BLU Discuss list archive
[Discuss] free SSL certs from the EFF
- Subject: [Discuss] free SSL certs from the EFF
- From: tmetro+blu at gmail.com (Tom Metro)
- Date: Thu, 20 Nov 2014 00:25:41 -0500
- In-reply-to: <BN3PR0401MB1204BAB10AE6249C54E4E81BDC760@BN3PR0401MB1204.namprd04.prod.outlook.com>
- References: <546C4823.6060900@gmail.com> <BN3PR0401MB1204BAB10AE6249C54E4E81BDC760@BN3PR0401MB1204.namprd04.prod.outlook.com>
Edward Ned Harvey (blu) wrote:
> Tom Metro wrote:
>> ...if the host name even sounds like a site that might sell things
>> (e-commerce), they won't issue a cert.
>
> Huh? I use them for numerous companies, including e-commerce.
> Where'd you hear that?

Directly from them when I applied for a cert. Here:

https://www.startssl.com/?app=39

It says:

  The StartSSL Free (Class 1) digital certificates...provide modest
  assurances and are meant to secure personal web sites, public forums
  or web mail.

And when I applied for a cert for a domain with "shop" in the name,
even though it had no e-commerce, they rejected it with:

  Thank you for requesting a digital certificate with us. However
  Class 1 certificates are not meant to be used for commercial
  activities or financial transactions according to our policy. For
  this purpose please consider upgrading to Class 2 or higher
  verification level.

Their documentation could state this limitation more clearly.

I explained to them the site had nothing to do with financial
transactions, to which they responded:

  Unfortunately we can't control for which exact purpose you are/will
  be using the certificates. The rejection has been triggered by the
  'shop' key word at your domain which is not allowed at Class 1 Free
  certificates. Financial institutions and e-commerce web sites must
  upgrade to a validated level. Thank you for your understanding.

So basically if you sound like a store, you're out of luck. If you
don't sound like a store, you can use the cert for whatever you want.
Automation at its finest. (Not sure why they bother to have humans
sending out and responding to the notices if they aren't empowered to
override the automation.)

> if I've been accidentally slipping through the cracks all these
> years.

Yes, you have.

>> But EFF isn't stopping with merely making the certs free. You still
>> have to jump through a few hoops with StartCom, and it sounds like
>> EFF wants to add more automation to the issuing process to make it
>> faster/trivial to add SSL to a site.
>
> I think when you say you have to jump through a few hoops with
> startssl, you just mean you have to receive the validation email(s)
> and either figure out how to generate your own CSR, or trust them to
> generate the private key for you. And then you download the cert and
> install it into apache (or whatever.)

Yes. Plus pretty much every cert I've requested from StartCom has
prompted one of their support people to email requesting additional
identifying information.

> Whereas these guys have the tool that basically automates all that
> process.

Yes.

> They say it takes 1-3 hours. For me, it takes about 10 minutes, but
> maybe I'm just good at it.

10 minutes seems perfectly realistic if you are already familiar with
the procedure, have already set up an account with the CA, and are
already familiar with the installation procedure on your web server.

Provision a cert from Comodo through Dreamhost's panel, and the process
similarly takes only about 10 minutes due to their automation and
hand-holding.

> They say their goal is 15-30 seconds, which is unrealistic.

Probably. That apparently excludes setting up an account at the CA
(which I'm guessing is still necessary) and installing their tool on
your web server. As you observed, they seem to be leaving out some
setup overhead.

> (Side note) Historically, I've always thought, you need to generate
> your own CSR in order to keep your private key private. But more
> recently I'm thinking, This is the CA we're talking about. So what
> if they have the private key. If they're going to attack you, you're
> screwed even if they don't have the private key - because they can
> perform a validated MITM attack, which is only a little more hassle
> for them. (End Side Note)

True. Unless the client is taking extra steps to detect a cert change,
and even then who would suspect a new cert from the same CA as the
original one they fingerprinted?

However, if the CA is sloppier about handling your private keys than
they are about securing your own, it potentially expands your attack
surface. For example, your private key might reside on one of the CA's
web servers as they process your request, even if the actual signing
happens on a more secured back-end machine. That web server could get
compromised, leaking your private key to a third party.

> It looks like the main value they're talking about in that article is
> the ACME automated process for identity validation (... and automated
> installation). I wonder if existing CA's like startssl would be
> unable to easily adopt a new automated process like that, because of
> the fact that they're a CA they must stick to their existing
> documented processes.

I would assume that if StartCom sees this new effort as adhering to the
same philosophy that led them to offer free certs themselves, that
they'd adopt the protocol to make their service equally easy to use.

What's less clear is whether StartCom will be motivated enough to
invest in the work needed to adopt the new protocol. I don't get the
impression that they've invested much in their infrastructure lately.
Their site seems hardly changed in many years.

> I'm also going to say - These EFF guys are a "new CA" which means
> they're going to face the same problem that startssl faced in terms
> of adoption.

Having Mozilla in their corner already gets them a big chunk of the
market. With Google's initiative to get HTTPS used everywhere, it seems
likely they would get on board with Chrome. I don't think Microsoft or
Apple would have any strong reason to reject this idea.

Still, I'm surprised they couldn't find an existing CA to partner with,
with StartCom being an obvious choice. If StartCom sees a viable
business model in giving away entry-tier certs for free, and charging
for higher featured certs, then probably one of the many hundreds of
other CAs would also be willing to give that a try.

It's quite likely that the launch isn't happening until Summer 2015
precisely because they know it'll take months to get their root cert
widely propagated.

-Tom

--
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/