The Guardian also open-sourced a test SSL cert

33 points| boyander | 12 years ago |github.com | reply

13 comments

[+] ctz|12 years ago|reply

  Issuer: C=GB, ST=London, L=London, O=GU, OU=tech, CN=*.int.gnl/[email protected]
  Subject: C=GB, ST=London, L=London, O=GU, OU=tech, CN=*.int.gnl/[email protected]

This isn't the Guardian's certificate. It's self-signed, for starters.
[+] vxxzy|12 years ago|reply
This is just a self-signed cert.
[+] sgtpepper|12 years ago|reply
They updated it with this comment:

> this is a TEST key for local development - NOT an important key

[+] quasse|12 years ago|reply
HTTPS does not seem to be properly configured on their servers anyway, I get a "You attempted to reach www.theguardian.com, but instead you actually reached a server identifying itself as *.a.ssl.fastly.net." error when trying to connect over HTTPS.

That's interesting because they do have content protected by a sign-in system. Are they just not using HTTPS for that? I kind of expected more from the Guardian.

[+] lotsofcows|12 years ago|reply
It's a CDN. CloudFlare operates the same way.
[+] clone1018|12 years ago|reply
Wouldn't this allow someone to do a full man-in-the-middle attack with a compromised server/DNS server?
[+] pritambaral|12 years ago|reply
If it were the actual cert they're using, yes.
[+] anilshanbhag|12 years ago|reply
So now anyone snooping on visitors to the Guardian's site can decrypt the communication. Don't see why anyone would waste time on this given that there is no 'money' involved.
[+] samuel1604|12 years ago|reply
It's not the real one, it's a test SSL cert.
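
The two name checks the thread turns on (Issuer equal to Subject, and a wildcard name that does not cover the requested host), as an added example that is not part of the thread or of the Guardian's repository. The DN omits the e-mail attribute because it is obscured on the page, `dev.int.gnl` is a constructed hostname, and the function names are hypothetical; no signature or chain validation is performed.

```python
# Added example: name comparisons only, no cryptographic verification.

# DN as quoted in the thread, without the obscured e-mail attribute.
TEST_CERT_DN = "C=GB, ST=London, L=London, O=GU, OU=tech, CN=*.int.gnl"

def parse_dn(dn):
    """Split an OpenSSL-style 'K=V, K=V' distinguished name into ordered pairs."""
    pairs = []
    for part in dn.split(", "):
        key, _, value = part.partition("=")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs

def is_self_issued(issuer, subject):
    """Issuer == Subject means self-issued. Every self-signed certificate has
    this property, but proving self-signed also needs a signature check
    against the certificate's own public key (not done here)."""
    return parse_dn(issuer) == parse_dn(subject)

def hostname_matches(pattern, hostname):
    """RFC 6125-style match: '*' is accepted only as the entire left-most
    label and stands for exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False  # wildcard anywhere but the left-most label
    if p_labels[0] == "*":
        # Conservative choice: require two fixed labels, so '*.com' never matches.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in p_labels[0]:
        return False  # partial wildcards such as 'w*' are rejected here
    return p_labels == h_labels

def thread_checks():
    """Run the checks against the names quoted in the thread."""
    return {
        "test_cert_self_issued": is_self_issued(TEST_CERT_DN, TEST_CERT_DN),
        "cdn_cert_covers_site": hostname_matches("*.a.ssl.fastly.net", "www.theguardian.com"),
        "test_cert_covers_site": hostname_matches("*.int.gnl", "www.theguardian.com"),
        "test_cert_covers_internal": hostname_matches("*.int.gnl", "dev.int.gnl"),
    }

if __name__ == "__main__":
    for name, result in thread_checks().items():
        print(name, result)
```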