Closed sprin closed 9 years ago
Done. A modern ciphersuite and HSTS are in place, but I don't think it is worth the effort to enable Public Key Pinning for this. Firefox and Chrome no longer have errors related to the cert.
Firefox "Security Tab" shows:
Connection:
Protocol version: TLSv1.2
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Host pg-discuss-demo.sprin.io:
HTTP Strict Transport Security: Enabled
Public Key Pinning: Disabled
Certificate:
Issued To
Common Name (CN): pg-discuss-demo.sprin.io
Organization (O): <Not Available>
Organizational Unit (OU): Domain Control Validated
Issued By
Common Name (CN): COMODO RSA Domain Validation Secure Server CA
Organization (O): COMODO CA Limited
Organizational Unit (OU): <Not Available>
Period of Validity
Begins On: 10/11/2015
Expires On: 10/11/2016
Firefox refuses to load the demo when HTTPS is used. The browser refuses to retrieve the JS file for the client. No user-visible warning is issued, but the developer tools reveal an error:
Chrome shows the same behavior, but with a more obscure error message:
Without even being presented an option to accept the self-signed certificate, visitors to the demo cannot be expected to work around this.
The initial plan was to obtain a free certificate from Let's Encrypt, a free and open CA that will be trusted by browsers courtesy of a cross-signature from IdenTrust. However, they have pushed back the schedule for general availability to the week of Nov 16.
To get this fixed now, we will need to procure a certificate from a commercial CA.
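Added example (not code from the issue or the project): a script that reproduces the checks shown in the Firefox Security Tab above, protocol version, cipher suite, certificate validity and HSTS, and surfaces the untrusted-certificate failure the issue describes. The hostname is the one from the issue; assess() is a pure check that runs offline, probe() needs network access.

```python
import http.client
import ssl
import time

HOST = "pg-discuss-demo.sprin.io"  # hostname from the issue; any HTTPS host works

AEAD_MARKERS = ("GCM", "CHACHA20")  # AEAD suites only; excludes CBC, RC4, 3DES


def assess(protocol, cipher, not_after, hsts):
    """Pure policy check over what a handshake reported (no network).
    protocol: e.g. "TLSv1.2"; cipher: OpenSSL or IANA suite name;
    not_after: certificate expiry as Unix seconds, or None if unknown;
    hsts: Strict-Transport-Security header value, or None if absent."""
    findings = {
        "modern_protocol": protocol in ("TLSv1.2", "TLSv1.3"),
        "aead_cipher": any(m in cipher.upper() for m in AEAD_MARKERS),
        "cert_unexpired": not_after is not None and not_after > time.time(),
        "hsts": False,
    }
    for directive in (hsts or "").split(";"):
        name, _, value = directive.strip().lower().partition("=")
        if name == "max-age" and value.isdigit():
            findings["hsts"] = int(value) > 0  # max-age=0 switches HSTS off
    return findings


def probe(host=HOST, port=443, timeout=5.0):
    """Connect with default verification, as a browser does. A self-signed
    or otherwise untrusted chain raises ssl.SSLCertVerificationError here,
    which is the failure the issue reports for the demo's JS file."""
    ctx = ssl.create_default_context()  # system trust store + hostname check
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    conn.connect()  # handshake happens here; verification errors raise now
    sock = conn.sock
    protocol, cipher = sock.version(), sock.cipher()[0]
    not_after = ssl.cert_time_to_seconds(sock.getpeercert()["notAfter"])
    conn.request("HEAD", "/")
    hsts = conn.getresponse().getheader("Strict-Transport-Security")
    conn.close()
    return assess(protocol, cipher, not_after, hsts)


if __name__ == "__main__":
    try:
        print(probe())
    except ssl.SSLCertVerificationError as err:
        print("chain not trusted (self-signed?):", err.verify_message)
```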