Domain: startcom.org
Stories and comments across the archive that link to startcom.org.
Comments · 44
-
Resistance.
The main issue at the moment is that getting a certificate is complicated, expensive and then dealing with setups is not always straightforward. Now, that is just for a basic Apache server. Create scenarios where you have load balancers, Apache servers serving multiple domain names and application servers fronted by Apache and you have another set of problems.
Which could all be mitigated.
- Free CA (like CACert or StartCom)
- Server Name Indication (serving several virtual domains, each with its own certificate, but all mapping to the same IPv4 address)
- IPv6 (enabling you to assign 1 different address for each virtual domain)
etc. But that would require work. Lots of it. And rethinking the infrastructure and reorganising it in a way that actually works better and is more forward upgradeable.
So yeah, expect HTTP to die in the 20s... 2120s...
-
Mozilla Foundation's disappointing lack of action
To be effective, end to end email encryption needs to be viewed as something more than just "a bonus for more sophisticated users" like the EFF is treating it. As long as only the sender or receiver is sophisticated enough to use email encryption, the option becomes worthless. Encryption can only be used when it becomes easy enough that both sender and receiver choose to use it.
Take the Thunderbird email client for example: at first start the program provides a setup wizard to take you through the items that are critical in using the program. As part of that, they even partner with companies like gandi.net to help you create a new email account if you don't already have one. But at no point do they partner with a Certificate Authority to encourage you to get a personal certificate for S/MIME configuration. Mozilla Foundation seems to never consider it a critical step. While they provide a knowledge base article of S/MIME Certificate providers (including free ones such as StartCom, Comodo, and secorio), this article is not kept up to date and none of the information is provided directly in Thunderbird itself. And the email account provider that the Mozilla Foundation has partnered with (gandi.net) does not even provide S/MIME personal certificates as an option, even as a paid option, despite also being a certificate authority.
If the attitude of email client software developers was that IMAP over SSL and SMTP over SSL should be provided as a third-party add-on "for more sophisticated users" then we would be in even worse shape today. Fortunately, these are considered options that should be easily accessible to everyone. We need to change how we think about presenting end to end email encryption to novices and start treating it as a critical offering instead of a secondary/side option.
-
Re:How to easily add HTTPS to a website?
SSL certificates are not the problem: https://cert.startcom.org/
The problem is that some browsers (mainly IE on XP) don't support SNI, so your website needs a dedicated IPv4.
If you manage the machine, you can get a VPS with a dedicated IP for almost nothing (I pay $3/month), but managed web hosting is another issue.
Technically you only need a different listener/port... so for example https://example.com:443 and https://example.org:12345 would work fine as long as :443 only presented the example.org cert and 443 the example.com one. We just don't want to have to use non-default ports do we...
-
Re:How to easily add HTTPS to a website?
FYI: the https://cert.startcom.org/ site is, as far as I know, somewhat deprecated. The more up-to-date URL is https://www.startssl.com/
-
Re:SSL
here you go :)
-
Re:Facebook's rogue app risks
I found that setting facebook to always use https has resulted in far fewer lame apps harassing me. For some reason all the worst ones seem to refuse to work in https mode.
I'm sure this will change. It's not like it's hard to get a free SSL cert. What you're seeing is that bottom-feeders, like spammers, sometimes take a while to catch up to the tech, but once a significant portion of the userbase is SSL, they will start taking advantage of free certs.
-
Re:virtual hosts, money
I spent a lot of time dealing with virtual hosting and SSL and only the latest patched versions of IE7 & IE8 support embedding the domain name in the SSL request. Mozilla does support this, but seems to attempt a standard SSL request first (not sure which version I was testing with now - was the latest at the time). Webkit based browsers seemed to be the only ones that properly send the domain upon every SSL connection attempt. SSL is designed to allow but not require a header for the domain, which is necessary if the server is virtual hosting using a separate SSL certificate for each domain hosted. I believe it is possible to combine the SSL certificates for each domain hosted and send the combined cert to the client regardless of which domain is requested, however this requires a much more expensive SSL cert. For those of us wanting free certs this really isn't an option. As far as the author's argument that SSL certs are expensive, they are not. You can get a perfectly good and perfectly free cert from StartCom, and possibly other vendors as well. The true reason SSL is not often used is certainly due to server side processing cost. Caching is not generally relevant since most of the expensive resources are images which can be downloaded using a non-SSL connection within the SSL encrypted page without worrying about man in the middle attacks. What is truly sad is that Java does not yet support this domain SSL header - meaning if you are using the language to write your web server, you have to wrapper each SSL connection to capture the header yourself. Common Snorkle, what are you waiting for?
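A defender-side check for the SNI problem this comment describes, as an added example (not code from the original thread): it connects to a host once with SNI and once without, extracts the names each certificate covers, and reports whether a client that cannot send the domain (the IE-on-XP case above) would receive a certificate that does not match the hostname. The sample certificate dicts and the host name are constructed; `fetch_cert` needs network access, the comparison functions do not.

```python
# Added example (not code from the original thread): check whether a site
# relies on SNI to present the right certificate, i.e. whether a client that
# cannot send the domain would get a certificate for the wrong name.
import socket
import ssl


def names_in(cert):
    """Return the lowercase DNS names a getpeercert()-style dict covers."""
    cert = cert or {}
    names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names


def covers(names, hostname):
    """True if hostname matches a name exactly or via a single-label wildcard."""
    hostname = hostname.lower()
    if hostname in names:
        return True
    labels = hostname.split(".")
    return len(labels) > 2 and "*." + ".".join(labels[1:]) in names


def sni_dependent(cert_with_sni, cert_without_sni, hostname):
    """True if only the SNI handshake produced a certificate valid for hostname."""
    return covers(names_in(cert_with_sni), hostname) and not covers(
        names_in(cert_without_sni), hostname)


def fetch_cert(host, port=443, use_sni=True, timeout=5):
    """Fetch the peer certificate with or without SNI (needs network access).

    Hostname checking is off so a mismatched certificate is returned instead
    of raising; chain validation stays on, so an untrusted fallback
    certificate yields None."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host if use_sni else None) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None


# Constructed sample certificates in getpeercert() form, not real captures.
CERT_SNI = {"subject": ((("commonName", "example.org"),),),
            "subjectAltName": (("DNS", "example.org"), ("DNS", "www.example.org"))}
CERT_NO_SNI = {"subject": ((("commonName", "example.com"),),),
               "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"))}

if __name__ == "__main__":
    host = "www.example.org"  # constructed; swap in a real host to probe over the network
    print("SNI-dependent:", sni_dependent(CERT_SNI, CERT_NO_SNI, host))
```

To probe a live server, call `sni_dependent(fetch_cert(h), fetch_cert(h, use_sni=False), h)`; a `None` without SNI means the fallback certificate did not even chain to a trusted root.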
-
Re:Cost
Free certs are available, and every bit as (in)secure as the paid standard ssl certs.
http://cert.startcom.org/
Virtual hosts are only a problem if all the following are true:
You use IE on XP on IPv4.
Everyone else but IE on XP now supports SNI. http://en.wikipedia.org/wiki/Server_Name_Indication
IPv6 makes name based virtual hosting unnecessary.
I think personally I'll give IE on XP on IPv4 another year or two before I'll stop supporting that combo on my personal sites. Sorry MS, but you don't get to hold the internet back forever.
-
Re:Certificate?
Free certs are available, and every bit as (in)secure as the paid standard ssl certs.
http://cert.startcom.org/
The "annoying users when they expire" is a symptom of the main problem.
Well, actually it's 2 problems.
For small hosters, IE (any version) on XP doesn't support SSL/TLS on virtual hosts. Everybody else does. http://en.wikipedia.org/wiki/Server_Name_Indication
For large hosters, SSL key distribution and updates become a problem when using large server farms or CDNs. Doing SSL in hardware on load balancers solves this for server farms, while CDNs are a more difficult problem.
Those are the main reasons. Latency and CPU usage are not deal-breakers today, though they are a factor.
-
Re:Two reasons for SSL
CAcert withdrew their request for their root cert to be included in Firefox. Talk to CAcert about it.
StartCom free SSL certificates now seem to work in Internet Explorer, Firefox, and Outlook out of the box. It looks like they're the best bet for free certs that won't display warnings in popular products.
-
Re:Two reasons for SSL
Incorrect. Firefox, Thunderbird (you can use Startcom free SSL certs for your POP3/IMAP/SMTP servers too), IE as of a Sept 2009 (?) root certificate update, Chrome, Safari, and Opera all work just fine. They don't list Opera, but I just tested on my own sites, and it works just fine. With a little OpenSSL work, you can even use Startcom SSL certs with Cisco SSL-based VPNs.
There is no reason to ever have a self-signed cert any more.
-
Re:Two reasons for SSL
Invalid argument: Free SSL certificates: http://cert.startcom.org/.
-
Ironically...
eff.org uses a certificate from a CA that I marked as untrusted during the scandal over certificates issued without verification that Eddy Nigg uncovered in 2008 ( https://blog.startcom.org/?p=145 ). He was able to get a certificate for mozilla.com, no questions asked.
So out of the frying pan and into the fire. Is the link in the OP REALLY from eff.org? Or is it the world's most elaborate phish yet?
-
Re:Doesn't sound so bad
There are free encryption tools out there.
The last time I checked, SSL certificates that chain back to a CA in all the major browsers weren't free.
-
Re:Self-signed is no good.
StartCom offers free SSL certs and they are in all the browser roots now (although only recently added by Microsoft).
That said, encryption of web traffic adds two significant bits of overhead:
- Encryption takes CPU time. On busy web sites this really adds up.
- By default, most browsers won't cache anything that is SSL-encrypted. This really adds up too. Browsers warn you if some elements on an encrypted page aren't encrypted, so you can't mix elements easily.
-
Re:Power Corrupts...
$15? You can get one for free! And their root certs are valid in Firefox and IE.
-
Re:it's the browser implementation
StartSSL's free certificates are recognised by the major browsers by default.
Not by IE, at least IE 7. And they are only issued to individuals, not to organizations or companies. And they are only valid for 30 days. Useless.
-
Re:Hmm
I pay a total of $30/mo and have two high speed connections to my house.
Connection 1 has 5 public IPs, 6mbit down / 1mbit up uncapped. I'm only using one of the 5 IPs. I've got commercial grade routing equipment at my house so I can use 'em all, but I'm natting behind 1 because I have more than 5 things on my LAN, and can't think of a policy to spread that over these IPs..... and I'm lazy.
Connection 2 is 4mbit down / 2 mbit up uncapped. It comes from work, so I could assign it a /24 if I wanted to be really ambitious. This connection is new, so I haven't figured out how to even begin utilizing the blasted thing! I presently just hook it into my switch on an unused VLAN.
Connection 3: to be perfectly honest, I'm typing this all from a 2.5mbit down / 0.3 mbit up wifi connection at a hotel. The NAT here is outside my control though.
My email account is via Gmail. So I'll bet I receive plenty of spam, I just never see it. I consider spam as much of a problem as SSH trolling or religious fundamentalists. I see none of these as technological problems at the core. I think you can really only fight them by starving them.
I get SSL certs for free whenever I want. Each of my ISPs gives me 3 nines of reliable connectivity, and if I load balanced them (too lazy to figure that out ATM, it seems ;D) I could increase the combined reliability to 5 nines.
So for me, while I'm sure things could be improved, they all currently bottleneck at my desk. I'm certain it is the same for virtually everyone, if you look at things from the right perspective.
-
Full Disclosure
There was a huge difference between the recent events and how they were handled. Full Disclosure.
-
Big trouble at PositiveSSL.
The article is confusing, and the author declines to name the certificate issuer that's the problem. But the screenshot gives the details. It's PositiveSSL. He really did get PositiveSSL to issue him a Comodo-authorized cert in the name of "www.mozilla.com". Try this link and look at the certificate details.
It looks like certificates with this issuer information need to be rejected:
- CN = PositiveSSL CA
- O = Comodo CA Limited
- L = Salford
- ST = Greater Manchester
- C = GB
I loaded all current Comodo certificate revocation lists, and this bogus certificate has not been revoked.
Some Comodo CA root certificate needs to be removed from the approved list.
-
Re:Worth it.
Not strictly true - Startcom do free certificates that Firefox accepts.
-
Re:One Question
"What I really want is for there to be no charge for encrypted connections and EVERY web connection to be encrypted in a fashion that assures that only I and the party I am communicating with can read the communication. If i can be sure that the machine I am communicating with is the machine I think it is then that would be a nice bonus."
It's not a nice bonus, it's the only guarantee you're not broadcasting your data to a cracker/phisher/whatever. You almost may as well not bother with encryption otherwise. Sniffing attacks are (AFAIK) rare. DNS redirection seems to be quite possible right now.
In other comments there was an open CA mentioned that gives away certs for free and has their CA certificate in ... here it is - http://cert.startcom.org/
The only reason that plaintext browsing should still exist, IMHO, is because we don't need security on everything and the extra processing overhead on large (or small) sites could be a killer.
-
Re:Bad Article
Dunno whether CAcert has anything to do with StartCom, but they offer free basic SSL certs too. I use one for my personal site.
I'd like to have seen Firefox at least treat self-signed certs the same as regular HTTP - that is, at least make it look like a regular webpage with no SSL instead of throwing up a big warning - but with StartCom's certs already accepted in Firefox, you can at least get free SSL that way.
Unfortunately, Opera and IE don't seem to recognize StartCom as a trusted CA. This rather scuppers the idea of free SSL for all.
-
You can get free certificate
http://www.startcom.org/ provides free SSL certificates that are supported by Firefox. That's a free way to remove the scary dialog...
-
Shades
A company in Israel has the idea to give out free certificates and, last time I checked (about a year ago), they were on the brink of being accepted into the ranks of Verisign and similar companies (without the crookedness of course).
-
Re:What Are You Getting?
You could try http://cert.startcom.org/
They provide free SSL certificates I think. (Not tried them, YMMV etc)
-
Re:Advertisement Injection
You can get a free "personal" SSL cert from StartCom... And their root cert is included in Firefox, so no scary dialogs there.. Unfortunately, it's not in IE yet, though...
-
StartCom - Free SSL
Not really for the OP but I wanted to mention StartCom if someone was looking for a free cert as opposed to a self signed one. http://www.startcom.org/
-
Re:Someone didn't do their homework...
Well, the description of your history is correct in that, when Cacert wanted inclusion at Mozilla, all alarm bells came on... So far so good.
But the Mozilla CA policy has existed in some form since the beginning of 2005 at the web site of Frank Hecker (President of the Mozilla Foundation). That was about when StartCom started its own authority. Since then many CAs were included and processed at Mozilla (see history), based on that policy, the very same policy which was eventually approved by Mozilla.
Therefore what I meant is that, already for over two years, Cacert could have been included - the very same way StartCom was. More than that, the Mozilla policy was created and defined in a way which made it possible for Cacert and StartCom to comply.
However, I think that there are some real problems with community projects in having them comply with even the most basic requirements for CAs. This is one of the reasons why I personally don't believe the current structure of Cacert will ever be successful - even if it's a nice idea.
-
Startcom
-
Open source CA StartCom supported by Firefox
CA Cert gets much of the attention in the discussion of open source CAs, but StartCom has made more progress in gaining browser support (and hence market acceptance). StartCom certs are supported by Firefox 2.0. CACert has been working on inclusion in Firefox for several years, and appears to be getting close. Mozilla has stepped up its staff effort to review certificate authorities for inclusion in Firefox/Mozilla, including CACert.
-
Re:Root certificate inclusion is expensive
CAcert will NOT be in Mozilla at any time soon! At least not until they comply with the Mozilla CA policy. Try StartCom instead.
-
Re:Security.
Wikipedia removed anything related about StartCom from it. They declared war on StartCom for whatever reasons, most likely there is a connection between CentOS/Cacert (and the wikipedia admins) and StartCom. StartCom produces amongst others a Linux distribution, but also runs the Free SSL Certification Authority.
What do you mean by free e-mail cert program? StartCom provides free S/MIME certificates and is also progressing to run a Web of Trust system.
-
Re:Security.
Mozilla and many others have included the StartCom CA. See the full list here: http://cert.startcom.org/?app=140
-
Security.
That's really the reason why people don't use encrypted e-mail. Nobody can make it free and simple without any hassle.
We already have an open-source-friendly CA, StartCom. http://www.startcom.org/ It would be nice if Mozilla included them and if Thunderbird automatically generated "Identity unverified" certs for its e-mail users.
I don't know, maybe it's not possible. Still, it would be nice to shut down Verisign.
-
Only a few weeks behind...StartCom...
"Only a few weeks behind the release of RedHat Enterprise 5"? Whereas StartCom released its clone almost two weeks ago! However /. doesn't think it was news ;-) , but Linux-Watch did...
-
Re:Cert Authorities?
Except the StartCom CA! http://www.startssl.com/ ( http://cert.startcom.org/ )
-
Another free one and from a Linux Distro
Yeah, you have to import their root, but it is free!
http://cert.startcom.org/
-
Blurb
The whole (except for the last sentence) blurb from this story was taken word for word from StartCom...
-
breaking the monopoly on certs
Ok, I've seen lots of posts from people saying that certs are a rip off. Getting a cert from someone means that they trust you enough to accept money from you, and that is about it.
I've also seen lots of posts from people saying that you can generate a self-signed cert for free. The problem with these self-signed certs is that you get a pop-up from your browser warning you that the cert isn't trusted.
It appears to me that cert.startcom.org is trying to do something different: They are handing out certs with them as the root authority and giving information about how to install their cert as acceptable by your browser. If enough people do this, then major browsers will "have" to start including startcom.org's certs in their distributions. Until that happens, you still get a reduced number of cert pop-ups because many different websites will be using the same "non standard" cert authority.
You will get all the cheapness of self-signed certs with all the security of a cert from verislime or thawte. After all, the only real security with regular certs is that the traffic between your browser and the website is encrypted.
-
Woweee
When you finally get to the site that is offering the certs (http://cert.startcom.org/) all you find is bad grammar and certs that aren't recognized by any browser (i.e. warnings pop up). It's admirable that the site wants to issue free certificates, but you won't find many surfers willing to trust them. Also, you can create your own certs with minimal effort, and you'll end up with the same thing.
-
The clickable link: