Domain: startssl.com
Stories and comments across the archive that link to startssl.com.
Comments · 128
-
Re:SSL/TLS need more info
Well, there's CAcert, but they are not listed as a trusted CA in any browser. StartSSL, which is a commercial company, issues certificates for free and they are trusted by Mozilla browsers currently. But as far as I know, if you want a cert that's trusted by default in all modern browsers, you'll need to pay a few bucks.
-
Re:Firefox error messages
2. They look like errors. They're not errors, they're warnings.
A bad SSL certificate is an error. These types of rationalization are simply born of outright laziness coupled with gross ineptitude.
Especially since you can even get free ssl certificates from people like http://www.startssl.com/?app=1
-
Re:That's the point.
Except you can get it for free.
And it's not recognised by Internet Explorer, so you still have to click through scary dialog boxes.
-
Re:That's the point.
You sure don't have a bookmark there if you haven't visited it before.
Fair enough.
Which also implies two things: Either every self-signed SSL site I visit will be dropping a cert permanently into my cache (and what happens when that expires?), or it's possible for certs to expire (either their date expires, or my cache purges them for inactivity).
In the first case, that would work, but it bothers me -- though unlikely, it's possible someone could set up a DoS which redirects to an infinite number of subdomains (each with their own cert), thus filling up my disk with useless certs. (With normal SSL, I can safely drop a cert from the cache, as long as I keep the known-good root certs.)
In the second case, every time a cert expires, it's possible for me to be pwned. I'll agree that's not often, but it does bother me.
While I'm at it, I should point out another potential problem: SSH does exactly what you're suggesting, and I do often simply accept new SSH host keys. The problem arises when an SSH host key changes, for whatever reason -- you reinstalled the OS, or you upgraded and Debian killed the key (to clean up after the openssl vulnerability), or whatever.
I think at this point, there would still be a problem of a large number of false positives -- of people needing new certs, for whatever reason, and if they're too cheap to pay $20 (or nothing), how likely is it that they'll be able to properly manage their own little CA?
Which can leave you in the uncomfortable situation where some forum site you like has had to generate a new cert. Do you trust the new cert? With real SSL, yes, because the CA has already done the checking for you. With this, you have to either assume you're MITM'd (and check it from somewhere else), or you have to assume the site admin screwed up (in which case, you're open to being MITM'd again, and may as well have stuck to vanilla HTTP.)
-
Re:Another Solution to Self Signing?
You probably need to install the intermediate CA.
-
Re:Unavoidable with devices
Or $0/year, but that seems to be lost in the hysterics right now.
-
Re:As long as we're complaining about browsers
So yeah, got any links to these free root authorities?
Getting a cert costs more than the entire freaking hosting!
GoDaddy certs cost $20 or so a year. Good hosting costs that much per month.
-
Re:No Excuses
StartSSL provides free certificates, and they're included in Firefox.
-
Re:As long as we're complaining about browsers
StartSSL free certificates, with the CA included in Firefox. Not yet in IE, but IE will give you the same warning as a self-signed certificate.
-
Re:Why
-
Re:That's the point.
http://www.startssl.com/ Except you can get it for free.
-
Re:Another Solution to Self Signing?
StartSSL offers free certificates, and their root cert is included with Firefox.
-
Re:no it does.
As soon as CACert improves its management system so it can pass Mozilla's auditing process, it can be included in Mozilla products. For now, you can use a free SSL certificate from StartSSL. You can also buy a cheap SSL certificate from RapidSSL Online that is recognized by all popular browsers.
-
Why not use a startSSL cert then?
For those sites, buying a certificate is possible, but the costs are high compared to the gains (as this is *only* about protection of the data, not about "being sure this is site XY"). Based on the certificate IDs/hash it's possible in this environment for anyone to compare whether the certificate is a trustworthy one, or not. The certificate identification is, in this case, possible.
I don't understand this. You want to be sure that the data transferred is protected, but you're happy to have it redirected to any site.
As to the cost/benefit, how about a cert from startssl? This has the cost of $0 and the benefit of being supported by Firefox. It's not supported by IE unless the user installs a root cert by hand, but then it wasn't IE you were complaining about. Firefox actually seems to be ahead of IE in this regard.
-
Re:CACert
The most likely cause is that your installation isn't complete and the CA chain sent out by your server is missing something. Check the FAQ page and/or installation instructions for more information.
-
Re:CACert
Use a free cert from http://startssl.com/, whose root is already in Firefox 2 and 3. Yeah, this won't help with IE (see https://www.startssl.com/?app=25#11), but you gotta start somewhere.
-
Re:FF3 is right
What about StartSSL? FREE certificates supported by Firefox and Thunderbird!
-
IE7 / StartSSL
IE7 is worse, because its user interface does not ask the user if they want to add the site as an exception as Firefox 3 does. The end result is you get the big, scary warning in IE7 every time you visit the site, but you get it only once in Firefox 3 because you need to add the exception before it will let you proceed to the site.
Anyway, get a free cert from StartSSL and the problem is solved.
-
Re:CACert
StartCom is free and already supported by Firefox.
Mozilla just wants CAs to offer some level of accountability and identity verification. Their CA certificate policy is explicit in its requirements.
I don't see the point in having Verisign certificates everywhere, but I also don't see why you should blindly trust a Robot Certificate Authority like CACert, without further assurances.
-
StartSSL is free or cheap, as you prefer
They offer certs with domain validation for free. There are gentle attempts to upsell you to higher levels of validation, but their domain validated certificates work without errors. Look here.
If you want certs that are validated to your business' identity (instead of just your domain) and don't indicate in the DN that they were free, there is a small charge.
-
Re:For Testing Only
StartCom Ltd is a trusted root authority in Firefox 3 (and their earlier root cert is in Firefox 2 and Safari 3). They provide free SSL certificates at http://www.startssl.com/
-
Re:May I ask ...
Look at this next time your contract expires, at least for your internal sites: https://www.startssl.com/?app=5
-
Re:Buy a real SSL cert, with location info
StartCom currently has two CA roots, and the older one has been around for a while already. Speaking about the older one, Mozilla, Apple and KDE (most likely some others) ship it. The newer root, which is now the default served from https://www.startssl.com/, has been in Mozilla since last year and is soon to come in Apple. Microsoft and Opera don't support the StartCom CA root for now. Concerning the price vs. value ratio (if IE isn't of particular concern), StartCom offers domain-validated certificates for free (Class 1) and an upgrade to Class 2 for a small fee for identity and organization validation each. Class 2 allows for unlimited certificates (for the subscriber) and the combining of unlimited validated domains, subdomain names and wildcards within the same certificate or in different certificates.
-
Responsibilities of a Certificate Authority
Running a certification authority has many, many responsibilities. Since open source and community-related structures are handled most of the time by volunteers, such a CA is almost not possible. There are things at a CA which can't wait for some volunteer having the mood to do it. CA policies don't allow much playroom, but require strict adherence to them.
StartSSL of StartCom is the closest it can get as far as pricing and openness are concerned.
-
Re:Cert Authorities?
Except the StartCom CA! http://www.startssl.com/ ( http://cert.startcom.org/ )
-
StartSSL and Firefox 2.0
Perhaps this is also an answer to the efforts of the StartCom CA. In this article there is a nice explanation about this... Which doesn't mean that StartCom can't provide the necessary extensions in the future. With 43% of market share in Germany and other European countries, Firefox is far away from suffering at the hands of Verisign and MS!