Certificate File: ca.crt (1k)
Alternate (DER format): ca-der.crt (1k)
This link makes mhn.org a trusted root certification authority. All other mhn.org, yetta.net and related secure sites are signed by this CA. If you install this, then you won't get the certificate error message when you visit our secure web pages, or when you try to use IMAP/SSL or POP3/SSL in Outlook.
The reason we use our own CA certificate is simply that since we're non-commercial, we don't want to pay hundreds of dollars to buy a new certificate for each of our secure web or e-mail servers (we have several). Normally, in a commercial environment, we would pay a certifying authority to do an internationally accredited hand-waving rain dance where they verify the authenticity of our authenticity. But because we have no budget, in this case the only entity claiming we're us is us. Due to the nature of SSL, the only way we can do this without third-party involvement (read: payment) is by granting ourselves the ability to certify anyone as anything (hence, "trusted root"). We then use our trusted root CA to certify ourselves as ourselves. [Edit: This was written in 2001. Now that it's 2011, certificates are a lot cheaper, so we are only keeping the root CA active out of ideological principle - the ideology in this case being laziness.]
If you're concerned about the high level of trust this implies, you're probably right. If something went wrong, then just anyone would be able to certify any web site. Perhaps this page is being sent to you right now by a compromised web server that wants to hijack your session so it can steal all your future high-value mhn.org encrypted traffic. If so, then for heaven's sake don't click on the link! Of course, there's really no way for you to know if this is happening. We could tell you that if you have the correct certificate, then its SHA1 thumbprint should be 07 d9 3a 44 04 43 af 5d fd 9e 63 a2 c0 b7 80 39 eb 8c 83 53, but if they can send you a fake certificate then they could fake this page too. The fiends!
Or perhaps you're concerned that the evil geniuses here at mhn.org want to get our fingers into your browser so that we can make you trust our compromised versions of other web sites for unknown nefarious purposes. Maybe we want to subvert your Windows Update channel and send you patches that crash your computer instead of fixing it! (Er, except...well, never mind.) [Edit: This hasn't improved much in ten years.]
To this, all we can say is that if you really don't trust us, then please don't install the certificate. You'll just have to keep clicking on the error message, and not use POP3 or IMAP over SSL. But keep in mind that we're only asking you to trust us as much as you already trust the National Retail Federation, NetLock Kozjegyzoi Tanusitvanykiado, United Parcel Service, Saunalahden Serveri, or Equifax (all of which are preinstalled in Internet Explorer 6.0). And if you're doing this because you want to use the POP3 or IMAP capability, then you should probably know that we already read your e-mail whenever there's nothing good on television. You are, after all, storing it in our basement. [Edit: We've stopped doing this because we are living in the future now, so we have smartphones that run Angry Birds and Peggle and Plants vs Zombies. This makes boredom much less of a problem for us.]
If you decide to install the certificate, just click on the link, and something useful will happen. If it doesn't, try the second link. On Windows, you have to manually select the certificate store and choose "Trusted Root Certificate Store."
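The thumbprint comparison mentioned above can be done on the downloaded file before it goes anywhere near a trust store. This is an added example, not part of the original page; it assumes ca.crt is PEM-encoded, and the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re
import sys

# Thumbprint exactly as published on this page (SHA-1, spaced hex pairs).
PUBLISHED_SHA1 = "07 d9 3a 44 04 43 af 5d fd 9e 63 a2 c0 b7 80 39 eb 8c 83 53"

# Constructed stand-in bytes for the self-check below; NOT a real certificate.
SAMPLE_DER = b"abc"

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return DER bytes for a certificate file that is either PEM or DER."""
    m = _PEM_RE.search(data)
    if m is None:
        return data  # no PEM armour found: treat the file as raw DER
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour (used here only to build test input)."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


def normalize(thumbprint: str) -> str:
    """Turn '07 D9:3A ...' into 40 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[\s:]", "", thumbprint).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError("not a SHA-1 thumbprint: %r" % thumbprint)
    return digits


def sha1_thumbprint(cert_file: bytes) -> str:
    """SHA-1 over the DER encoding, so a PEM and a DER copy hash the same."""
    return hashlib.sha1(to_der(cert_file)).hexdigest()


def matches(cert_file: bytes, expected: str) -> bool:
    """True when the file's thumbprint equals the expected one."""
    return sha1_thumbprint(cert_file) == normalize(expected)


if __name__ == "__main__":
    # Usage: python check_thumbprint.py ca.crt   (no argument runs the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else to_pem(SAMPLE_DER)
    print(sha1_thumbprint(data), "match" if matches(data, PUBLISHED_SHA1) else "MISMATCH")
```

The comparison is only as trustworthy as the channel the expected thumbprint arrived through, so pass `matches` a value obtained separately from the download.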
Author: graham@mhn.org
Last Updated: 6/24/11