The switch to metalstorm.net has been some time ago now and the site's certificate is still issued for metalstorm.ee. I know not many people here seem to use https when browsing the site (which is bad) but at least a few of us do. And since a query for the Estonian tld will be translated to .net anyway, the certificate should be re-issued for .net. Also it's still issued by a self-signed Metalstorm CA. I know having your certs signed costs quite a bit of money but metalstorm has become fairly big and still everyone using TLS gets a browser warning everytime they visit the site. Maybe you can come up with that money to get a decent certificate.

Also, since we're on the topic here anyway, I'd love an option to have the site always use TLS when I'm logging in. I thought about how to enforce stuff like this and the only way I could come up with would be having a javascript function check the email address entered before performing the actual login and retrieve the TLS setting through AJAX. Maybe you guys have a better idea, but the feature would be nice.

Am I seriously the only one interested in this?

I think in this day and age people prefer convenience over security. Certificates cost in the $1000s don't they? I can't remember exactly.

Written by Raiden on 11.01.2011 at 12:43

I think in this day and age people prefer convenience over security. Certificates cost in the $1000s don't they? I can't remember exactly.

That depends. Thawte for instance will sing a two year certificate for ~300?. But that's not the point. Having it signed is a optional request of mine. Fact is that the certificate presented by the webserver for metalstorm.net is not issued for that domain but for metalstorm.ee. Also 1024 bit RSA isn't considered secure by today's standard anymore but that's another matter.
This can easily be corrected by re-generating the certificate. X509 even provides and extension allowing the creation of one certificate valid for multiple domains. The TLS setting I ask for is in fact a means of convenience.

Oh yes, I see that it doesn't expire for a little while yet at least.

If I get time, I might reissue the thing to cover .net as well. It will not be signed officially in the near future, though. Deal with it.

I.

I get that warning everytime i log onto www.hotmail.com so, when microsoft choose not to pay for a some certificate, i doubt that metalstorm would.. considering the very little revenue from ads.

Written by Zombie on 11.01.2011 at 19:55

I get that warning everytime i log onto www.hotmail.com so, when microsoft choose not to pay for a some certificate, i doubt that metalstorm would.. considering the very little revenue from ads.

All of Microsofts certificates are signed by VeriSign. And I can't reproduce what you're saying. When visiting hotmail.com, one is redirected to login.live.com which presents a correctly validatable certificate signed by VeriSign Inc.

I dont know man, maybe the didnt get certifictaes for the domain serving africa or the middle east (if such thing is possible) .. i'm no computer expert but that's what happens when i sign in everytime

Any news on this?

Written by corrupt on 03.02.2011 at 10:19

Any news on this?

No, busy times.

I.