
digitalmars.D.announce - https everywhere update - dlang.org gets an "A" now!

reply Walter Bright <newshound2 digitalmars.com> writes:
On 11/24/2015 10:59 AM, David Nadlinger wrote:
 On Monday, 23 November 2015 at 20:55:32 UTC, Walter Bright wrote:
 I'm pleased to announce that Jan Knepper has gotten us some proper
 certificates now, and dlang.org and digitalmars.com are now fully https!
There are a number of issues with how SSL is set up on the server, from misconfiguration and/or outdated software: https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org&hideResults=on Compare this e.g. to issues.dlang.org, which achieves a solid A grade (although it uses a SHA-1 intermediary certificate, which will lead to issues soon): https://www.ssllabs.com/ssltest/analyze.html?d=issues.dlang.org&hideResults=on — David
https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org&hideResults=on

Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.
Dec 02 2015
next sibling parent reply Brad Anderson <eco gnuk.net> writes:
On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright 
wrote:
 https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org&hideResults=on

 Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.
Nice work by Jan. I know how big of a hassle things like this can be so taking the time to actually do it is much appreciated. On a related note, Let's Encrypt hit public beta today[1]. With that I think we should be able to get all of the official infrastructure on TLS now. It's unfortunate it didn't come a bit sooner because now the NSA knows I read the entire DUB JSON thread, much to my shame. 1. https://letsencrypt.org/2015/12/03/entering-public-beta.html
Dec 03 2015
next sibling parent reply Brad Roberts via Digitalmars-d-announce writes:
On 12/3/15 5:38 PM, Brad Anderson via Digitalmars-d-announce wrote:
 On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright wrote:
 https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org&hideResults=on

 Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.
Nice work by Jan. I know how big of a hassle things like this can be so taking the time to actually do it is much appreciated. On a related note, Let's Encrypt hit public beta today[1]. With that I think we should be able to get all of the official infrastructure on TLS now. It's unfortunate it didn't come a bit sooner because now the NSA knows I read the entire DUB JSON thread, much to my shame. 1. https://letsencrypt.org/2015/12/03/entering-public-beta.html
I'm glad that letsencrypt is out there doing the publicity, but getting and using ssl certs has been free via startssl for several years now. What this new group is doing is the PR and marketing to get people to do it, of course under their own umbrella rather than another company's. - Brad
Dec 03 2015
parent reply David Nadlinger <code klickverbot.at> writes:
On Friday, 4 December 2015 at 02:29:52 UTC, Brad Roberts wrote:
 I'm glad that letsencrypt is out there doing the publicity, but 
 getting and using ssl certs has been free via startssl for 
 several years now.  What this new group is doing is the PR and 
 marketing to get people to do it, of course under their own 
 umbrella rather than another company's.
The free StartSSL thing was also nigh-unusable – when I gave it a try, their in-browser CSR gen thing broke on whatever recent version of Firefox I was using, which left me with no cert, but them claiming I had exhausted their offer. They also have this weird thing where they offer "one host name plus domain" only, and charge users for revoking their cert (!). — David
Dec 03 2015
parent Brad Roberts via Digitalmars-d-announce writes:
On 12/3/2015 6:55 PM, David Nadlinger via Digitalmars-d-announce wrote:
 On Friday, 4 December 2015 at 02:29:52 UTC, Brad Roberts wrote:
 I'm glad that letsencrypt is out there doing the publicity, but
 getting and using ssl certs has been free via startssl for several
 years now.  What this new group is doing is the PR and marketing to
 get people to do it, of course under their own umbrella rather than
 another company's.
The free StartSSL thing was also nigh-unusable – when I gave it a try, their in-browser CSR gen thing broke on whatever recent version of Firefox I was using, which left me with no cert, but them claiming I had exhausted their offer. They also have this weird thing where they offer "one host name plus domain" only, and charge users for revoking their cert (!). — David
Interesting.. I've never had any problems, though I've never needed to revoke a cert.
Dec 03 2015
prev sibling parent Jacob Carlborg <doob me.com> writes:
On 2015-12-04 02:38, Brad Anderson wrote:

 It's unfortunate it didn't come a bit sooner because now the NSA
 knows I read the entire DUB JSON thread, much to my shame.
You can expect a bill for "Wasting Time" in the mail anytime soon now :) -- /Jacob Carlborg
Dec 03 2015
prev sibling next sibling parent David Nadlinger <code klickverbot.at> writes:
On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright 
wrote:
 https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org&hideResults=on

 Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.
Thanks! Also displays as https in Chrome now.  — David
Dec 03 2015
prev sibling next sibling parent Saurabh Das <saurabh.das gmail.com> writes:
On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright 
wrote:
 On 11/24/2015 10:59 AM, David Nadlinger wrote:
 On Monday, 23 November 2015 at 20:55:32 UTC, Walter Bright
wrote:
 [...]
proper
 [...]
fully https!
 There are a number of issues with how SSL is set up on the
server, from
 misconfiguration and/or outdated software:
 
https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org&hideResults=on
 Compare this e.g. to issues.dlang.org, which achieves a solid
A grade (although
 it uses a SHA-1 intermediary certificate, which will lead to
issues soon):
 
https://www.ssllabs.com/ssltest/analyze.html?d=issues.dlang.org&hideResults=on
   — David
https://www.ssllabs.com/ssltest/analyze.html?d=dlang.org&hideResults=on

Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.
This is great. Can the certificate also be used for forum.dlang.org? I get a warning when I visit https://forum.dlang.org
Dec 04 2015
prev sibling next sibling parent deadalnix <deadalnix gmail.com> writes:
Forum widgets are broken on the home page.
Dec 05 2015
prev sibling next sibling parent reply mattcoder <stop spam.com> writes:
On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright 
wrote:
 Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.
This is what I get when I try: https://www.dlang.org/ "Your connection is not private Attackers might be trying to steal your information from www.dlang.org (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID" Matheus.
Dec 05 2015
next sibling parent reply Adil Baig via Digitalmars-d-announce writes:
+1 Same error. This part may help :

This server could not prove that it is www.dlang.org; its security
certificate is from dlang.org

You will need a wild-card certificate (cheaper) or a certificate that
allows multiple domain names (more expensive, and probably not required)
for the cert to work.

Adil

On Sun, Dec 6, 2015 at 10:42 AM, mattcoder via Digitalmars-d-announce <
digitalmars-d-announce puremagic.com> wrote:

 On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright wrote:

 Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.
This is what I get when I try: https://www.dlang.org/ "Your connection is not private Attackers might be trying to steal your information from www.dlang.org (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID" Matheus.
Dec 06 2015
next sibling parent reply Steven Schveighoffer <schveiguy yahoo.com> writes:
On 12/6/15 3:29 AM, Adil Baig via Digitalmars-d-announce wrote:
 +1 Same error. This part may help :

 This server could not prove that it is *www.dlang.org
 <http://www.dlang.org>*; its security certificate is from*dlang.org
 <http://dlang.org>*
 *
 *
 You will need a wild-card certificate (cheaper) or a certificate that
 allows multiple domain names (more expensive, and probably not required)
 for the cert to work.
Or redirect www.dlang.org to dlang.org -Steve
Dec 06 2015
parent reply Marc Schütz <schuetzm gmx.net> writes:
On Sunday, 6 December 2015 at 14:17:18 UTC, Steven Schveighoffer 
wrote:
 On 12/6/15 3:29 AM, Adil Baig via Digitalmars-d-announce wrote:
 +1 Same error. This part may help :

 This server could not prove that it is *www.dlang.org
 <http://www.dlang.org>*; its security certificate is 
 from*dlang.org
 <http://dlang.org>*
 *
 *
 You will need a wild-card certificate (cheaper) or a 
 certificate that
 allows multiple domain names (more expensive, and probably not 
 required)
 for the cert to work.
Or redirect www.dlang.org to dlang.org -Steve
That won't help if someone already starts at https://www.dlang.org/ .
Dec 06 2015
parent reply Steven Schveighoffer <schveiguy yahoo.com> writes:
On 12/6/15 11:32 AM, Marc Schütz wrote:
 On Sunday, 6 December 2015 at 14:17:18 UTC, Steven Schveighoffer wrote:
 On 12/6/15 3:29 AM, Adil Baig via Digitalmars-d-announce wrote:
 +1 Same error. This part may help :

 This server could not prove that it is *www.dlang.org
 <http://www.dlang.org>*; its security certificate is from*dlang.org
 <http://dlang.org>*
 *
 *
 You will need a wild-card certificate (cheaper) or a certificate that
 allows multiple domain names (more expensive, and probably not required)
 for the cert to work.
Or redirect www.dlang.org to dlang.org
That won't help if someone already starts at https://www.dlang.org/ .
I'm surprised it wouldn't. I wouldn't think a redirect would need to be encrypted. -Steve
Dec 07 2015
parent reply Kapps <opantm2+spam gmail.com> writes:
On Monday, 7 December 2015 at 14:38:39 UTC, Steven Schveighoffer 
wrote:
 On 12/6/15 11:32 AM, Marc Schütz wrote:
 On Sunday, 6 December 2015 at 14:17:18 UTC, Steven 
 Schveighoffer wrote:
 On 12/6/15 3:29 AM, Adil Baig via Digitalmars-d-announce 
 wrote:
 +1 Same error. This part may help :

 This server could not prove that it is *www.dlang.org
 <http://www.dlang.org>*; its security certificate is 
 from*dlang.org
 <http://dlang.org>*
 *
 *
 You will need a wild-card certificate (cheaper) or a 
 certificate that
 allows multiple domain names (more expensive, and probably 
 not required)
 for the cert to work.
Or redirect www.dlang.org to dlang.org
That won't help if someone already starts at https://www.dlang.org/ .
I'm surprised it wouldn't. I wouldn't think a redirect would need to be encrypted. -Steve
It does. Otherwise you could bypass HTTPS entirely by replacing the redirect page with a non-encrypted copy of the dlang website with whatever modifications you like.
Dec 07 2015
parent Chris Wright <dhasenan gmail.com> writes:
On Mon, 07 Dec 2015 14:48:52 +0000, Kapps wrote:
 On Monday, 7 December 2015 at 14:38:39 UTC, Steven Schveighoffer wrote:
 I'm surprised it wouldn't. I wouldn't think a redirect would need to be
 encrypted.

 -Steve
It does. Otherwise you could bypass HTTPS entirely by replacing the redirect page with a non-encrypted copy of the dlang website with whatever modifications you like.
Well, only if you're trying to protect against MITM attacks. If you're only worried about people packet sniffing, you can redirect from an unencrypted page without a care. In a situation like this, where approximately no sensitive information is going back and forth, MITM isn't much of a concern (and packet sniffing isn't, either, for the most part, except if you're logging in with a password you reuse elsewhere).
Dec 07 2015
prev sibling parent Kapps <opantm2+spam gmail.com> writes:
On Sunday, 6 December 2015 at 08:29:07 UTC, Adil Baig wrote:
 +1 Same error. This part may help :

 This server could not prove that it is *www.dlang.org 
 <http://www.dlang.org>*; its security certificate is 
 from*dlang.org <http://dlang.org>*

 You will need a wild-card certificate (cheaper) or a 
 certificate that
 allows multiple domain names (more expensive, and probably not 
 required)
 for the cert to work.

 Adil
StartSSL allows for one subdomain on their free plan (which is generally the www subdomain). Letsencrypt allows for I think 5 atm as well.
Dec 06 2015
prev sibling parent lobo <swamplobo gmail.com> writes:
On Sunday, 6 December 2015 at 05:12:29 UTC, mattcoder wrote:
 On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright 
 wrote:
 Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.
This is what I get when I try: https://www.dlang.org/ "Your connection is not private Attackers might be trying to steal your information from www.dlang.org (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID" Matheus.
This is what I get on Firefox: This Connection is Untrusted You have asked Firefox to connect securely to www.dlang.org, but we can't confirm that your connection is secure. [snip]... Technical Details www.dlang.org uses an invalid security certificate. The certificate is only valid for dlang.org (Error code: ssl_error_bad_cert_domain) bye, lobo
Dec 06 2015
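
The hostname mismatch reported in the posts above (a certificate valid only for dlang.org presented for www.dlang.org), as an added example that is not part of the original thread: a simplified RFC 6125-style name check run against the three certificate options the thread mentions. The name lists and function names are constructed for illustration, and the "at least three labels" wildcard rule stands in for the public-suffix check real clients perform.

```python
# Added example: match a requested hostname against the DNS names in a
# certificate. Not code from dlang.org; all name lists are constructed.

def _labels(name):
    return name.lower().rstrip(".").split(".")

def name_matches(pattern, host):
    """True if one certificate DNS name covers the requested host."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so label counts must agree.
        return False
    if p[0] == "*":
        # Wildcard is honoured only as the whole leftmost label, and
        # (simplification) never directly under a top-level domain.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_covers(cert_names, host):
    return any(name_matches(n, host) for n in cert_names)

def https_redirect_deliverable(cert_names, start_host):
    """The TLS handshake finishes before any HTTP response is sent, so a
    redirect from https://start_host/ reaches the browser only if the
    certificate already covers start_host."""
    return cert_covers(cert_names, start_host)

# Constructed name sets for the options discussed in the thread.
SINGLE_NAME = ["dlang.org"]                    # what the browsers reported
WILDCARD = ["*.dlang.org"]                     # wildcard certificate
MULTI_NAME = ["dlang.org", "www.dlang.org"]    # multi-domain certificate

if __name__ == "__main__":
    options = [("single", SINGLE_NAME), ("wildcard", WILDCARD),
               ("multi", MULTI_NAME)]
    for label, names in options:
        for host in ("dlang.org", "www.dlang.org", "forum.dlang.org"):
            verdict = "ok" if cert_covers(names, host) else "MISMATCH"
            print(f"{label:9} {host:16} {verdict}")
```

A wildcard name on its own does not cover the bare domain, so a wildcard certificate also needs dlang.org listed as a second name to serve both hosts.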
prev sibling next sibling parent Sönke Ludwig <sludwig rejectedsoftware.com> writes:
Now also certified (Let's Encrypt made this really straightforward):

https://code.dlang.org/
https://forum.rejectedsoftware.com/
https://vibed.org/

All pass with an A for the ssllabs.com test. I'll also set up default 
HTTP->HTTPS redirects.
Dec 08 2015
prev sibling parent reply Basile B. <b2.temp gmx.com> writes:
On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright 
wrote:
 Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.
https://www.youtube.com/watch?v=OqkYr5uIreg&feature=youtu.be&t=49s
Dec 11 2015
parent reply Basile B. <b2.temp gmx.com> writes:
On Friday, 11 December 2015 at 21:22:06 UTC, Basile B. wrote:
 On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright 
 wrote:
 Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.
https://www.youtube.com/watch?v=OqkYr5uIreg&feature=youtu.be&t=49s
we're safe...
Dec 11 2015
parent Basile B. <b2.temp gmx.com> writes:
On Friday, 11 December 2015 at 21:24:07 UTC, Basile B. wrote:
 On Friday, 11 December 2015 at 21:22:06 UTC, Basile B. wrote:
 On Wednesday, 2 December 2015 at 22:17:20 UTC, Walter Bright 
 wrote:
 Dlang.org gets an "A" now! Thanks to Jan Knepper's efforts.
https://www.youtube.com/watch?v=OqkYr5uIreg&feature=youtu.be&t=49s
we're safe...
I hope you get the irony...
Dec 11 2015