: 700px; height: 80em;">
> > It seems your browser doesn't support iframes. To view the requested
> page in a separate window, please <a href="
> https://www.gnucash.org/docs/v2.6/C/gnucash-guide/index.html"
> target="_new">click here</a>.</iframe>
> >
> > Obviously, if you don't need HTTPS at all, you could change the protocol
> to HTTP. I believe that, on the contrary, one should aim for systematic end
> to end encryption (that is, the whole site should use HTTPS and actively
> prevent the use of HTTP), but that is another topic entirely. I won't say
> anymore on this here.
> >
> > As for adding an exception in FF, click Advanced on the Warning page.
> That extends the box with details of why the certificate was rejected and
> includes an "Add an Exception" button on the bottom. Click that, a dialog
> box opens with a "Confirm Security Exception". Click that, done.
> >
> > As said before, you wouldn't have heard from me if it was that simple.
> When I wrote that my browser does not let me set an exception, I meant it:
> the "Add an exception" button does not exist in this case. I've known for
> some time that it happened in some cases, I just never took the time to
> learn why until now.
> >
> > OK, so here's the explanation. One may not set an exception when the
> offending link is in an iframe, to prevent attackers from tricking users
> into validating rogue certificates. Seems reasonable. This behaviour was
> implemented in FF in 2012 for example:
> >
> > https://bugzilla.mozilla.org/show_bug.cgi?id=756841#c6
> >
> > So, the actual workaround is to open the iframe into its own tab. Since
> the content is not embedded in an iframe in this case, the "Add an
> exception" button is shown, and one may add a permanent exception. Reload
> the original page and the error should disappear. Still a bit too
> complicated for the average Joe in my opinion, but it does work.
> >
> > As a side note, I've always thought that iframes are a pain, for the
> reasons found here:
> > https://en.wikipedia.org/wiki/Framing_(World_Wide_Web)#Criticism
>
>
> Thanks for the diagnosis. I've replaced that https link with http so it
> should work now. I'm not a fan of iframes either but I don't have time
> right now to redo the web page to use floating divs and php includes.
>
> I'm a bit less doctrinaire about end-to-end encryption for all web
> traffic. Most advocates promote it as a privacy protection, but IMO one can
> worry too much about that. I don't know about you, but I don't really worry
> too much about who might see me at the grocery store or who knows that I
> work on GnuCash.
>
> Regards.
> John Ralls
>
>
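An added example, not code from this thread or from the GnuCash project, showing how a site operator could catch the two conditions diagnosed above before visitors do: iframes that load an https document (where Firefox, per the bug linked in the thread, offers no "Add an Exception" control inside the frame) and a server certificate that is near or past its notAfter date. The page, the host name www.example.org, the certificate dictionary and the "current time" are all constructed for the example; the certificate dictionary follows the shape Python's `ssl.SSLSocket.getpeercert()` returns, and only its `notAfter` field is used.

```python
# Added example (not from the gnucash-user thread or GnuCash). Audits a page
# for https iframes and checks a certificate's notAfter date, offline.
import ssl
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: an http page embedding one https document,
# mirroring the layout described in the thread (host is a placeholder).
SAMPLE_HTML = """<html><body>
<p>docs</p>
<iframe src="https://www.example.org/docs/guide/index.html"
        style="border-width: 0px; width: 100%;">no iframe support</iframe>
<iframe src="http://www.example.org/other.html"></iframe>
<iframe src="/relative/page.html"></iframe>
<img src="https://www.example.org/logo.png">
</body></html>"""

# Constructed certificate fields, in the dict shape ssl.SSLSocket.getpeercert()
# returns; only notAfter is read here.
SAMPLE_CERT = {"subject": ((("commonName", "www.example.org"),),),
               "notAfter": "Jun 10 02:32:48 2016 GMT"}
# Constructed "current time", taken from the date header of this message.
SAMPLE_NOW_TS = ssl.cert_time_to_seconds("Jun 17 02:32:48 2016 GMT")


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_https_iframes(html, page_url):
    """Return the absolute URLs of iframes that load over https.

    Relative srcs inherit the page's scheme via urljoin. A certificate error
    inside such a frame shows no exception control in Firefox, so a visitor
    sees a broken frame with no in-place way to proceed."""
    collector = IframeCollector()
    collector.feed(html)
    result = []
    for src in collector.srcs:
        absolute = urljoin(page_url, src)
        if urlsplit(absolute).scheme.lower() == "https":
            result.append(absolute)
    return result


def days_until_expiry(cert, now_ts):
    """Days from now_ts (epoch seconds) until the certificate's notAfter.

    A negative value means the certificate has already expired."""
    not_after_ts = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after_ts - now_ts) / 86400.0


def audit(html, page_url, cert, now_ts, warn_days=30):
    """Summarise both checks as a list of human-readable findings."""
    findings = []
    for url in find_https_iframes(html, page_url):
        findings.append("https iframe (cert error not overridable in-frame): " + url)
    remaining = days_until_expiry(cert, now_ts)
    if remaining < 0:
        findings.append("certificate expired %.1f days ago" % -remaining)
    elif remaining < warn_days:
        findings.append("certificate expires in %.1f days" % remaining)
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_HTML, "http://www.example.org/", SAMPLE_CERT, SAMPLE_NOW_TS):
        print(line)
```

In practice the HTML would come from fetching the page and the certificate dict from `getpeercert()` on a verified TLS connection; the functions above take both as plain values so the check can run in a cron job or a CI step and fail early, which is cheaper than waiting for a report on the user list.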

