dt.iki.fi

About HTTPS on this site


This site is also viewable encrypted through https.

There's a snag though:
Browsers do not (by default) "trust" the certificate authority I'm using.

Why not?

Because this "trust" has to be paid for (getting a root into the browsers' trust stores requires audits that cost money), and the certificate authority I have chosen does not pay this money (and neither do I).
It's called CAcert, and this is what they say about themselves:

CAcert.org is a community-driven Certificate Authority that issues certificates to the public at large for free.

So go to their website and have a good read, maybe especially their License.
If you decide to trust them...

Browser Trust

Go to the root certificate page and click on Root Certificate and allow it to identify websites. Then click on Intermediate Certificate and don't check any of the boxes (do not allow it to identify anything) but click OK nevertheless.
I have chosen the PEM format for this, but the other formats probably also work.

If for some reason this should not work:

Download the files. For some reason the usual "right-click => save as" did not work for me; I had to use the command line:
wget https://www.cacert.org/certs/root_X0F.crt https://www.cacert.org/certs/class3_X0E.crt

Then, for Firefox, go to:

Preferences => Privacy & Security, scroll all the way down => View Certificates => Authorities => Import both files

However you do it, in the end it should look like this.

Something similar should be possible on all major browsers. See here for more information.

Clicking the root certificate link should also work on your Android-based smartphone's browser.
If you want it system-wide you need to download the certificate first, then tap the downloaded file; that should pop up a system settings dialog.
If it doesn't work, have a look here or try this app (not tested).

That's all, you can now navigate to https://dt.iki.fi and browse this site not only encrypted but also "trusted".

OS Trust

The CAcert wiki has an article about this.
I only looked at the Linux section though, and I wasn't able to adapt it to my ArchLinux system.

Before you start, run a test: curl https://dt.iki.fi should give a certificate verification error and not download the page.

With the previously downloaded root certificate (and only that one) try:
sudo trust anchor root_X0F.crt
Repeat the curl command; it should work now (download a load of HTML).

This is still effective after a reboot, but I'm not sure if some software update couldn't revert this eventually. We will see.
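Whatever you anchor with trust anchor becomes a trusted root for every TLS client on the machine, so it is worth checking the downloaded file before that step. The script below is an added example (not part of this page, and not CAcert's or p11-kit's code): using only the Python standard library it converts a PEM certificate to DER, computes its SHA-256 fingerprint, and walks just enough of the X.509 structure to print the subject Common Name, then compares the fingerprint against a value you pass in. The expected fingerprint is an assumed placeholder; get the real one out of band (from the CA's own site over a channel you already trust) and only run trust anchor if it matches. The constructed_root_pem() helper builds a structurally valid but unsigned skeleton certificate so the script can be exercised offline.

```python
"""Check a CA certificate file before anchoring it in the OS trust store.

Added example, standard library only. The expected fingerprint passed on the
command line is an ASSUMED value; obtain the real one out of band.
"""
import base64
import hashlib
import re

OID_CN = bytes.fromhex("550403")                      # id-at-commonName 2.5.4.3
OID_RSA = bytes.fromhex("2A864886F70D010101")         # rsaEncryption (skeleton only)
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")  # sha256WithRSAEncryption


def pem_to_der(pem: str) -> bytes:
    """Extract and decode the base64 body between the BEGIN/END CERTIFICATE lines."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 over the DER bytes, in the colon-separated form CAs publish."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes):
    """Yield (tag, value) for every TLV inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = der_read(value, pos)
        yield tag, child


def subject_common_name(der: bytes) -> str:
    """Walk Certificate -> tbsCertificate -> subject and return the CN attribute."""
    _, cert, _ = der_read(der, 0)
    _, tbs, _ = der_read(cert, 0)
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    subject = fields[4][1]
    for _, rdn in der_children(subject):        # SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):        # SEQUENCE { type OID, value }
            (_, oid), (_, val) = list(der_children(atv))[:2]
            if oid == OID_CN:
                return val.decode("utf-8")
    raise ValueError("subject has no commonName")


def check_anchor(pem: str, expected_fp: str):
    """Return (fingerprint_matches, fingerprint, subject_cn) for a PEM certificate."""
    der = pem_to_der(pem)
    fp = fingerprint_sha256(der)
    return fp == expected_fp.upper(), fp, subject_common_name(der)


def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (short or long form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def constructed_root_pem(cn: str) -> str:
    """Constructed test input: a structurally valid but UNSIGNED skeleton certificate."""
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, OID_CN) + der_tlv(0x0C, cn.encode()))))
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"340101000000Z"))
    sig_alg = der_tlv(0x30, der_tlv(0x06, OID_SHA256_RSA))
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, OID_RSA)) + der_tlv(0x03, b"\x00"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + sig_alg + name + validity + name + spki)
    cert = der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    path, expected = sys.argv[1], sys.argv[2]   # e.g. root_X0F.crt AA:BB:...
    ok, fp, cn = check_anchor(open(path).read(), expected)
    print(f"subject CN: {cn}\nSHA-256:    {fp}\n{'OK, safe to anchor' if ok else 'MISMATCH, do not anchor'}")
```

Run it as python check_anchor.py root_X0F.crt AA:BB:...:ZZ with the fingerprint you looked up; the "(and only that one)" remark above applies here too, since the script only tells you the file is the root you expect, not that the intermediate should be anchored as well.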


PS:

So why don't you just use letsencrypt like everybody else?

I guess I'm a little sceptical of them and it all reminds me of that time ~10 years ago when Gmail seemed like the best thing that happened to the internet, ever. For free!
And eventually everybody found themselves being sucked dry and violated by a data mining behemoth.

But there are more palpable reasons for my rejection of letsencrypt.

Using it requires me to agree to some things which, without going into detail (IANAL), amount to making a contract with a company in the USA, under US law, and willingly providing them with personal data to be stored on servers in the USA that aren't protected by any privacy laws to speak of.

Now why would I do that when I live in a country with much better privacy laws and went out of my way to not willingly store any data on any servers in the US of A?

Secondly, when I tried it once it asked me to run a python script that did all sorts of things to my system (obviously it needs root privileges).
I like to have just a little more control over things.
And why is the certificate valid only 90 days? Seems a little shifty to provide free certificates, throw them at the public, then force people to renew them in such short intervals, more or less forcing them into using the provided software (because constantly keeping an eye on it and doing it manually every other month or so certainly isn't fun).

Lastly, I think web encryption is slightly overrated. A lot of content on the WWW is meant to be public and there really isn't much reason to encrypt it. If only more sites would respect their visitors' privacy and not suck so much data out of them by means of javascript.

All my site does is set a cookie in your browser (PHP does that automatically and I see no reason to switch that off) and, of course, store the connection in the server logs (i.e. time, originating IP and the browser's user agent string). That's the only information about you that travels through the web, apart from the fact that you are visiting the site at all. Now if you feel you need to hide that then good luck using the regular web.
If on the other hand you wanted to contact me and send some sensitive information (like an email address so I can get back to you) I would indeed recommend using a secure connection.

PPS: Recently I stumbled upon some more alarming information about the certbot installer.