www.spi-inc.org uses an invalid security certificate

TJ spi-inc at iam.tj
Thu Feb 27 23:46:32 UTC 2014


On 27/02/14 23:32, Jimmy Kaplowitz wrote:
> On Thu, Feb 27, 2014 at 08:48:35PM +0000, TJ wrote:
>> If that is the intent then the URL I accessed should *not* be served over HTTPS at all.
> [...]
>> Not having heard of SPI previously I wanted to verify the organisation's
>> authenticity. Finding what seemed like an amateurish fault on the SPI host
>> certificate too, my willingness to trust the CA was greatly diminished.
> 
> It's a valid point that the user experience might be clearer if both URLs were
> separated to be served from different IPs, or the certificate updated to
> include spi-inc.org & www.spi-inc.org and either HTTPS serving enabled or a
> redirect to HTTP installed. I'll make sure our sysadmins notice this thread.

Most sites and browsers support SNI, in which case multiple IPs aren't required, although to
handle those user agents that don't support SNI it is usual to make the server's default site
be the primary HTTPS site for the organisation.

Instead of several additional ALT Subject Names just use the wildcard "*.spi-inc.org" in addition to a CN of "spi-inc.org".
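
As an added illustration (not part of the original message), the Python sketch below checks which hostnames a certificate's name list covers under RFC 6125-style wildcard rules, showing why the bare domain has to be listed alongside "*.spi-inc.org". It assumes the names are carried as subjectAltName DNS entries; the function names and the sample host list are constructed for this example.

```python
"""Added example: which hostnames does a certificate's DNS name list cover?"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A wildcard is honoured only as the whole left-most label and
    stands for exactly one label (RFC 6125 style matching).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    head, rest = p_labels[0], p_labels[1:]
    if any("*" in label for label in rest):
        return False  # wildcard outside the left-most label
    if head == "*":
        # Require two fixed labels so that "*.org" can never match.
        return len(rest) >= 2 and rest == h_labels[1:]
    if "*" in head:
        return False  # partial wildcards such as "w*" are rejected
    return p_labels == h_labels


def covered(cert_names, hostnames):
    """Map each hostname to True if any certificate name matches it."""
    return {
        host: any(dns_name_matches(name, host) for name in cert_names)
        for host in hostnames
    }


# Constructed inputs: the two names from the thread plus a deeper
# subdomain (a.b.spi-inc.org) invented to show the one-label limit.
HOSTS = ["spi-inc.org", "www.spi-inc.org", "a.b.spi-inc.org"]
WILDCARD_ONLY = ["*.spi-inc.org"]
SUGGESTED = ["spi-inc.org", "*.spi-inc.org"]

if __name__ == "__main__":
    for label, names in (("wildcard only", WILDCARD_ONLY),
                         ("bare domain + wildcard", SUGGESTED)):
        print(label)
        for host, ok in covered(names, HOSTS).items():
            print(f"  {host:<20} {'covered' if ok else 'NOT covered'}")
```

The wildcard alone leaves the bare domain uncovered, and neither list covers a name two labels below the domain.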

