Greetings!

*** Jonathan Lane [2021-07-21 18:47]:
>Is there a plan to get proper SSL certificates for the website? I can't
>access them from either w3m or Firefox on my machine because of trust
>issues.

I do not know any free CAs that can be trusted both by me and by major
OS/browser vendors. And I definitely won't play those business (not
security) games. Major OS/browser vendors, being US-based, were forced to
reject/remove all free CAs that are not under USA/NATO control to create
their own one (Let's Encrypt) under "proper" jurisdiction. Great and very
clever move indeed, because now most of the Web is authenticated by a
single centralized USA/NATO-controlled entity.

Previously I used the well-known CACert.org, but because of COVID they
were not able to access their datacenter to restore the interrupted
workability, so I was forced to choose another CA. Even with CACert.org
people were unsatisfied, because only minor OSes provide its certificate
out of the box.

So what is the choice?

* Do not use TLS -- but certificate pinning could be done and it could
  be useful for security
* Do not use X.509 at all, but TLS relies on it.
* Paid ones -- no way. They are not about security, but business.
* Let's Encrypt -- clearly it can be used for authentication forging. So
  why bother? Encryption could be done anyway.
* Other CAs, like CACert.org -- the majority of users will still be
  unsatisfied and CACert.org was down for a very long time.
* Self-signed certificate? Unlike Let's Encrypt with its very short-lived
  certificates, which practically forbids (harms very much) certificate
  pinning usage, long-lived self-signed ones are much more convenient
  with TOFU+pinning usage.
* Issued by own CA? The same as self-signed, but with just a single
  convenient trust anchor for my various resources.

My ca.cypherpunks.ru is also signed with my PGP key, having some
Web-of-Trust paths.

-- 
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: CF60 E89A 5923 1E76 E263  6422 AE1A 8109 E498 57EF
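
The TOFU+pinning model mentioned in the message above, as an added example that is not part of the original message or of the author's software: a client-side pin store that remembers the SHA-256 of a host's certificate on first contact and flags any later change. PinStore, simulate, the host names and the byte strings standing in for certificates are assumptions made for illustration.

```python
import hashlib, hmac, json, os, socket, ssl, tempfile

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate: the value that gets pinned."""
    return hashlib.sha256(der).hexdigest()

def fetch_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the server's leaf certificate with CA validation switched off."""
    # The pin check replaces the CA check, so run it before sending any data.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

class PinStore:
    """Hypothetical JSON-backed trust-on-first-use store: {host: fingerprint}."""
    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def _save(self) -> None:
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(self.pins, f, indent=1)
        os.replace(tmp, self.path)      # atomic, so a crash cannot truncate pins

    def check(self, host: str, der: bytes) -> str:
        fp = fingerprint(der)
        pinned = self.pins.get(host)
        if pinned is None:              # first contact: trust and remember
            self.pins[host] = fp
            self._save()
            return "first-use"
        # A mismatch never overwrites the pin; the user must verify out of band.
        return "match" if hmac.compare_digest(pinned, fp) else "mismatch"

def simulate(store: PinStore, host: str, certs: list) -> list:
    """Feed successive certificates seen for one host through the store."""
    return [store.check(host, der) for der in certs]

if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "pins.json")
    # Constructed stand-ins for DER certificates, not real ones.
    print(simulate(PinStore(path), "long.example", [b"cert-A"] * 3))
    print(simulate(PinStore(path), "short.example", [b"cert-1", b"cert-2", b"cert-3"]))
```

The long-lived certificate yields one first-use prompt followed by matches, while a certificate replaced on every visit yields a mismatch each time, which is the pinning cost of short-lived certificates that the message refers to.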