Change the SSL certificate of beta.wmflabs.org to remove SSL warnings/errors
Closed, DuplicatePublic
Actions

Assigned To

None

Authored By

	Poyekhali
	Mar 12 2016, 1:15 PM

Description

There are two SSL/security issues when I try to visit the SSL version of any Wikimedia beta cluster:

The certificate is a self-signed certificate, therefore the certificate is not valid.
The intended URL that should be issued by the certificate doesn't match with the current URL.

Issue #1 can be solved by installing the certificate to the Trusted Certificate Authorities folder, but this doesn't really solve the whole problem. There are some users that don't know or not familiar with installing certificates, so this should be solved.

Issue #2 occurs because if we will see the "Issued to" field, it is *.*.beta.wmflabs.org. Due to that, it doesn't include the other sub-domains it have (such as commons.wikimedia.beta.wmflabs.org). Unfortunately, we cannot solve it unlike Issue #1, so this should be solved by a system administrator. Also, Issue #2 will not appear on mobile browsers (such as Safari iOS).

If these issues are fixed, I think it is safe if we redirect the whole beta.wmflabs.org domain from HTTP to HTTPS. I will provide a screenshot by tomorrow. Thanks.

Related Objects

Mentioned Here: T50501: beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

Event Timeline

Poyekhali created this task.Mar 12 2016, 1:15 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 12 2016, 1:15 PM

Duplicate of T50501?

You can use https://letsencrypt.org/ which is free and trusted and funded by big company's such as facebook.

In T129740#2114729, @Southparkfan wrote:

Duplicate of T50501?

I think this is not a duplicate, as the task you stated is about adding SSL to the Wikimedia beta clusters. It has been already done, but this time, there are two SSL issues when accessing any Wikimedia beta cluster via HTTPS (which is in the description).

Krenair closed this task as a duplicate of T50501: beta: Get SSL certificates for *.{projects}.beta.wmflabs.org.Mar 12 2016, 11:46 PM

In T129740#2114738, @Paladox wrote:

You can use https://letsencrypt.org/ which is free and trusted and funded by big company's such as facebook.

Hmm... I don't recommend Let's Encrypt at the moment, because their intermediate certificate is not trusted by Windows XP using Chrome and IE8. I am one of the users using Windows XP and Chrome, well this would be unfair to those who don't want to upgrade their Windows XP computer yet (or buy a new computer).

In T129740#2115141, @Pokefan95 wrote:

Hmm... I don't recommend Let's Encrypt at the moment, because their intermediate certificate is not trusted by Windows XP using Chrome and IE8. I am one of the users using Windows XP and Chrome, well this would be unfair to those who don't want to upgrade their Windows XP computer yet (or buy a new computer).

Considering XP is all but 2 years past end of supported life... Never mind being nearly 15 years old. If you want to run an operating system that's no longer receiving security updates etc, that's your problem.

Windows XP is no longer supported. It has a ton of security problems. Plus Windows XP shares In the market is going down. Plus Google is discontinuing support for Windows XP. Plus it's only for the beta server so not many people would be impacted,

I recommend upgrading. Since https does not benefit Windows XP customers due to it using lower bit security.

It also save costs for testing software before deploying to production.

• MZMcBride subscribed.Mar 13 2016, 3:41 AM

Poyekhali triaged this task as Medium priority.Apr 13 2016, 4:39 AM

Change the SSL certificate of beta.wmflabs.org to remove SSL warnings/errorsClosed, DuplicatePublicActions

Description

Related Objects

Event Timeline

Change the SSL certificate of beta.wmflabs.org to remove SSL warnings/errors
Closed, DuplicatePublic
Actions