On the same day as the Tails 0.10 release, our website also started using a commercial SSL certificate. This new certificate replaces the previous non-commercial certificate issued by the CACert certificate authority.

What are SSL certificates?

Using HTTPS instead of plain HTTP to connect to a website allows you to encrypt your communication with the server. But encryption alone does not guarantee that you are talking with the right server, and not with someone impersonating it, for example in the case of a man-in-the-middle attack.

SSL certificates try to solve this problem. An SSL certificate is usually issued by a certificate authority to attest to the identity of a server. When a user visits a website with a browser, the browser automatically trusts the site's SSL certificate if it trusts the certificate authority that issued it.

Commercial certificate authorities make a living by selling SSL certificates, and they are usually trusted automatically by most browsers. Other, non-commercial certificate authorities such as CACert have to be installed into the operating system, or accepted manually by the user when visiting the website, to avoid security warnings.

Weaknesses of the system

But this trust system has proven to be flawed in many ways. For example, during 2011, two certificate authorities were compromised, and many fake certificates were issued and used in the wild. See Comodo: The Recent RA Compromise and The Tor Project: The DigiNotar Debacle, and what you should do about it.

It is clear to us that getting a commercial SSL certificate is not enough to strongly authenticate our website, or, for example, the authenticity of our releases. That's why we always propose stronger ways of authenticating our Tails releases, using OpenPGP signatures.

Why get a commercial certificate then?

We decided to get a commercial certificate for the following reasons:

  • It makes it harder to set up a simplistic man-in-the-middle attack against the people who did not use HTTPS so far to visit our website.
  • Our website is now only accessible over HTTPS. This is important, for example, for the confidentiality of people who want to post on the forum.
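The trust model described above (a browser accepts a server certificate only if the issuing CA is in its trust store, which is why a CACert root had to be installed by hand, and why an impersonating certificate from an untrusted issuer fails) can be reproduced on the command line. The following script is an added example and is not part of the original Tails post; it assumes the `openssl` command-line tool is installed, and every name in it (the "Example Non-Commercial CA", the hostname `example.invalid`) is made up for illustration.

```shell
#!/bin/sh
# Added example, not from the Tails post. Builds a tiny PKI with openssl and
# checks a server certificate against two different trust stores, mirroring
# what a browser does when it decides whether to show a security warning.
# Assumption: the `openssl` CLI is available. All names below are fictitious.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A self-signed root CA, standing in for a non-commercial CA such as CACert.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Example Non-Commercial CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. The website's key and certificate signing request (hypothetical host).
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=example.invalid" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# 3. The CA signs the website's certificate.
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -sha256 \
  -out "$WORK/server.crt" 2>/dev/null

# 4. A self-signed certificate claiming the same hostname but issued by nobody
#    the browser trusts: this is what a simplistic impersonation looks like
#    from the verifier's side (constructed for the demo, not a real attack).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=example.invalid" \
  -keyout "$WORK/impostor.key" -out "$WORK/impostor.crt" 2>/dev/null

# 5. An empty trust store: a browser that has never installed the CA root.
: > "$WORK/empty.pem"

# trusted_by_store <certificate> <trust-store PEM>
# Prints "trusted" and returns 0 if the certificate chains to a CA in the
# store, otherwise prints "untrusted" and returns 1 (the browser-warning case).
trusted_by_store() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo "trusted"
    return 0
  fi
  echo "untrusted"
  return 1
}

# Browser without the CA root installed: warning.
printf 'server cert, CA not installed: '
trusted_by_store "$WORK/server.crt" "$WORK/empty.pem" || true

# Same browser after the user installed the CA root (the CACert situation).
printf 'server cert, CA installed:     '
trusted_by_store "$WORK/server.crt" "$WORK/ca.crt"

# The impostor certificate is rejected even with the CA root installed,
# because no trusted CA vouches for it.
printf 'impostor cert, CA installed:   '
trusted_by_store "$WORK/impostor.crt" "$WORK/ca.crt" || true
```

Run it with `sh`; it prints one line per check and cleans up its temporary directory on exit. The middle check succeeds only because the CA root was handed to `openssl verify` explicitly, which is exactly the manual step that a non-commercial CA imposed on visitors and that a CA already present in the browser's default store removes.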