Last modified: 2008-06-29 05:57:41 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T9477, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 7477 - Firefox does not recognise secure.wikimedia.org's cert
Status: RESOLVED FIXED
Product: Wikimedia
Classification: Unclassified
Component: General/Unknown
Version: unspecified
Hardware: PC Linux
Importance: Normal normal
Assigned To: Nobody - You can work on this!
URL: https://secure.wikimedia.org/
Reported: 2006-10-03 11:38 UTC by Neil Harris
Modified: 2008-06-29 05:57 UTC

Description Neil Harris 2006-10-03 11:38:38 UTC
At the moment secure.wikimedia.org uses a PKI certificate that is signed by
CAcert.org. Firefox does not have CAcert as a trusted CA; I haven't tested it
with other browsers, but, given what I read on CAcert's own website, I suspect
this is also the case for IE.

Since secure.wikimedia.org is now being recommended to users (see the en:
Wikipedia login form), it makes sense that a new certificate be generated for
secure.wikimedia.org, signed by a CA that is trusted by the majority of web
browsers. 

Although this will cost a small amount of money, it should be well worth it for
the reduced confusion in non-technical users, and will also protect against
possible man-in-the-middle attacks.
Comment 1 Leon Weber 2006-10-03 11:41:42 UTC
That's a browser bug, not a MediaWiki bug.
Comment 2 Brion Vibber 2006-10-03 15:53:02 UTC
We don't recommend secure.wikimedia.org to the general public.
Any such recommendation needs to be removed posthaste.

It remains experimental and may change incompatibly.
Comment 3 Neil Harris 2006-10-03 19:32:38 UTC
Re comment #1: No, it's a server configuration bug, rather than a browser bug;
if you want the general public to use HTTPS securely, you need to use a
certificate signed by a CA their browser trusts; that's the whole point of PKI.

Re comment #2: I agree, if the facility is experimental, the message inviting
the public to use it should be removed. The link in the page returned after a
successful login, which says:

"Note: If you find yourself repeatedly logged out immediately after visiting
this screen, first make sure that cookies are enabled on your computer, and then
try checking the 'Remember me' box. If neither of those work, please try this
alternative (but slower) connection."

...where "this alternative" has a link to secure.wikimedia.org.
Comment 4 Aryeh Gregor (not reading bugmail, please e-mail directly) 2006-10-04 01:45:39 UTC
[[User:Flcelloguy]] added that to enwiki's [[MediaWiki:Loginsuccess]] message
yesterday.  I'll ask on the talk page for the "experimental" proviso to be added.
Comment 5 Zigger 2008-06-29 05:57:41 UTC
This was fixed by someone a while ago, and the secure site is linked from Special:UserLogin.  https://secure.wikimedia.org/ currently has a certificate issued by "Equifax Secure Global eBusiness CA-1" and valid from May 2008 to July 2013.

From some tests here, the issuer is accepted by Firefox v3.0, iceweasel v2.0.0.1, Konqueror v3.5.5, Internet Explorer v6.0.2800.1106 & v7.0.5730.11, Safari v3.1.2.
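
The point argued in this thread, that a correctly signed server certificate is still rejected when its issuer is absent from the client's trust store, shown as an added example that is not part of the original bug report. It assumes the OpenSSL 1.1.0 or later command-line tool; the CA names, the host name secure.example.test and the helper functions are hypothetical, and all keys and certificates are generated locally.

```shell
#!/bin/sh
# Constructed demo: every key, CA and certificate here is generated locally and
# is hypothetical. Nothing contacts secure.wikimedia.org or any real CA.

# build_demo_pki DIR: create two independent roots and sign the same server
# CSR with each, giving server-by-trusted.pem and server-by-untrusted.pem.
build_demo_pki() {
    d=$1
    for ca in trusted untrusted; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Demo $ca root CA" \
            -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=secure.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    for ca in trusted untrusted; do
        openssl x509 -req -in "$d/server.csr" -days 1 \
            -CA "$d/$ca-ca.pem" -CAkey "$d/$ca-ca.key" -CAcreateserial \
            -out "$d/server-by-$ca.pem" 2>/dev/null || return 1
    done
}

# check_chain LEAF ROOTS: succeed only if LEAF chains to a root in ROOTS.
# -no-CAfile/-no-CApath keep the default CA file and directory out of the
# decision, so ROOTS plays the role of the browser's built-in CA list.
check_chain() {
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# report DIR: print the verdict for each leaf against a "browser" store that
# contains only the trusted root.
report() {
    for ca in trusted untrusted; do
        if check_chain "$1/server-by-$ca.pem" "$1/trusted-ca.pem"; then
            echo "issuer '$ca': chain verifies"
        else
            echo "issuer '$ca': rejected, issuer is not in the trust store"
        fi
    done
}

demo_dir=$(mktemp -d) && build_demo_pki "$demo_dir" && report "$demo_dir"
rm -rf "$demo_dir"
```

Both leaf certificates carry a valid signature over the same key and subject; the only thing that changes the verdict is which roots the verifier was given.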
