About HTTPS on this site

Table of Contents

This site is also viewable encrypted through https.

I finally decided to shell out some real money for this, so for the next two years there's no snag. See here.

There's a snag though:
Browsers do not (by default) "trust" the certificate authority I'm using.

Why not?

Because this "trust" must be bought, and the certificate authority I have chosen does not pay this money (and neither do I).
It's called CAcert, and this is what they say about themselves:

CAcert.org is a community-driven Certificate Authority that issues certificates to the public at large for free.

So go their website and have a good read, maybe especially their License.
If you decide to trust them...

Browser Trust

Go to the root certificate page and click on Root Certificate and allow it to identify websites. Then click on Intermediate Certificate and don't check any of the boxes (do not allow to identify anything) but click OK nevertheless.
I have chosen the PEM format for this, but the other formats probably also work.

If for some reason this should not work:

Download the files. For some reason the usual "right-click => save as" did not work for me, had to use the command line:
wget https://www.cacert.org/certs/root_X0F.crt https://www.cacert.org/certs/class3_X0E.crt

Then, for Firefox, go to:

Preferences => Privacy & Security, scroll all the way down => View Certificates => Authorities => Import both files

However you do it, in the end it should look like this.

Something similar should be possible on all major browsers. See here for more information.

Clicking the root certitifcate link should also work on your Android-based smartphone's browser.
If you want it system-wide you need to download the ceritificate first, then tap the downloaded file, that should pop up a system settings dialog.
If it doesn't work, have a look here or try this app (not tested).

That's all, you can now navigate to https://dt.iki.fi and browse this site not only encrypted but also "trusted".

OS Trust

The CACert wiki has an article about this.
I only looked at the Linux section though, and I wasn't able to adapt it to my ArchLinux system.

Before you start, make a test: curl https://dt.iki.fi should give an error and not download the page.

With the previously downloaded root certificate (and only that one) try:
sudo trust anchor root_X0F.crt
Repeat the curl command; it should work now (download a load of HTML).

This is still effective after a reboot, but I'm not sure if some software update couldn't revert this eventually. We will see.


So why don't you just use letsencrypt like everybody else?

I guess I'm a little sceptical of them and it all reminds me of that time ~10 years ago when Gmail seemed like the best thing that happened to the internet, ever. For free!
And eventually everybody found themselves being sucked dry and violated by a data mining behemoth.

But there's more palpable reasons for my rejection of letsencrypt.

Using it requires me to agree to some things which, in my layman understanding, amounts to making a contract with a company in the USA, under US law, and willingly provide them with personal data to be stored on servers in the USA that aren't protected by any privacy laws to speak of.

Now why would I do that when I live in a country with much better privacy laws and went out of my way to not willingly store any data on any servers in the USA?

Secondly, when I tried it once it asked me to run a python script that did all sorts of things to my system (obviously it needs root privileges).
Uninstalling was not an option and I had to find everything it did.
I like to have just a little more control over things.
And why is the certificate valid only 90 days? It seems a little shifty to provide free certificates, throw them at the public, then make people renew them in such short intervals, more or less forcing them into using the provided software (because constantly keeping an eye on it and doing it manually every other month or so certainly isn't fun).

Lastly, I think web encryption is slightly overrated. A lot of content on the WWW is meant to be public and there really isn't much reason to encrypt it. If only more sites would respect their visitors' privacy and not suck so much data out of them by means of javascript (because transmitting that over an unencrypted connection is definitely insecure).
Currently, one also cannot hide the fact that one is visiting a certain site, encrypted or not. And other limitations.
I'm not saying encryption is pointless (obviously, since I went to some effort to use it), but I think people shouldn't blindly follow every shout for "more" online security, and consider:

  • Who's shouting - maybe those same entities that are creating all those insecure web sites/applications?
  • Is the implementation really secure?

I can already hear counter arguments by the busload... I think I'll leave it at that for now, maybe edit this article later...

PPS: Recently I stumbled upon some more alarming information about the certbot installer.