[sword-devel] Mailing list archives are insecure!
pinoaffe
pinoaffe at gmail.com
Sat May 3 09:37:59 EDT 2025
Hello,
David Haslam <dfhdfh at protonmail.com> writes:
> It remains the case that the list archive / server has an insecure connection that uses only HTTP.
>
> We should upgrade it ASAP to use HTTPS to avoid all the Browser
> Warnings!
Do you *still* not understand what's going on?
> So are you saying that nobody at CrossWire cares a diddly squat that
> strangers can connect straight to the archives without having to login
> via a secure connection?
Based on this mail, it definitely appears so.
> With all the kerfuffle/hilarity about my use of Leo, we seem to have
> lost sight of the main point!
No, the main point is that you used an "AI" predictive text generator
and trusted it too much, that you therefore opened an incorrect URL, and
that you completely misunderstood what was going on when faced with a
warning. You then sent several overly alarmist messages, and didn't let
others lessen your misunderstandings.

The mailing list archives are accessible through both http and https,
and when accessed through https the server serves up a correct
certificate for the crosswire domain, just not for all of its
subdomains. If you therefore use an improper subdomain to access the
link, you will receive a valid certificate, it just won't match the
(incorrect) subdomain. This is not a security issue, it might even have
the happy side effect of getting people to use the correct URL.

Furthermore, even if the webserver did not listen to arbitrary subdomain
requests, anyone could set up a reverse proxy and mirror the content
(including SSL connection) on any domain (say, stop-using-llms.org) -
users would rightly be met with a warning, but there would be no
security issue on the crosswire site.
Kind regards,
pinoaffe
PS: *please* stop using Leo (and similar "AI" "agents"), especially when
looking up basic information or concepts. Just use whatever search
engine you like instead. LLMs are just text predictors, and if the
answers they give you happen to be correct that's purely due to
coincidence.
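
The hostname check discussed in the message above, as an added example that is not part of the original e-mail: a certificate can be perfectly valid for one name and still fail to match the name the client was pointed at. The SAN entries and hostnames are constructed placeholders under example.org and example.net, and the wildcard rule used is the strict one (a wildcard must be the whole left-most label).

```python
# Added illustration: all certificate names and hostnames here are constructed.

def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop one trailing root dot, split into labels."""
    return name.rstrip(".").lower().split(".")

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName entry against the requested hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False                      # a wildcard never spans several labels
    if any("*" in label for label in p[1:]):
        return False                      # wildcard only allowed in first label
    if p[0] == "*":
        # Need two fixed labels after the wildcard, so "*.org" matches nothing.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False                      # partial-label wildcards are rejected
    return p == h

def check_hostname(san_dns_names: list[str], hostname: str) -> bool:
    """True if any subjectAltName dNSName covers the hostname the client used."""
    return any(dns_name_matches(n, hostname) for n in san_dns_names)

if __name__ == "__main__":
    # Constructed certificate: covers the domain and one subdomain only.
    cert = ["example.org", "www.example.org"]
    requests = [
        "www.example.org",     # correct URL: name is on the certificate
        "lists.example.org",   # wrong subdomain: valid cert, name mismatch
        "mirror.example.net",  # mirrored on another domain: name mismatch
    ]
    for host in requests:
        verdict = "match" if check_hostname(cert, host) else "MISMATCH (warning)"
        print(f"{host:22} {verdict}")
```

A mismatch here says only that the presented certificate does not name the host that was requested; the certificate itself and the site it was issued to are unaffected.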