[ntp:questions] lists.ntp.org uses an invalid security certificate....

Unruh unruh-spam at physics.ubc.ca
Sun Sep 6 18:06:17 UTC 2009


"David J Taylor" <david-taylor at blueyonder.not-this-part.nor-this.co.uk.invalid> writes:


>"Dave Hart" <davehart at gmail.com> wrote in message 
>news:594a23a4-75f3-4081-9346-9c0955a69ef9 at x5g2000prf.googlegroups.com...
>> On Sep 6, 6:49 am, "David J Taylor"  wrote:
>>> "Dave Hart" <> wrote in message
>>>
>>> >http://lists.ntp.org/pipermail/questions/2009-September/024201.html
>>>
>>> > Cheers,
>>> > Dave Hart
>>>
>>> Thanks for the pointer, Dave.
>>>
>>> When visiting that site in Firefox, but not in Internet Explorer, I get
>>> the warning:
>>>
>>>   lists.ntp.org:443 uses an invalid security certificate.
>>>
>>> "The certificate is not trusted because the issuer certificate is
>>> unknown."
>>>
>>> Perhaps my Firefox needs something?
>>
>> Neither of the URLs given above are using https, they are both 
>> http://...,
>> so one answer would be to tell you you're confused ;)  However
>> lists.ntp.org mailing list archives are also available over https, and
>> Firefox is telling you it doesn't trust the certificate, which is
>> true.  All ntp.org https sites use certificates from cacert.org, which
>> is not trusted by any browser with enough market share to mention out
>> of the box.  You must have previously installed the cacert.org root
>> certificate, or the https://lists.ntp.org certificate into IE to avoid
>> the warning.
>>
>> This is a bit of a sore point with me, and I've gone so far as to find
>> affordable trusted certificates and offer to pay for them, but the
>> idea was vetoed.  Apparently, supporting cacert.org's windmill-tilting
>> is more important than not scaring away innocent users who try to
>> visit http://bugs.ntp.org and find every link redirects them to
>> https://support.ntp.org/... which throws up a certificate warning to
>> those of us who have not installed cacert.org's root certificate.
>>
>> Cheers,
>> Dave Hart

>Thanks, Dave.  Yes, I noted that the port 443 was /not/ the one associated 
>with the http:// URL, but I did cut and paste the URL from your message, 
>and there was no "https" in it.  I simply reported what i saw.  I just 
>tried it again and did /not/ get the warning, however on closing and 
>re-opening Firefox, the warning has appeared with the same, non-https, 
>URL.  I suspect that it comes from Firefox looking ahead to the other 
>links on that page, some of which are https.

>Yes, in the past this issue has arisen, and I may have clicked "OK" if 
>Internet Explorer gave such an option for that URL.

>It makes it difficult to take an discussion about "security" issues 
>seriously when ntp.org can't even get a "accepted" certificate.


There is nothing insecure about what they do. They are simply using a
security certificate from an agent not recognized by your browser. That
is not insecure. It may be stupid as Hart implies, but not insecure. 





More information about the questions mailing list