googlecreativelab / coder

A simple way to make web stuff on Raspberry Pi
http://goo.gl/coder
Apache License 2.0

Why does (my?) Coder start up with an invalid certificate warning? #64

Closed johnhorner closed 10 years ago

johnhorner commented 10 years ago

When I started Coder for the first time I got a warning screen about security problems and an invalid certificate. This seems like a really bad first impression for a project aimed at people who are new to code.

In Chrome you can just ignore it with one click but in Firefox it's two or more quite scary warning screens.

Is there a reason why Coder uses HTTPS, and uses it in such a way that people see those warnings?

jmstriegel commented 10 years ago

Coder runs on your local network, and doesn't have a public DNS entry that you could purchase a certificate for. Instead, it uses a self-signed certificate that is created on the device the first time it boots. Unfortunately, a self-signed certificate will cause a browser to produce this warning the first time you connect. :(

So it comes down to a choice:

There are problems with both. I felt a bit better about the second option.

johnhorner commented 10 years ago

I can see the problem, but if it has to be that way to protect the Coder password there should at least be some mention of it in the documentation/Getting Started Info.

As a user experience it's quite negative: you see a lot of "Setting up is easy, just follow these simple steps" messages, and then in the middle of setting up for the first time there's this off-putting and undocumented step.

I would suggest something like:

You will see a warning about Coder's certificate. You should just click "proceed anyway". [Chrome is simply telling you that it can't check Coder's credentials, but in this case it's OK because you're connecting to Coder locally, not over the Internet.]

in the setup instructions.

jmstriegel commented 10 years ago

@johnhorner thanks for the feedback! I've incorporated this language into the getting started section.

I agree that the warning message is a major bummer. Ironically, there would be no scary message if it was unencrypted, and I'd worry about someone running things on an open wifi network. :(

johnhorner commented 10 years ago

That looks great. Thank you.