Last modified: 2008-06-29 05:57:41 UTC
At the moment secure.wikimedia.org uses a PKI certificate that is signed by
CAcert.org. Firefox does not have CAcert as a trusted CA; I haven't tested it
with other browsers, but, given what I read on CAcert's own website, I suspect
this is also the case for IE.
Since secure.wikimedia.org is now being recommended to users (see the en:
Wikipedia login form), it makes sense that a new certificate be generated for
secure.wikimedia.org, signed by a CA that is trusted by the majority of web
Although this will cost a small amount of money, it should be well worth it for
the reduced confusion in non-technical users, and will also protect against
possible man-in-the-middle attacks.
That's a browser bug, not a MediaWiki bug.
We don't recommend secure.wikimedia.org to the general public.
Any such recommendation needs to be removed posthaste.
It remains experimental and may change incompatibly.
Re comment #1: No, it's a server configuration bug, rather than a browser bug;
if you want the general public to use HTTPS securely, you need to use a
certificate signed by a CA their browser trusts; that's the whole point of PKI.
Re comment #2: I agree, if the facility is experimental, the message inviting
the public to use it should be removed. The link in the page returned after a
successful login, which says:
"Note: If you find yourself repeatedly logged out immediately after visiting
this screen, first make sure that cookies are enabled on your computer, and then
try checking the 'Remember me' box. If neither of those work, please try this
alternative (but slower) connection."
...where "this alternative" has a link to secure.wikimedia.org.
[[User:Flcelloguy]] added that to enwiki's [[MediaWiki:Loginsuccess]] message
yesterday. I'll ask on the talk page for the "experimental" proviso to be added.
This was fixed by someone a while ago, and the secure site is linked from Special:UserLogin. https://secure.wikimedia.org/ currently has a certificate issued by "Equifax Secure Global eBusiness CA-1" and valid from May 2008 to July 2013.
From some tests here, the issuer is accepted by Firefox v3.0, Iceweasel v220.127.116.11, Konqueror v3.5.5, Internet Explorer v6.0.2800.1106 & v7.0.5730.11, and Safari v3.1.2.