www.spi-inc.org uses an invalid security certificate
Jimmy Kaplowitz
jimmy at spi-inc.org
Thu Feb 27 23:32:46 UTC 2014
On Thu, Feb 27, 2014 at 08:48:35PM +0000, TJ wrote:
> If that is the intent then the URL I accessed should *not* be served over HTTPS at all.
[...]
> Not having heard of SPI previously I wanted to verify the organisation's
> authenticity. Finding what seemed like an amateurish fault on the SPI host
> certificate too, my willingness to trust the CA was greatly diminished.
It's a valid point that the user experience might be clearer if both URLs were
separated to be served from different IPs, or the certificate updated to
include spi-inc.org & www.spi-inc.org and either HTTPS serving enabled or a
redirect to HTTP installed. I'll make sure our sysadmins notice this thread.
That said, from a technical perspective, the browser certificate warning occurs
before the server even knows which URL you're trying to access. I realize that
this is not obvious, and this perception issue is why the most high-profile
sites do one of the workarounds described above.
- Jimmy Kaplowitz
jimmy at spi-inc.org
More information about the Spi-general
mailing list