Google Chrome fails at pause.perl.org
Went to ship a new module today but Google Chrome wouldn't let me visit PAUSE
Firefox indicates that the cert is from an untrusted issuer, but allows me through after adding an exception. 'Error code: sec_error_untrusted_issuer'. This is disappointing that the Chrome developers could not match Firefox in this regard. I'm hoping that it is just a missing use case rather than a planned feature.
But alas, the PAUSE ssl certificate is still self signed signed by CACert. PAUSE admins, if you are reading this, I will buy you a signed ssl cert for pause.cpan.org. Comment on this blog post to get a hold of me, or email me on my PHRED cpan page email address. I know you guys have lot of stuff going on, but hit me up and I'll cover this part of it.
I blog about Perl.
The certificate on PAUSE is actually signed by CACert. You can download the root certificate from http://www.cacert.org/index.php?id=3 and import it into Chrome (I don't know how to import into Chrome off-hand). I know CACert is working to get included in browsers, but so far still no browsers do not come with CACert that I know of.
Thanks for the spot on the signing authority, I claimed that it was self signed when I was too lazy to look up the specific signing authority.
Anyway, the offer still stands, but I'll be specific in saying that it will be a Geotrust signed cert with no intermediate cert files needed. Sorry if I can't remember the technical term offhand but if you have had to configure Apache to install intermediate cert authority files then you know what I mean.
It's not an issue of money. Andreas wants to stick with CACert. There are instructions for installing their root certificate.
As a workaround, you can also upload with the 'cpan-upload' program that comes with CPAN::Uploader. I find that to be easier and faster than using the web form.
I don't quite understand the desire to stick with a CA that isn't recognised by all common browsers yet.
Yes, importing their root cert to make it trusted isn't particularly difficult, but it shouldn't be necessary at all really.
At least it's only on PAUSE, which is used by people uploading their modules, and not a a newbie-facing site where people would likely be put off by it.
That's completely understandable. What blew my mind is that Chrome didn't give me the option to proceed anyway (without installing the root certificate). That falls under my definition of broken.
It’s not broken depending on what you think the goal is. If you presume certificates are at all meaningful and the goal is to protect users, then not giving them the option is the responsible thing to do – because only the most technical of users have any means to make an informed decision and the least technical of users (who need to be protected the most) will not even stop to think what the error means: they will merely try to find whichever way lets them proceed.
If you throw up a warning dialog, you are mostly training users to press whichever button will proceed. Many of them never read what the dialog said. The same is true of putting obstacles in their way like SSL cert failure pages that allow users to proceed in some way: it has no effect on most of them at all.
The only way to stop them is to give them no option to proceed whatsoever.
(This gets a lot more complicated if you do not buy into the SSL cert narrative, which I don’t. But I can see the issue from that side, and in that light Chrome actually made a better choice than Firefox. Don’t get me started on cryptography on the web, though.)
My goal was to get to pause.cpan.org. Having to modify the browser to visit a specific website is a non-starter for me, I'll just pull up another browser. My time is worth more than that.