Re: uses an invalid security certificate

From: Jimmy Kaplowitz <jimmy(at)spi-inc(dot)org>
To: TJ <spi-inc(at)iam(dot)tj>
Cc: spi-general(at)lists(dot)spi-inc(dot)org
Subject: Re: uses an invalid security certificate
Date: 2014-02-27 23:32:46
Views: Raw Message | Whole Thread | Download mbox
Lists: spi-general

On Thu, Feb 27, 2014 at 08:48:35PM +0000, TJ wrote:
> If that is the intent then the URL I accessed should *not* be served over HTTPS at all.
> Not having heard of SPI previously I wanted to verify the organisation's
> authenticity. Finding what seemed like an amateurish fault on the SPI host
> certificate too, my willingness to trust the CA was greatly diminished.

It's a valid point that the user experience might be clearer if both URLs were
separated to be served from different IPs, or the certificate updated to
include & and either HTTPS serving enabled or a
redirect to HTTP installed. I'll make sure our sysadmins notice this thread.

That said, from a technical perspective, the browser certificate warning occurs
before the server even knows which URL you're trying to access. I realize that
this is not obvious, and this perception issue is why the most high-profile
sites do one of the workarounds described above.

- Jimmy Kaplowitz


Browse spi-general by date

  From Date Subject
Next Message TJ 2014-02-27 23:46:32 Re: uses an invalid security certificate
Previous Message TJ 2014-02-27 20:48:35 Re: uses an invalid security certificate