
Change the SSL certificate of beta.wmflabs.org to remove SSL warnings/errors
Closed, Duplicate · Public

Description

There are two SSL/security issues when I try to visit the SSL version of any Wikimedia beta cluster:

  1. The certificate is a self-signed certificate, therefore the certificate is not valid.
  2. The intended URL that should be issued by the certificate doesn't match with the current URL.

Issue #1 can be solved by installing the certificate to the Trusted Certificate Authorities folder, but this doesn't really solve the whole problem. There are some users that don't know or are not familiar with installing certificates, so this should be solved.

Issue #2 occurs because if we look at the "Issued to" field, it is *.*.beta.wmflabs.org. Due to that, it doesn't include the other sub-domains it has (such as commons.wikimedia.beta.wmflabs.org). Unfortunately, we cannot solve it unlike Issue #1, so this should be solved by a system administrator. Also, Issue #2 will not appear on mobile browsers (such as Safari iOS).

If these issues are fixed, I think it is safe if we redirect the whole beta.wmflabs.org domain from HTTP to HTTPS. I will provide a screenshot by tomorrow. Thanks.
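The hostname mismatch described in Issue #2, as an added example that is not part of the original task: it checks the host and the "Issued to" name quoted above under an RFC 6125-style rule (a wildcard counts only as the whole leftmost label) and under a hypothetical lenient rule, showing how clients can disagree about the same certificate. The function names and the two other patterns are constructed for illustration.

```python
# Added example: wildcard matching for certificate DNS names.
def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def match_strict(pattern, host):
    """RFC 6125-style rule: '*' counts only as the whole leftmost label
    and stands for exactly one label of the host name."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False                      # a wildcard never spans two labels
    if any("*" in label for label in p[1:]):
        return False                      # wildcard outside the leftmost label
    if "*" in p[0]:
        # Partial wildcards such as "w*" are rejected in this example.
        return p[0] == "*" and p[1:] == h[1:]
    return p == h


def match_lenient(pattern, host):
    """Hypothetical lenient rule: every '*' label matches one host label."""
    p, h = _labels(pattern), _labels(host)
    return len(p) == len(h) and all(a in ("*", b) for a, b in zip(p, h))


def compare(host, patterns):
    """Return {pattern: (strict_result, lenient_result)} for one host."""
    return {pat: (match_strict(pat, host), match_lenient(pat, host))
            for pat in patterns}


HOST = "commons.wikimedia.beta.wmflabs.org"       # host named in the task
PATTERNS = [
    "*.*.beta.wmflabs.org",          # "Issued to" value quoted in the task
    "*.beta.wmflabs.org",            # constructed: one wildcard, too few labels
    "*.wikimedia.beta.wmflabs.org",  # constructed: one wildcard per project
]

if __name__ == "__main__":
    for pat, (strict, lenient) in compare(HOST, PATTERNS).items():
        print(f"{pat:32} strict={strict!s:5} lenient={lenient}")
```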

Event Timeline

Restricted Application added a subscriber: Aklapper. · Mar 12 2016, 1:15 PM

You can use https://letsencrypt.org/ which is free and trusted and funded by big companies such as Facebook.

Duplicate of T50501?

I think this is not a duplicate, as the task you stated is about adding SSL to the Wikimedia beta clusters. It has already been done, but this time, there are two SSL issues when accessing any Wikimedia beta cluster via HTTPS (which is in the description).

You can use https://letsencrypt.org/ which is free and trusted and funded by big companies such as Facebook.

Hmm... I don't recommend Let's Encrypt at the moment, because their intermediate certificate is not trusted by Windows XP using Chrome and IE8. I am one of the users using Windows XP and Chrome, well this would be unfair to those who don't want to upgrade their Windows XP computer yet (or buy a new computer).

Reedy added a subscriber: Reedy. · Mar 12 2016, 11:53 PM
In T129740#2115141, @Pokefan95 wrote:

Hmm... I don't recommend Let's Encrypt at the moment, because their intermediate certificate is not trusted by Windows XP using Chrome and IE8. I am one of the users using Windows XP and Chrome, well this would be unfair to those who don't want to upgrade their Windows XP computer yet (or buy a new computer).

Considering XP is all but 2 years past end of supported life... Never mind being nearly 15 years old. If you want to run an operating system that's no longer receiving security updates etc, that's your problem.

Paladox added a comment. · Edited · Mar 13 2016, 12:04 AM

Windows XP is no longer supported. It has a ton of security problems. Plus Windows XP's share in the market is going down. Plus Google is discontinuing support for Windows XP. Plus it's only for the beta server so not many people would be impacted.

I recommend upgrading, since HTTPS does not benefit Windows XP customers due to it using lower bit security.

It also saves costs for testing software before deploying to production.

Poyekhali triaged this task as Medium priority. · Apr 13 2016, 4:39 AM