BLU Discuss list archive
[Discuss] Who sells the least expensive SSL certs right now?
- Subject: [Discuss] Who sells the least expensive SSL certs right now?
- From: abreauj at gmail.com (John Abreau)
- Date: Mon, 22 Dec 2014 11:25:16 -0500
I think you're missing the point. More quotes from the bugzilla discussion:

> The problem is not them charging for revocations. If someone has lost their key
> or got hacked, okay fine. Their own fault.
>
> The problem is that thanks to Heartbleed we now have potentially leaked private
> keys (leaked due to circumstances outside of the control of anyone) and thus
> insecure sites.
>
> Now with StartSSL charging for every single revoked certificate they are
> encouraging people to "eh, the chance my key got leaked is so low, I'll just stay
> with my old certificate" thinking and behaviour.
>
> This is actively compromising the security of SSL and consumers (no one I know
> checks the SSL vendor on certificates of sites they visit if there's the lock icon and
> it says it is trustworthy). Therefore customers and site users expose themselves to
> potential security risks while the browser ensures them they are communicating
> securely with the website.

and another:

> Spreading **** certificates all over the place for free and then forcing people to
> pay for the revocation of those certificates is certainly not doing any good for
> security. I can't see any reason why startssl.com should be in the truststore while
> cacert.org (which do not charge for revocation nor for anything else) are denied
> the same status.

Now granted, these arguments are about whether startssl should be in the firefox keystore, not about whether Bill should consider using startssl's free tier. But I disagree that the arguments are weak.

On Mon, Dec 22, 2014 at 10:55 AM, Edward Ned Harvey (blu) <blu at nedharvey.com> wrote:
>
> > From: John Abreau [mailto:abreauj at gmail.com]
> >
> > As for StartSSL, a quick google search turns up some disturbing issues with it.
>
> Bah. That's a weak argument. There is nothing secret about charging for revocation, and I don't expect any other CAs to reissue certs for free either.

--
John Abreau / Executive Director, Boston Linux & Unix
Email: abreauj at gmail.com / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23 C2D0 E885 E17C 9200 63C6