A river that needs crossing political and tech blogs - On the political side, there is arrogance and ignorance, on the geek side there is naivety and over- complexity

My videos are on these two youtube channels visionontv 3,832,876 views and undercurrents 22,689,976 views


Enter your email address:

« Back

Why indymedia has the "site is untrusted message"

Have you always wondered why IMC sites have the horrendous go away this site is dangerous message in most web browsers. Its because of this:

----- START Explanation from ****, **** -----

Security is a two-way street. When I go to a web site I have to prove to the web site that it's really me before the web site gives me access to anything private or restricted (such as access to my email). The most common way that is done is via a login in which I provide a username and a password. Because I supply the correct password, the server knows it really is me, because I'm the only one who knows my password.

But how do I know that the server I'm going to really is the server I want to go to? Just because I type https://docs.indymedia.org/ into my browser, doesn't mean that the server really is the Indymedia server that I think it is. Any number of things can happen via the Internet between my computer and the server I'm connecting to that might fool my computer into thinking I'm connecting to docs.indymedia.org when in fact I'm connecting to someone else's server specifically setup to look like the Indymedia server. If that were to happen, I might type in my username and password on this stranger's server that is acting like docs.indymedia.org, essentially handing over my identity to a stranger.

The purpose of security certificates is to ensure that the site I'm connecting to really is the one run by Indymedia.

Unfortunately, the technology for setting up this system is fundamentally flawed. It works like this:

* most major browsers, even free/open source ones like Firefox, are pre-configured to trust a pre-defined set of for-profit corporations to verify the identity of all web sites on the Internet.

* web site maintainers are expected to pay $75 or so to these corporations in exchange for a digital certificate verifying that we are who we say we are.

* once this digital certificate is installed on the web server, browsers will access the secure web site without any errors.

If you don't pay $75 for the certificate, then most people will get a security error. There's a word for a setup like this. It's called a "racket."

Rather than play this racket, Indymedia uses cacert.org to sign it's security certificates. cacert is a nonprofit organization that signs certificates for free. cacert is not pre-installed on most browsers, however, you can install it by following the directions here: http://wiki.cacert.org/BrowserClients If you install the cacert certificate, your browser will automatically trust all indymedia web sites that have been signed by cacert, so you will no longer get any error messages when you access them. However, in addition, your browser will trust *all* web sites signed by cacert (which could be a good thing or a bad thing depending on how cautious you are).

----- END Explanation -----

So, this addresses the "problem" that many of us experienced for many years. Its actually a nice opportunity for political education!

However, my understanding is that since last summer, even this explanation won't completely address the problem with the global site... I consulted with a few people offlist before responding to this because I didn't want to add to the confusion. It appears that our security certificate for the global server has explicitly been revoked – see: https://lists.indymedia.org/pipermail/imc-tech/2011-June/0602-g4.html It appears that this may have taken place in conjunction with the conflicts in the UK group. So, even if you import the cacert certificate to your browser (following the instructions below), you may still get a problem connecting to the site. I'm not sure if this means that we can never again have a viable certificate through cacert or whether we have to purchase one from the racket that **** refers to?

Hope this is helpful, ****

Trackback URL: