www.spi-inc.org uses an invalid security certificate

TJ spi-inc at iam.tj
Thu Feb 27 20:48:35 UTC 2014

On 27/02/14 17:37, Jimmy Kaplowitz wrote:> On Thu, Feb 27, 2014 at 07:43:32AM +0000, TJ wrote:
>> Visiting spi-inc.org [2] I hit another issue with an invalid certificate being presented causing Firefox to warn "The certificate is not valid for any server names" (as well as certificate not
>> trusted). The certificate's Common Name is "members.spi-inc.org" and there are no Subject Alt Name  hosts.
>> How can we have trust in the CA when the CA itself cannot correctly manage its own certificates?
> While your empirical data is correct, your conclusion is not. There's no place
> in which we link to the main SPI website using that URL; it's intended to be
> viewed over unencrypted HTTP. The only SPI website which is meant for HTTPS
> access is members.spi-inc.org, which is correctly reflected in the SSL
> certificate.

If that is the intent then the URL I accessed should *not* be served over HTTPS at all.

My initial issue - the untrusted Debian certificate - stemmed from being referred to the Debian URL in order to check the Debian Linux kernel repository. I was not using a Debian host to do that, so
when the browser warned of certificate issues I followed the chain back to the CA.

Not having heard of SPI previously I wanted to verify the organisation's authenticity. Finding what seemed like an amateurish fault on the SPI host certificate too, my willingness to trust the CA was
greatly diminished.

More information about the Spi-general mailing list