Cheap SSL Certificates for Small Websites?
zaqattack911 asks: "In the workplace today it is becoming more and more common for everyday applications to be accessible over the web. Just about all the booking and tracking systems at my job are handled via web-apps these days. Along with this trend is the increased need for secure transactions over the web. Just about all of the apps on my webserver are going to be SSL only. Some of them are for internal use only, some for the outside internet to use. Is there a cheap alternative to getting your certificates signed? Self-signing my certificates works of course, but just about all browsers make a big fuss about it. Verisign asks for about $400 initially, and $300 to renew a certificate every year. This seems like a scam to me, and I'd love to know if anyone knows of alternatives out there? Is there a way to get around the certificate signing business? I looked at a company called RSA Security which allows a company to 'self sign' and use their accepted signature. The website doesn't mention the price, and I'm sure it's not very affordable. What else is there?"
And put text in saying to click through the security warning. Most people will, anyway.
A bunch of excellent geeks I know use Entrust.
They charge $199 for certificate, and have a pretty good service. I've been using them for years.
we use them for all of our commercial sites.
The stories /. has already had on the topic....
Why Are SSL Certificates So Expensive? by Cliff with 192 comments on Sunday March 18, @04:48PM http://ask.slashdot.org/article.pl?sid=01/03/18/1855230&mode=thread&tid=93
Are FreeSSL Certs Worthwhile? by Cliff with 8 comments on Friday September 07, @11:50AM http://ask.slashdot.org/article.pl?sid=01/09/06/0451218&mode=thread&tid=148
You can use it to create certs, and you can even add your organization to the browsers' trusted organizations so the users don't get an error message.
Rackshack.net has a link to a $49 QuickSSL certificate. I haven't used them, but it sounds like a good deal.
Title says it all
There aren't really many options, because the browser has to recognize the signer, and the major browsers only recognize Verisign (and Thawte, which is also Verisign).
RSA is the company that started Verisign, so you can guarantee they'll not be of help.
If this is a situation with a limited client base, like a company, you can self-sign and send everyone your CA certificate and have them all import it into their browsers (all browsers support this, I believe). But what a pain.
I wish the news was better, but you're right -- it's a scam. The problem isn't technical; it's political.
Thawte may be worth looking into. They used to be a competitor to Verisign, although now I believe they are owned by them (what isn't?).
They have certs available for $199. Still not cheap, but better.
-Pete
I say the same thing about signing my Java applets. Sun only puts in Verisign or Thawte root certificates. So if you want to avoid your customers seeing some ridiculous
"Jesus!! this software is unsigned!!!"
message, then you gotta buy the certz. I am self signing right now. I would love it if OSDN could have their own root certificate and let us public folks buy from them. Any malicious signers will be found out quickly so what's the big deal???
I think this signing thing is DRM in action. Nobody is realizing it yet.
I would just go for one of the thousands of web hosts that give you some sort of SSL package. Unless you need your very own certificate, they are definitely the way to go for the small business because the host purchases the stuff and just charges you a small fee.
If this is not acceptable for your situation, then I am afraid you have to bite the bullet and front the money.
But don't get lost in the middle - remember the whole reason you are using SSL is for security. Whether the certificate comes directly from you or your webhost doesn't really matter as long as it is secure. That's why I would recommend that you let them pay for it and disperse the cost among their users.
You can even get a free 30-day trial cert.
Tucows also does this:
http://resellers.tucows.com/opensrs/certificates/
Quite affordable plus you can become a reseller.
This is just kind of a question, really... Because you bring up an interesting one with the whole 'click-through instruction' thing: How effective are certificates and SSL, anyways?
If people accept any certificate because they don't know what one is, and just want their effing content? If the sites using SSL are not keeping current versions, that is, are vulnerable to exploits anyways?
(Yet Another Certificate Selling Company)
Take a look at Domainmonger, they sell them for US$ 150.
Thwate is a Verisign company who used to charge lower prices for what ends up being a Verisign certificate. Last time I checked they were about half the price of Verisign. An alternative company is Baltimore Technologies. One of the main reasons to go with a known player is that their certificates are already in browsers, and they tend to do some background checking to ensure that your business is legit. Anyone can create SSL certs, it helps to be able to point to a name your customers will recognise, as a method to add credibility to your business.
You can purchase a ridiculously cheap ($50) 128bit SSL cert, trusted by browsers from http://www.geotrust.com
All you need is a valid credit card to get a cert. The CA key is loaded in almost all of the browsers, the notable exception being Opera.
They do send an 'auth check' by emailing the domain admin contact you can select.
The entire ordering process (including filling out forms) takes less than about 5 or ten minutes.
This should SCARE you if you're relying on the security provided by Veri$ign and the root that ship with browsers. - pablos.
You may find what you're after over at http://www.cacert.com The creator of this website believes that trusting someone should be free, and is doing his best to make this happen.
There is a nice page, http://www.whichssl.com. Through the comparison tables there I found comodo's http://www.instantssl.com. I generated a demo certificate first and after I had no problems with it, I bought it. For $49 a 128 bit, not 40. Recommended.
At $49 a piece for standard certificates they're the cheapest my company could find when we went looking last month. So far I have no problems recommending them.
comes with openssl. It even has a nice perl script to make it easy.
What Verisign and co have that you don't is their root certificates installed with the browsers by default. For internal use you should have no problem using your own certificates. For external use, where an existing business relationship exists (ie you aren't selling to the public, but to people who can trust your cert because they know who you are) it should take little more than a quick explanation.
They are cheap and give you lot's of leeway on how you use your certificates with various URL's on your machine(s).
Sure we all hate VeriSign for all kinds of reasons.
However when you get an SSL Certificate from VeriSign and some of the other Cert signers out there, you are getting two things.
The most commonly understood thing you are getting is the encryption that's automatically accepted by just about any modern browser. However, the reason it's automatically accepted is because VeriSign is supposed to verify the identity of the business. This is why they require a Dun & Bradstreet # (it's a business credit identifier). This way you know when you're going to https://secure.yourdomain.com to enter your credit card information, that you are indeed still on yourdomain.com and that your information is encrypted, and verified to be sent to the company you intend to send it to.
So if all you are concerned about is encryption, just generate your own. It will however throw a warning in just about any browser that the identity of the site can't be verified. Other than that, cost of this service isn't going to drop very dramatically without losing its verification services.
I understand though, that browser warning annoys me too.
Never heard of 'em. Must be some fly-by-night operation. :-)
Try out FreeSSL.com - they used to give fully signed SSL certificates away that lasted for three months.. I read that they were planning to offer free 'year' certificates.
They also currently offer a ChainedSSL certificate at a cost of $25 per year...
Search for SSL right here on our very own slashdot and you will find many relevant discussions, such as:
Implementing an SSL-Based Network
Web security, Privacy and Commerce
Why Are SSL Certificates So Expensive?
It is likely your question has been answered before here or elsewhere.
The established certification companies are already on this list. You are not. If you self-sign, you are basically counting on your potential customers to trust you as a certification authority. They can add you to that list individually. The question is, will they?
Since you are an unknown, small company, basically your customer has to trust that you have done everything right in order to protect their security. That's a lot to ask someone. Having a big player certify you tells your potential customer that even though you are a small unknown, you have done everything right.
It's just my personal opinion, but it's one based on running an e-commerce site for the last four years. Go with an established certifier. If you are doing any sort of business at all online that requires SSL you will more than make up the annual fee in the sales you don't turn away because you were too cheap to get a real certificate.
Yes it is all his fault, if only the man behind the curtain would have just pulled some more levers all of the bad business models of the .com era would have magically worked. Oh and all those restated earnings would have never happened. For the South Park underpants gnomes were the geniuses behind all of those business models.
Phase 1 put up website
phase 2 ??????
phase 3 profit
sign it for you for, say, $99 (ac no. AIB ~ 039 749826746)
And sorry for my hand-writing...
Sincerely yours
AC
I think the whole CA-business is rather fishy. The only thing people are paying for is to have the pesky warnings that pop up if the certificate is not signed by a CA known by the browser removed. I have yet to see a single individual with even half a clue about cryptography state that he or she actually believes that the big certificate authorities actually provide any form of useful service.
I wish I had started a CA a decade ago and then jumped into bed with Netscape a few years later. This must be the single most profitable business online.
If you also have the need for about $250.00 of product including domain names, check out becoming an OpenSRS reseller. You can get GeoTrust Certificates from $99.00
No really I can spell, I am not a product of word no really okay maybe, oh what the hell Microsoft has destroyed my ability to function without a spellcheck
So, what is a signature and when is it needed?
What is 'self-signing'?
Tor
*MOD PARENT UP*
:)
Geotrust are probably the cheapest there are. Very no-hassle to acquire (all automated).
I got a good deal with geotrust ssl + rackshack.net (the ssl cert was free for me
Has anybody used InstantSSL? They claim to work with IE 5+, NS 4+, AOL 5+ and Opera 5+, which they say is 99% of the browsers in use out there. Sounds like a good deal to me.
I'm looking at using the cert to do some credit card auth for a webhosting company, and I don't really think I'd have a problem turning away that 1% of people who can't upgrade to a browser that came several years ago. That whole 80/20 rule kicks in there. I'm sure somebody who can't be bothered to upgrade to a modern browser is going to be a tech support nightmare.
And put text in saying to click through the security warning. Most people will, anyway.
An excellent example of why "computer security" is an oxymoron.
Seriously though, this is part of why many viruses spread -- people are gullible and lax on security. While I really understand that getting a proper certificate can be expensive, I'm not sure if I want to encourage this type of behavior.
You're going at the problem wrong. Don't worry about getting your clients to accept a self-signed cert, worry about getting them to add your own root certificate to those they trust.
This is actually straightforward - you point them to a URL that returns the root cert, with MIME type application/x-x509-ca-cert, and tell them to accept it for all uses when the browser pops up a dialog box.
You should then use this root cert to sign your web server certs (and certs for mail servers, databases, whatever). All should be trusted immediately, assuming you have your other ducks in a row. (E.g., you need to have your web server cert's common name resolve to the IP address of the web server.)
It's a bit more work to maintain a mini-CA than to just use self-signed certs, but overall the benefits outweigh the hassles. Many of us are working on JSP tools to operate mid-range CAs, but I don't know how far most are. (The problem is Microsoft's eternally changing standards on how clients generate the cert request on their side - I can handle Netscape/Mozilla with ease, but it seems like every version of MSIE is just slightly different.)
I think a lot of people out there use some other browser than Mozilla, though, so you might want to see what certs that other browser supports.
QuickSSL(TM)
Web Server Certificates
Exclusive QuickSSL features:
Only $119 for a one-year certificate
http://www.instantssl.com/ do certs for $49 and they are quick at getting them out to you as well. We had ours delivered in less than 4 hours. Verisign charge an extra $150 to have them to you within 24 hours.
I highly recommend these people; their support people are very good at their jobs and always phone you back with an answer to your questions.
Get the $49 version via Rackshack.net.
Have your company buy a key, then create signed keys for your private domain with it as the issuing key. Nobody will know, as most people still use IE, and it still has that fun bug.
Become your own cert auth, hehehehe Thawte did it, made billions, went to outer space, etc etc.
It's still just a monkey pressing a button on a machine. That should rightfully cost $400? Ooooooookaaaaaay.
Even better, you can get a trial 30-day cert. They're fully functional and registered for your site, so you can test it out completely without getting any "SECURITY WARNING!!" notices from your browser.
Also check out www.whichssl.com It's run by Comodo, but it's surprisingly unbiased and shows you all the prices, browser compatibility issues, etc. of all the major CA's.
I am soooooooo glad I found them! Why pay $300-$500 for a 128-bit certificate when a $50 will work every bit as well? (The only reason I can think of is if you need support for MSIE 4.0 or something)
And appears to be a different company than Thawte. I wouldn't trust them (or nelsonal now that I've read his endorsement).
Thwate's site is a different design than Thawte's site but still uses the 'Thawte' name. This looks like a lawsuit waiting to happen.
i will sign a cert (shit, i'll sign as many as you want) for you for, hmm. what's fair? $20, a case of Natty Light, a Playboy, and an 8 iron.
thanks
vodka, straight up, thank you!
I think I should mention a new project that is in the works. The founder of OpenNIC, Robin Bandy, and I (Nathan Lunt) have been in discussions over the last couple of months to create a daughter project of the OpenNIC project for a democratically-controlled Certifying Authority modeled after OpenNIC. As such, we're looking at a situation where people will be able to get a certificate signed by a third party for, as it stands, free.
Such a project has enormous possibilities ranging from, as this thread discusses, cheap SSL certificates for small websites, to potentially DRM applications as well, as mentioned in Robin's article here.
This project is only in the very infant stages, and has been off to a fairly slow start due to our busy schedules; however, once we are over the hump of policy creation and technical implementation, we should be well on our way to having a system of certification that is fair and within reach to every application imaginable.
Self signing my certificates works of course, but just about all browsers make a big fuss about it
This is a joke, right? Self-signing the certificate defeats the purpose! I will redirect the DNS entry to point to my web site instead, and will use a self-signed certificate. How would you know that this is not the genuine site?
The right solution is to roll out your own Certificate Authority (CA) and make it trusted CA on all the client machines which will use the application. Then you can issue certificates signed by this CA.
CA links
I know this was a troll/joke, but it really helped prove just how much crack the moderators have been smoking lately.
Tnx 4 dat!
- A.P.
DirectNic has pretty reasonable prices for SSL certs $118 per certificate per year...
It's easy to click-through with Internet Explorer. But what if you've got Netscape 6 or Mozilla?
Sure, it's easy to use https mode, but what if you want to sign applets?
It's a REAL pain. You have to download a public key, open up a console, find your certificate store, and manually add it.
I made something that I wanted to do that with. What a pain!
Many of the fields in the X.509 certificate, like the expiry date, and the CA signer field, exist solely to create the business model. There's no technical or trust-based justification for it. Like many of the DRM initiatives right now, certificates are designed to support the business model, rather than being designed to solve the problem.
In the case of Verisign, this was their intent - RSA Data Security, Inc. used the RSA patent as a weapon in the 1990's to ensure that their way of using the algorithm became standardised, locking every other attempt at solving the trust problem (yet another reason to reform the patent system).
One of the founding principles of Internet design is that protocol and business model are two separate issues. We desperately need an alternative to certificates that can provide the necessary trust matrix without nailing all users to one way of providing the service. Unfortunately, it is probably too late to fix it now.
Two projects you may want to look into:
http://www.cacert.org/
http://www.freecert.org/
-E
vpn + firewall = screw certs
if you're relying on SSL certs for "security" it sounds like your systems are open. veddy bad man!
# Erik
Comodo has a great deal. $49. their service is excellent and i have had no problems at all.
I would think the answer is as simple as checking the CA's in Mozilla.
It lists a whole truckload of CAs in the Authorities tab of the Certificates option of Privacy&Security.
I couldn't find rackshack listed in any of the "approved" signing sources for Mozilla or Netscape.
I just went to their Web site and if you click through you will find that they do actually sell Thawte certificates, you are sent to the Thawte site.
This is probably just an innocent thing where people were going to Thwate and trying to get certificates and someone decided to take advantage of the channel.
I will get onto legal tomorrow however just to make sure that nothing unfriendly gets said by mistake. There used to be a company in the UK with a vacuum cleaner called VAX. They got a nastygram from a random DEC legal outfit every week.
What we need is a very fast distributed monte carlo attack on one of the public keys that is everywhere. The keys are made by taking two large pseudoprimes so all we have to do is find one of the primes that a master key was signed with. Since the early certs were done using RSA's tool kit, all we have to have is millions of computers randomly selecting big primes the same way it would and checking to see if they match. This can be done thousands of times faster than key generation. While it is 1024 bit numbers, the estimated keystrength is no stronger than a hypothetical 70 bit DES and may be more in the order of 40 bit DES. There is a very small chance anyone would randomly hit the right key in the next year but there are enough machines sitting around doing nothing, that it could make an interesting distributed project and the magic bit stream may just show up.
... and can manage an installation of certificates on all clients, you can create your own certificate authority all by yourself.
Here are some *SIMPLE* instructions for building a self-signed CA cert, and then signing SSL certs for servers. Any real implementation should probably be assessed for security (like CA generation on an isolated machine, etc ...)
That's pretty much it. Mix into your IT operations as necessary.
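The private-CA recipe this post and the earlier "mini-CA" comment describe (one root cert that clients import once, used to sign every server cert), worked through as an added example; it is not code from the thread or from any commenter. It assumes only the openssl CLI (1.1.1 or later) on PATH, and every hostname and organisation name in it is an invented placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal private CA with the openssl
# CLI. Assumes openssl >= 1.1.1 on PATH; all names below are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir; in real use keep the CA key offline

# 1. A root: private key plus a self-signed certificate marked CA:TRUE.
#    ca.crt is the one file clients ever need to import; ca.key never leaves
#    the CA machine. Self-signing via "x509 -req -signkey" keeps the
#    extensions explicit instead of relying on the default openssl.cnf.
make_root_ca() {            # $1 = file basename, $2 = CA display name
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/$1.key" -subj "/O=Example Corp/CN=$2" \
    -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$1.ext"
  openssl x509 -req -sha256 -days 3650 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# 2. A server cert: key and CSR made on the server, signed by the root.
#    The SAN must equal the name users type in the URL; a trusted chain with
#    the wrong name is still rejected by clients.
make_server_cert() {        # $1 = hostname, $2 = signing CA basename
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/$1.key" -subj "/CN=$1" \
    -out "$WORK/$1.csr" 2>/dev/null
  cat > "$WORK/$1.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$1
EOF
  openssl x509 -req -sha256 -days 825 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# 3. What a client does on every connection: chain the server cert to a root
#    in its store (here exactly one root, nothing from the system store) and
#    match the hostname. Exit status 0 = trusted; non-zero = the browser
#    warning the thread complains about.
verify_as_client() {        # $1 = cert basename, $2 = URL hostname, $3 = root basename
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$3.crt" \
    -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# Publish ca.crt for import, e.g. Apache: AddType application/x-x509-ca-cert .crt
demo() {
  make_root_ca ca "Example Internal Root"
  make_root_ca stock "Some Commercial Root"   # stand-in for a browser's built-in roots
  h=intranet.example.internal
  make_server_cert "$h" ca
  verify_as_client "$h" "$h" ca && echo "client that imported ca.crt: trusted"
  verify_as_client "$h" "$h" stock || echo "client with only stock roots: warning"
  verify_as_client "$h" www.example.internal ca || echo "right root, wrong hostname: warning"
}

demo
```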
Any serious cheaper competitors (Thawte) will likely be bought by Verisign to protect the "value" of certificates and prop up the company stock price.
Verisign bought Thawte; it was approved by the US Government if Thawte kept prices at half that of Verisign.
Thawte certificates in small volumes are $350 for 2 years, after Verisign also increased prices. Others will sell you cheaper certificates the browser will believe in, but they have a screening procedure that keeps cost down, and don't have anybody trust your certificate apart from browsers.
Since when are Mozilla and Netscape MOST browsers?? Last time I checked I.E. was like 90%+ of the market.
Anyhow, there MUST be some kind of IE exploit to get around those annoying security dialogues... But then, that might require using ASP or VBscript... poop.
Certs prove you are who you say you are, not that you are a reputable company. Otherwise, someone can spoof your IP address and/or domain name, collect your clients' secure information, and the whole process is encrypted using the attacker's keys, not yours.
It is a bootstrap problem. Since your clients connect to you over the web, there is no way to prove that you are really you. Instead, you say, my CA (e.g. Verisign) says I am me, and hand them something they can use to verify that info. The browser checks the cert that your site offers, and using the Verisign public key, can ensure that you are actually signed by Verisign. The fact that Verisign's public key was shipped with the browser means that the trust chain goes like this:
Install disk (or Download from Mozilla site)->Verisign->You
You can become your own CA, but that broken link is still there.
Another option is to use something like PGP or hand delivered Certs, which would work for an internal website or a limited audience.
Adam
Thawte was bought by Verisign a while ago
If you actually read some of the info at that link, you'd see they were supported by IE5+ and NS4.5+, thus covering a good 95%+ of currently used browsers.
Just get your users to install your cert into their browser - it won't nag you after that.
It will be fine for your internal users (and transparent if you have a PKI infrastructure like Active Directory), but it depends on how many external users you have and how many hoops they are willing to jump through.
That 90% is a pretty low estimate, too. Most people would estimate IE5/6 usage alone above 90%.
The clients that are trusting the certificate as genuine is one issue, the other is that you're trusting the 3rd party issuer to not compromise their master or root keys...
Check the settings on your favorite browsers for a few ideas....
On Mozilla you can find the "Trusted-Root"'s at:
Edit -> Prefs -> Privacy & Sec -> Certificates -> Manage Certificates -> Authorities.
On IE it's:
Tools -> Internet Options -> Content -> Publishers -> Trusted Root Certificate Authorities.
--sg
You could try OpenCA, the OpenSource Certification Authority Toolkit. I haven't tried it but I'm about to so I can create signed apps for my HA stuff. I don't want my wife to keep asking me if she should accept this or not.
Why Are SSL Certificates So Expensive? by Cliff with 192 comments on Sunday March 18, @04:48PM http://ask.slashdot.org/article.pl?sid=01/03/18/1855230&mode=thread&tid=93
Are FreeSSL Certs Worthwhile? by Cliff with 8 comments on Friday September 07, @11:50AM http://ask.slashdot.org/article.pl?sid=01/09/06/0451218&mode=thread&tid=148
Poor Cliff. Perhaps he will get an answer this time around.
My old Thawte cert just expired today. http://www.intersun.com Am now using Self Signed with no real problems today, but previous research and where I am likely to go shows http://www.geotrust.com as the Thawte replacement. Their web-site claims they are the fastest growing and now have some 15% of the .com .net market.
$400.00 to $300.00 for a cert is ludicrous. I will be monitoring the site for a month or so to see if there is any impact at all on customers. If today is any indicator, I have not seen it.
Interesting this topic came up on the very day my Thawte Cert expired.
Just as a comment here... There's a reason it's not unreasonable to pay for certification that's not being mentioned here. The whole idea behind using a cert is to establish assurance in the identity of the ssl server. This identity assurance is established by the server proving possession of a private key related to a public key which has been certified by a certification authority. The certification authority uses a process supposedly outlined in their Certification Practice Statement to establish the identity of the ssl server. The CA itself has a certificate, certifying the identity of the person who owns the public key related to the private key that digitally signed the ssl server's certificate... it's the CA's self signed certificate! (yes, I'm ignoring the fact that some certificate chains have intermediate CAs, but that's for the advanced example.) Self signed certs are "bearer instruments" in a sense. If an adversary could get their self signed cert into your copy of Netscape or IE, then presumably they could start issuing bogus certs to inappropriate parties, and the whole chain of trust thing would go up in flames. To avoid this problem manufacturers of browsers, acting on behalf of their users (the relying parties) take special precautions to use root certs that have been verified to have really come from root CA's.
What you're paying for are the business operation costs to maintain the certificate issuing system and the indemnification costs.
So... you're probably wondering why you should care about all this when you're dealing with in internal site. Well... to a certain degree, you don't have to. This sort of trust chain is more useful in an environment where the two parties taking part in the communication have never met, nor have any of their "superiors" met. In a corporate environment, hierarchical organizations are common, and if you're dealing with a relatively large organization (say >300 people) it might be worth your while to investigate the idea of an internal CA.
WRT browsers, many corporate IT departments will devise a custom install for machines under their administrative control (you know, like a stock build of Win2k that gets ghosted onto new machines.) If this is the case in your organization, then it is (or at least it was) a relatively simple operation to install a new default root certificate into IE or Netscape (though I must admit, I've only done this myself with NS 4.something.)
As for CA software, if the only thing you're looking to do is create an internal root certificate that can be used to create certificates for internal ssl sites, OpenSSL will do this fine. Keon, Entrust, etc., etc. are generally justified when you want to start issuing client certs and establishing directories of internal certs & crls and revoking things...
encryption in the browser is crap. any mim (man in the middle) can easily hijack your session with open source software like ettercap. just download it and try it! you don't really even have to be in the middle... you can be on a switched lan where your target is and still hijack the session.. and see it in plain text.
don't trust ssl in internet explorer.
if you have to do something secure use ssh and tunnels.
The whole idea that it can be done already puts the whole SSL scheme in danger. Who says someone hasn't already accomplished this?
The economy is in the toilet for several reasons. Consumer confidence is one factor that a good President can improve. Unfortunately, Bush is not such a President. He is an inarticulate dolt: "Fool me once, shame on ... [Dubya struggles to remember the next word] ... you. Fool ... [long pause while Dubya, clueless as to how to complete the cliche, stares helplessly] ... Fool ... well, you won't fool us again."
He's seen as being in bed with the worst offenders in the corporate scandals. Enron made its company jet readily available to the Bush-Cheney campaign during the 1999-2000 election cycle at a fraction of its real value. Federal Election Commission records show that Bush- Cheney paid Enron roughly $60,000 for use of Enron's jet during the campaign. Federal rules permit such use, as long as the campaigns reimburse the company for the cost of a first-class plane ticket -- quite a major bargain, considering corporate jets cost at least $1,000 per flight hour, not including other charges.
Then Cheney meets with oil big-wigs, including Enron, to help draft an "energy policy" that basically consists of turning over public land to private drilling so that the oil companies can sell the oil on the world market to the highest bidders. And now Bush-Cheney are doing everything in their power to hide who they met with. Really puts the whole inquiry about Clinton's blowjob into perspective, doesn't it?
While the dot-com fiasco certainly hurt the economy in the long-run, it does not explain the tanking of the stock market that has continued throughout his Presidency. Nor does it explain how he could take a budget surplus and turn it into deficit spending in record short time (hint: the check you probably got back from the IRS thanks to Bush's tax cut was funded with government bonds -- the Treasury had to borrow money to give you that check).
Bush used his Presidential powers to force fertility clinics to throw away embryonic stem cells rather than having them used for valuable medical research. He refused to give money to towards U.N. population control programs because they mention the "a" word (abortion). He is working hard to throw public money to religious organizations through his "faith-based initiative." But he has yet to give any of us a clue as to what he plans to do to revive the economy -- if he intends to do anything at all.
They're a Thawte affiliate taking advantage of misspellings... scummy, I'm surprised Thawte hasn't taken them down.
Seriously, why SHOULDN'T you do this? The only thing Verisign does is take exorbitant amounts of money to "prove" you are who you say you are. But if you don't trust someone at their word, you probably don't want to do business with them in the first place!
I'd suggest that doing this even for sites used by the general public is OK. Just put a quick explanation on the site. The exception might be if you're running a large operation collecting credit card numbers, in which case you can afford Veri$ign's price and don't want to lose a bit of business.
I suppose you could self-sign, but who really wants to deal with all those clueless Win* users who write email complaints first, think later? Not me...
Amazing how the recession started before he took office. And when did the seeds for that recession get sown? Dot coms? Oh, that was Clinton. Take your bullshit elsewhere.
I use InstantSSL (Comodo) [flash alert]. Works great. A little Apache tweak, nothing on the client side, and haven't found an unsupported browser.
Best part: $49.
We just need a trusted authority (for certain definitions of 'trusted' and for the definition of 'authority' that is ubiquitously recognized instead of decided by the highest bidders in the browser wars) to make digital assertions.
You'd start with certifying identities: my state might sign a certificate certifying my name, maybe driver's license number, perhaps address and even a photograph. I should now be able to sign e-mails with this now independently of my e-mail address. The resulting signed message could carry whatever signed assertions I wanted to put on it. (Probably my name and maybe my photograph.) I can't forge these, because these components are signed by the state in connection with my identity. A posting to a self-help group might just assert my identity in the form of a photograph and an unsigned nickname.
Taking this a step further, I should be able to use this ID to sign other things, even web sites. This will require changes to the way users perceive an "authenticated" web site. If I go to a bank at www.example.com today, they have a certificate that basically states "www.example.com is Example Bank, and their identity is certified". What my own signed web site might assert is "www.example.com is Joe User". User agents need to give more weight to the name here and less weight to the fact that the domain name matches what's in the certificate.
Extend this now to corporations. When a corporate charter is created, a digital ID for that corporation is created along with it and signed by the state of incorporation. That corporation can now sign assertions like "Joe User is the CEO of Example Corporation".
So now, when Joe User sends an e-mail, he can include this information:
- Joe User (signed by the state of residence)
- (Joe's picture, signed by the state)
- Job Title: CEO (signed by Example Corporation)
At this point, we really have a framework to allow the signing of most any type of assertion. If someone feels that we still need a signed DNS-based model, we'd do this within the DNS framework. I.e. registrars, when creating a domain, would also create a certificate for the domain name created and pass that on to the new owner, who can now sign for sub-domains as needed. When presented with www.sub.example.com, we have "www" signed by "sub" signed by "example" signed by one of the registrars for ".com".
Some of these concepts will require a re-thinking of the way we approach authenticated online identities. We need to stop placing so much importance on online identifiers (like domain names and e-mail addresses) and start paying attention to who is making those assertions. I can sign an assertion stating that my e-mail address is 'joe@example.com', but unless that's really my e-mail address, it's not going to do anyone a whole lot of good. If I go around forging e-mails from joe@example.com and including that signed assertion, everyone should be able to take one look at that and say, "Who the hell is this guy claiming to be joe@example.com?". Only the guy with the certificate stating the assertion that he is "joe", signed by "example", signed by a valid registrar for ".com" would be able to say that with any authority.
A lot of this can be done today with signed/encrypted XML, provided we have a common framework to start sharing the assertions.
FreeSSL offers free SSL certificates. Sure, they don't work in old browsers, but they're free, and great for people strapped for cash (like me).
-Frums
You fucking moron.
While the dot-com fiasco certainly hurt the economy in the long-run, it does not explain the tanking of the stock market that has continued throughout his Presidency. Nor does it explain how he could take a budget surplus and turn it into deficit spending in record short time.
Explains it quite well actually. Dot-com fiasco = tanking stock market -> recession -> less tax revenue. Pretty simple. Nice of Bill to set us up with this situation too. Do you think that recessions reflect changes that happened to the economy yesterday? If a recession hits as soon as Bush gets into office (before, actually), before the tax cuts, it proves he didn't do it. He didn't have time.
Then Cheney meets with oil big-wigs, including Enron, to help draft an "energy policy" that basically consists of turning over public land to private drilling so that the oil companies can sell the oil on the world market to the highest bidders. And now Bush-Cheney are doing everything in their power to hide who they met with.
Remember that little China thing that the NYT was nice enough to sweep under the rug (card carrying dem's that they are)? Soliciting campaign contributions from Chinese? Then how our foreign policy did a 180 and went pro-China, anti-Taiwan? Your arguments are non-unique. And what does this have to do with the economy?
Bush used his Presidential powers to force fertility clinics to throw away embryonic stem cells rather than having them used for valuable medical research. He refused to give money to towards U.N. population control programs because they mention the "a" word (abortion). He is working hard to throw public money to religious organizations through his "faith-based initiative."
Ah, now we get to your actual agenda.
But he has yet to give any of us a clue as to what he plans to do to revive the economy -- if he intends to do anything at all.
So what's your plan Greenspan?
It's even worse with java applets, for two reasons... One, I don't think you even get the "Jesus!! This software is unsigned!!" message. AFAIK, self-signed java applets simply don't run, or run with lowered privileges.
Secondly, while there are sites out there that let you "share" an SSL certificate with others cohosting on the same server, I don't know of anyone offering this service for signing java applets.
This is complete bullshit, and it really disturbs me that even the GPLed mozilla hasn't solved it.
My experience with instantssl.com (aka comodo.com) was very good for the one $49 cert I got from them. Plus, they were very responsive when I goofed my initial cert request (doh!) and had to re-request. I can't see Thawte/Verisign being nearly so responsive.
BTW, their sysops are all in UK, so they operate way ahead of our schedule, which can help/or hurt depending when you realized you've effed up.
Highly Recommended *****
-- Experience is a wonderful thing. It enables you to recognize a mistake when you make it again.
How is a pop-up a big fuss? Also most browsers allow you to permanently accept the certificate as valid, don't they?
-Bill
SlashSig Karma: Excellent (mostly affected by moderatio
What about governments providing a non-profit cert service? Sure, there is the typical caveat of having to "trust" the government...but how much do you really "trust" Verisign anyway? Governments already certify physical documents...why not electronic ones? You could just get a cert from the government covering the region you operate in (ok, I know on the net this can be worldwide)...from city, to state, to regional, to national, or maybe even international. This might also have the effect of localizing the trust - perhaps as a consumer you don't trust a cert generated by some middle of nowhere town or province...
It's 10 PM. Do you know if you're un-American?
OK, here are the CAs trusted by Mozilla:
ABA.ECOM
AddTrust AB
American Express (No, not a typo)
Baltimore CyberTrust
BankEngine
BelSign
CertEngine
Deutsche Telecom
Digital Signature Trust Company
E-Certify
Entrust.net
Equifax
FortEngine
GTE
GlobalSign
MailEngine
Verisign/RSA (Yes, this is what it's called!)
TC TrustCenter
Thawte
TraderEngine
United States Postal Service
VISA
ValiCert
VeriSign
Xcert
beTRUSTed
So, here are your choices! Choose wisely:-)
And when did the seeds for that recession get sown? Dot coms? Oh, that was Clinton.
So when did Clinton start a dot-com? According to economists, we did not enter a recession until Bush took office. The economy was in the toilet when Clinton took office -- thanks to Dubya's dad. When Clinton left office, the economy was far better and had grown more than at any time we can remember. We had a budget surplus that Dubya squandered on an ill-advised scheme to buy votes with tax dollars: "Vote for me and I'll have the Treasury send you a check for $300!"
It's Bush's economic stupidity that's keeping the economy depressed. If the economy is booming and taxes are exceeding spending, he wants to give a tax cut. Don't put the money aside. Don't pay down the staggering national debt. Give a tax cut. If the economy is faltering, taxes don't cover costs. His answer? A tax cut. Everything is a tax cut and he's borrowing money to pay for it.
I'm sick of the Republican bullshit of taking credit for the economy under Clinton and then blaming Clinton for the economy under Bush. Bush has been in office for two years. If he was Presidential material, the economy would have turned around. He's not and it hasn't.
Hope this is not too late. The practical use of certificates has nearly been destroyed by the CA's that get into the browsers as trusted roots. Here is a way to get things done cheaply.
1. buy a certificate from a recognized CA (Verisign, Thawte, Entrust, etc) for a web server.
2. create your own self-signed certificate in the context of a properly managed CA (you need to know what you are doing)
3. publish the CA's public certificate on a https web page on your server authenticated by the recognized CA
4. tell your users to pick up a copy at your trusted site and install it in their browser (or what ever other client they are using)
5. use your own CA to create subsequent certificates.
Remember that as a CA, you have parties that are relying on you. You need to handle revocation processing and certificate revocation. The good thing is that nearly everyone is producing PKI software these days. If you have a Win2K Server instance, you have a reasonable PKI. Do things right and there is no reason why you cannot use certificates in a trusted manner.
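Steps 2 and 5 above, carried out with the openssl command line, as an added example that is not part of the thread or of any product named in it. It assumes openssl is on PATH; the organisation name, the host name intranet.example.internal and the working directory are constructed for the demonstration. It builds a self-signed root, issues a server certificate from it, checks that the server certificate chains to the root with a matching host name, shows that a certificate somebody else self-signed for the same host name does not pass that check (which is what the third party in the trust model buys you), and then issues a replacement server certificate that still verifies against the unchanged root the users installed in step 4.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private CA with openssl.
# Assumptions: openssl on PATH; names, host and paths below are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="intranet.example.internal"   # constructed internal host name

# Step 2: self-signed root. Long lifetime, because every user imports it once.
make_ca() {
    umask 077   # the CA private key is the whole basis of trust; keep it unreadable
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/ca.key" -sha256 \
        -subj "/O=Example Corp/CN=Example Corp Internal Root CA" \
        -out "$WORK/ca.csr" 2>/dev/null
    # Mark the certificate explicitly as a CA so strict verifiers accept it as a root.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -sha256 \
        -days 3650 -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 5: issue a one-year server certificate for $HOST, signed by our root.
issue_server_cert() {
    name="$1"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -sha256 -subj "/CN=$HOST" \
        -out "$WORK/$name.csr" 2>/dev/null
    # Leaf-only extensions: not a CA, server use, and the name the browser will check.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$HOST" \
        > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.crt" 2>/dev/null
}

# What a client that installed ca.crt does: chain check plus host name check.
# Returns 0 when the certificate is acceptable for $HOST, non-zero otherwise.
verify_against_ca() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$HOST" "$1" >/dev/null 2>&1
}

# Anyone can self-sign a certificate carrying our host name; this models that.
make_rogue_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$HOST" -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

demo() {
    make_ca
    issue_server_cert server
    if verify_against_ca "$WORK/server.crt"; then
        echo "server.crt: signed by our CA and name matches"
    fi
    make_rogue_selfsigned
    if verify_against_ca "$WORK/rogue.crt"; then
        echo "rogue.crt: unexpectedly accepted"
    else
        echo "rogue.crt: rejected, not signed by the CA the users installed"
    fi
    issue_server_cert server2   # annual renewal: new key, same root
    if verify_against_ca "$WORK/server2.crt"; then
        echo "server2.crt: renewed certificate verifies against the unchanged root"
    fi
}

[ -n "${NO_DEMO:-}" ] || demo
```

Only ca.crt is handed to users (step 3 and 4); ca.key never leaves the CA host. Revocation, which the comment rightly insists on, is not shown here: a real deployment would also publish a CRL signed with the same key, which is why the root's keyUsage includes cRLSign.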
http://certs.ipsca.com/ I've been using them for a secure site for a while, they even have a free 6 month cert. They work by default in 90% of browsers, no warnings. Basically you pay for what you get, the more you pay, the more browsers someone's cert works in, because of root CA updates. But if you can just advise anyone using your site to update their browser then it's not a problem. With as many bugs in all browsers, you're flirting with viruses if you don't update them.
The average user becoming used to ignoring security warning is a bad thing.
Part of the trust involved isn't just that I trust the name I see on the site, it's that I really am talking to who I think I am. Remember, I can create a self signed certificate for www.abcd.com just as easily as the real owner of www.abcd.com. All I need to do then is hijack his DNS (or get my IP address with his name in your hosts file) and you're talking to me and think you're talking to him. And because we're both using self signed certificates we'd both look as real.
That's why the third party is important.
If you have an existing relationship with the people accessing the site (ie you have a channel whereby they can verify the cert once and don't become used to ignoring warnings) this isn't a problem.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
If a recession hits as soon as Bush gets into office (before, actually), before the tax cuts, it proves he didn't do it. He didn't have time.
According to most economists, we sank into the recession after he took office and after his ill-advised tax cuts.
HOW FUCKING LONG DO WE GIVE BUSH BEFORE WE BLAME HIM FOR NOT LEADING?
And what does this have to do with the economy?
You really are a dumb fuck. Consumer confidence affects the economy. How much consumer confidence will there be when Bush-Cheney are holding secret meetings with the very companies that are in the middle of scandals? Consumer confidence is not affected by campaign contributions from foreign nationals.
Ah, now we get to your actual agenda.
Now we get to one aspect of my "agenda." But it seems to be Bush's only agenda. He ignores the economy in order to force his religious beliefs down our throats. He has no plan to get the economy rolling, but he has plenty of time to funnel borrowed money to religious groups.
So what's your plan Greenspan?
I see: A poor economy is the President's fault if the President is a Democrat, and it's Greenspan's fault if the President is a Republican. If the American people don't have confidence in the economy, no amount of tinkering with interest rates will fix that. We need a President who is a leader and we don't have one.
Bush has had two years to revive the economy and, at this rate, we'll be lucky if the U.S. doesn't look like the set of the movie Mad Max in two more.
Poor Cliff.
Actually, the "by" immediately after the title of a story refers to the editor who posted the story, not to the user who submitted it. Cliff handles Ask Slashdot.
Will I retire or break 10K?
It's soooo quick (10 minutes) and soooo easy, and it only costs $120 (last I checked). Doesn't even need a DUNS number!!! I love it! No more Verisign for me...
(no i dont work for them -- haha)
http://home.himolde.no/~kd/prosjekt/ca/ca.html
This is something that really chaps my ass. It is *easy* to start your own Certificate Authority (CA). The problem is getting your CA recognized in the web browsers of the world. In a nutshell you need to pay many fat bribes, on the order of several hundred thousand dollars, to Microsloth, AOL, etc.,etc...to get your CA listed in the browsers. Big companies, like Sun for instance, can afford to do this.
It would be great if some respected non-profit organization like the Free Software Foundation had enough pull to start a free Certificate Authority that could get listed in the browsers.
I'm sure Verisign and the other blood suckers at large would hate, despise, and bring on the legal nazis against this. Hence it isn't likely to happen anytime soon. Too bad since this is a major roadblock to the common use of encryption on the net.
Alas....
Azurite is fine covellite is mine.
1) Almost every known root CA targets businesses as their primary customers. The prevailing mentality seems to be that if you want to secure your HTTP server's connections to members of the general public, you must be running some sort of business. Their cost per certificate is nothing; you are paying them not for the certificate itself, but for a certification of your trustworthiness as a business.
But what if I'm offering a free service, which nonetheless requires that my users have absolute trust in their browsing security? What if I'm running a nonprofit organization? If the CAs were truly interested in security, they would offer a low-cost alternative for people who are offering free services, and perhaps a free certificate for non-profit organizations.
You may point out that I can now get a cheap certificate for $50. While this is true, the low price of certificates these days is the result of market pressure. These guys aren't lowering their prices out of the goodness of their hearts, or to help Joe Q. Webmaster who wants a secure website. They're doing it only in response to competition.
2) 'Wildcard' certificates cost an absurd amount of money, usually $500 or more.
Excuse me? The entire premise of the certification is that Thawte (or VeriSign, or whoever) is certifying my trustworthiness as an organization. As such, it shouldn't matter whether I have one, ten or a hundred DNS names associated with my website and with my organization. By forcing you to buy separate certificates for your web server's DNS name, your mail server's DNS name, your LDAP server's DNS name and others, they are extracting even more money from your wallet. Even if all my services are hosted on the same machine, I must pay hundreds of dollars extra for the privilege of giving them separate aliases. The only other alternative is to host all of my services on one machine, under one DNS name. Thank you so much, VeriSign, for sticking your nose into my system administration.
And, finally,
3) VeriSign, the biggest fish in the pond, has demonstrated on more than one occasion that it is in fact not trustworthy.
Remember the incident involving a falsely-issued code signing certificate for Microsoft? That's right! This supposed paragon of trustworthiness gave some unknown cracker free rein to masquerade as the largest software company in the world. If they're that damned vulnerable to simple social engineering...then why did I pay them $200 or more, again? What exactly were they certifying?
From the start, the entire digital certificate business has been about politics and moneymaking, nothing more. It's a pity that we're forced to live with it.
> How can they be reasonably certain the remote server is
> actually who it says it is if the cert is self signed?
They can't. And they may never be able to. Browsers are always putting up bogus marginal security warnings; people have learned to click OK and get on with it.
Security people are really bad at user interface.
Almost any solution will be in the form of "do this and that mumbo jumbo with your browser, go here, do that, trust me". Any imposter site can do the same. The computer is a big ocean of inscrutable complexity. What's a human to do?
I'm not trying to be a troll here; I'm just trying to point out some of the problems. Most people do not understand the Certificate Authority panel, or any other security panel, in their browser, well enough to be able to tell if they're doing the right thing.
Hmmm... this browser I'm on doesn't even have one. OK, internet exploiter - that has one. 85 certificate authorities in the list, as shipped, and it's a security breach if ONE of those CA certs is bogus.
OK, quiz question, here's some of the certs that came built in with Internet Exploder:
SecureNet CA Root au
EUnet Internatioinal Root CA EUnet International
RSA CyberTrust Root RSA Corporation US
Netlock Uzleti (Class B) Tanusitvanykiado Tanusitvanykiadok NetLock
Which one of these did I make up? And, more importantly, how did you decide that it was bogus?
Marketing-driven companies end up over-marketing their products. Engineering-driven companies end up over-engineering
While I must say in my own defense that I was not initially trolling, I just couldn't resist a little South Park humor. I however find it funny that an economy that does 8 trillion dollars in yearly business can be sidetracked by one man, well at least that is what you stated. Ladies and gentlemen the script has flipped, nothing is the way it used to be, economies around the world are hurting. The Japanese have had a decade long recession and still there is no light at the end of the tunnel. Corporations kept shoddy books, people defrauded the public. They will pay until the American people get bored with it on the nightly news. Maybe some good will come out of this, cleaner books, more transparency. To end, before you try and judge a man who is directly responsible for the welfare of 280 million people, think about that. We are all on this rock together, just a little understanding would be good.
Maybe it is as much of a scam as we think - otherwise, why did Verisign issue "two certificates to an individual fraudulently claiming to be an employee of Microsoft Corporation"? (CERT Advisory CA-2001-04)
Entrust tried and failed to sell PKI to anyone. Until 2000 PKI was Entrust's primary (only) focus. Unfortunately PKI is a solution looking for a problem. There are other problems as well. (Link courtesy of the July 15 2002 Cryptogram)
It is too bad really. Where PKI works, it works well. MS's Passport and Sun's thing are really PKIs waiting to happen.
try ccc.de---they offer free certs
This is the first post with a real answer to the question. Just because it was posted by an AC does not mean it is a troll or offtopic. This post would already be at +5 if the user had logged in. Please give credit where credit is due.
simply code up an activeX control that appends the following to the client's c:/windows/system32/drivers/etc/hosts file:
ca.verisign.com <your.openssl.server>
There aint no pancake so thin it doesn't have two sides.
If you're trying to create a secure service that works on OpenWave WAP phones, most of the gateways only have a limited selection of allowed root CAs, and don't provide any way for a phone user to accept other certificates. This makes a certain degree of sense, since the limited screen size of a WAP phone would make it prohibitive to inspect a certificate. But the upshot is that you can't use an SSL service from a phone using a self-signed cert.
--
Do I look like I speak for my employer?
Er, um, you can. It's trivial to be a certificate authority. You simply need to read a couple of HOWTOs and understand how X.509 certificates work. At MIT for example, we are our own CA. The MIT CA signs all other certificates, such as certificates for machines that offer secure services, or client certificates for users to authenticate themselves for confidential services. Sure, your browser will claim that it won't recognize the certificate authority. But go ahead and download the root certificate, and tell Netscape you want to accept that certificate authority to certify "Internet sites", and you're all set. You only have to do that _once_. Ever. Just make sure that all your server certificates are signed by the certificate authority.
At MIT we get around the "accepting the certificate authority" problem by re-distributing Netscape with our CA already in the database. If your organization isn't big enough for this, then just hand the customers printed instructions on how to do it. Tell them by doing this, you're saving them money, with less costs to pass on.
Commercial Certificate Authorities mean jack shit. All they "certify" is "Joe Schmoe paid me $400, so I will now say that he is who he claims to be." Big fscking deal. Who exactly are they to claim that, anyway? Do they have access to Joe's birth certificate? His passport? His social security record? I had to provide more documentation to get a Massachusetts Drivers License than I did to get a certificate from Verisign. Once the general public realizes this, Verisign will need to find a new source of revenue. I envision a future when certificate authorities can be obtained for a nominal processing fee ($30) provided the requestor provides proof of identity (or corporate identity).
There is no sig, there is only Zuul.
Our users are easily alarmed, so we need to use a certificate from CA that is fully trusted by all of the common browsers. This pretty much limits you to Verisign/Thawte. If you expect that most users will have mostly upgraded to more modern browsers, then your available choices increase dramatically.
I am currently considering InstantSSL... so far it's taken two days, and no signed certificate, but the price (free trial, $49/year) is right.
I do not deploy Linux. Ever.
It might be worth it to use a CA that is established, and looks to be around for a while. (I know, nothing's forever - especially on the 'net...) What I mean is, some CAs are running on VC $$$, and wouldn't it suck if you had to go out and get a new cert when their $$$ dries up and they go outta business. When a CA ceases to exist, there is no real way for your customers to verify the validity of your certificate, as the trusted 3rd party vouching for your company's identity will no longer be in business. This can be extremely important.
Yes, and this is just a preview of the next economic layer that is going to be laid on top of the Internet with the arrival of Palladium. What do you suppose you will have to do to get your content enabled so everybody's PC will be allowed to open it? It's not just a scam, it's maybe the ultimate scam. Inflict the publishing industry's business model on the Internet by taking control of all the hardware connected to it.
These bastards are pure evil.
They've also done some innovative technology, but their basic raison d'etre was to sell certs for a low price, since the cost was also low.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
For internal use only, there is no reason you can't be your own CA, as long as you prepare a standard client load for all of your internal users. SSL is no less secure, all the cert is used for is negotiating a session key anyway.
If you're going to enroll for more than 30 or so SSL certificates a year, you have a couple of alternatives to keep costs down. You can run an RA, which means you register the certs and a trusted CA signs them (VeriSign operates under this model), or you can get a subordinate CA that is signed by a trusted CA (RSA bought Xcert so they could offer this service).
The first company to offer a tool to let you manage your own CA was Netscape, which became iPlanet, and was bought by Sun. Their documentation is great, read this explanation of the benefits of a Self-Signed Root Versus Subordinate CA.
RSA writes very good docs too, but they're new to the CA business, and I believe the way their KCA product is positioned and pricing model will change. They are mostly interested in customers who use a lot of certs, for now.
Furthermore, if you set up your CA correctly, you can install your root certificate in every browser in your organization so they never get that "untrusted CA" message. For Internet Explorer, it is easy, just copy the p7b file to the desktop of the machine it will be installed on and right-click it and choose install. With Mozilla, it is a little more difficult since they do not allow you to directly import new roots, but if you include the root as part of a p12 file, it will be imported with the regular certificates, you just need to edit the trust afterwards.
They're popular in europe, too. I see they're partnering with Sun, but it doesn't look like they're offering an RA or subordinate CA, unfortunately.
This whole thread begs the question, how does one become a Certificate Authority. Someone started it and others are available if you look at the CAs in your browser prefs. Couldn't a company be their own CA then?
-- DuckWing
I recently had the same question you do, namely I've got a small site doing a limited amount of business but I still need to accept credit cards and use SSL. Verisign? No way in hell. It'd take me two months to make their fee back in profits. No thank you.
After searching around a bit I found a site called InstantSSL run by an outfit called Comodo. They offer a 1 year 128-bit cert for $49, and you can even try it out for 30 days free of charge. I did, and it works well enough that I haven't had any complaints.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
There is another drawback to becoming your own CA that is much more serious, though. I, as a web user, have no real problem accepting a self-signed certificate for an individual website or two. I'm very very hesitant, though, to accept Joe Schmoe as a CA, as this means I have given him the ability to, for instance, authorize whatever certificate he wants as a valid certificate for my bank's website. This is not cool with me. When I'm sending sensitive data over SSL to my bank (and others), I need to know (as much as possible) that the party on the other end of the transaction is who they say they are. My browser (Mozilla) doesn't offer any way to limit the scope of a CA's power at finer granularity beyond "this certificate can identify web sites."
You have discovered a possible market for a low-priced product. Perhaps you could start your own certificate-signing company that charges, say, 10 cents a day ($36.50 a year) or 5 cents a day if you prepay for five years ($91.31) That's a pretty reasonable price.
When you make a bold claim like that, you should provide a link. I didn't believe you until I looked it up myself.
This page, right? ... It is NOT encrypted! (at least not when you browse to it from here. Opera bug, or wacked design? You decide.)
You want interest supporters to send their CC and personal contact info over the net in plaintext? I sure as hell wouldn't sign up as a member online...
Yet again, the assumption that the world stops at the USA's borders.
Do try to remember that some of us don't answer to Uncle Sam.
Usability and security are at least superficially at odds here. Usability dictates that the user should be allowed to do whatever is desired, while security would rather break out the straitjacket. Perhaps a better compromise would be an obscure little option buried in the browser's advanced preferences that, in its default state, would simply not allow the user to click past a security warning. This little problem has more people than just you and I quaking in their collective boots.
Knee-jerk reaction: "SecureNet who?" Second look: "Wait a minute, CyberTrust isn't by RSA."
In any case, GTE CyberTrust is in the default roots, which would have me looking twice if it popped up in a security warning. I remember seeing the remaining two last time I skimmed the CA list.
Disclaimer: I get paid to understand the issues around public-key cryptography and its associated infrastructure, so maybe I should be disqualified from your quiz. :-)
In any case, I'd much sooner trust a self-signed certificate or obviously private CA hierarchy for minor snoop repellent (such as keeping nosy folks away from my 'blog passwords) than one made up to look official but didn't pass muster. Besides, with a self-signed cert, you can always stash a copy of it and have your browser scream if it changes, much like with SSH.
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
Almost instant (like 10 minute) issuance.
Trusted by 99% or so of in-use browsers (IE>=5.0, Netscape>=4.x, AOL>=5, Opera>=5).
Works great. Highly recommended.
It's also nice to be able to set up multiple hosts or hostnames with certificates. It's truly a one-stop shop.
Of course, the security of the situation is similar to SSH - the first time you connect to an SSH server (or in this case, when the users click on the link to load the CA certificate), they don't have any guarantee that they're not being misled by a monkey-in-the-middle. That, for the most part, is the only thing the $x00 / year and/or the scary browser warnings really buy you.
My site doesn't do any e-commerce, but I do have some users who use Squirrelmail over HTTPS with such a setup. I've gotten no complaints from them about having to add the CA cert. And when I go visit someone else's house, it's sort of second nature for me to add the CA cert to their browser so that when I visit in the future I won't have to do it again.
You might need a certificate signed by a well known CA for your connections from the internet, but for all your backend servers you can create your own CA. This will enable you to use full-strength 1024/128 bit SSL for nothing. There is a project called tinyca which enables you to create and sign certificates with your in-house CA. So you create a CA for your company and add the CA to all your backend servers. Once this is done, any certificate signed by your CA will be valid and fully secured.
I have tested it for Apache and WebLogic and WebSphere and they work very well.
The idea is that this is the thing the users are going to have to all import into their browsers. You don't want to make them do it more than once. But the whole reason keys expire is that with concerted effort over time they can be factored. So you need to make the key length proportional to the expiration period in at least an attempt to ensure that the key will remain secure over its lifespan.
The server cert should have a much smaller key, say a kilobit, because it's used a lot more than the CA cert (validating a server cert will be "hard" because it's signed by a 16 kilobit key, but once it's done, the certificate is known-good as long as it remains valid), but because of that it should expire annually. But since you have a long-lived CA cert key, the users won't have to do anything when you do replace the server cert.
Of course, all of this is tempered by how paranoid you need (or want) to be.
Well, I'm not going to state the obvious and say that mod points don't always go the right way. Well directly at least...
In any case you shouldn't have looked for rackshack. They resell Geotrust certs.
Hmmm... Pie...
Remember, I can create a self-signed certificate for www.abcd.com just as easily as the real owner of www.abcd.com.
Right. And you can get a real CA signed certificate from many CAs for abcd.com, too, with about (or as little) deception as hijacking DNS if you're willing to do a little Jim Rockford-style deception.
I think the point is that it's trust -- just because a third party is *appearing* to vouch for the authenticity of abcd.com doesn't mean something creepy hasn't happened -- but you have to *trust* that everything's OK. It's like seeing the BBB sticker in a window. Doesn't mean they're not going to rip you off...
trusted root cert? M$ and all the cert providers are in bed with each other.
ps: don't start on the open source options. M$ is the big dog and nobody really gives a shit about open source or other browser providers as a result.
Ok so how does a noob go about creating their own cert? I have tried once before but I never got it to work; it seems as though there is no good set of instructions to create your own cert and put it into Apache on the home web server.
1) Almost every known root CA targets businesses as their primary customers.
So? People who run businesses are entitled to target any subset of potential customers they choose. Usually this means the people most willing to spend money will get the most attention. Nothing obligates a company to be generous toward those providing free services. I agree that this is an unfortunate situation, but it's not the fault of the certificate vendors.
The internet community should establish a trustworthy non-profit body to administer certificates that charges just enough to cover administrative costs. Until that happens we're stuck with a choice between self-signed certificates, self-certified certificates, or profit-oriented services.
2) 'Wildcard' certificates cost an absurd amount of money, usually $500 or more. Excuse me? The entire premise of the certification is that Thawte (or VeriSign, or whoever) is certifying my trustworthiness as an organization.
Excuse me, but that is completely wrong. An end-entity certificate certifies that you are who you say you are, not that you are trustworthy.
Clearly a wildcard certificate is no more expensive to produce than a more specific one, but the fact remains that this is a market economy and there are reasonable alternatives. There is nothing fraudulent happening here.
3) VeriSign, the biggest fish in the pond, has demonstrated on more than one occasion that it is in fact not trustworthy.
True indeed, but again not a scam. Software is complex and security even more so. Being trustworthy is difficult, and while I see nothing praiseworthy about VeriSign, they should not be vilified for trying and failing. (There are plenty of unrelated things for which they truly deserve blame, but that's another story.)
From the start, the entire digital certificate business has been about politics and moneymaking, nothing more.
Hello? Politics and moneymaking are a legitimate part of society. We get nowhere by turning up our nose at these things. Accept them and get busy making things better.
Not all those who wander are lost.
use java and the associated security.cert package to write your own CA.
Rackshack was selling Geotrust certs for $29. Had this story been posted a day or two earlier you could have gotten in on it :). They seem to be selling them now for $49, which is still *much* better than you'll find from say Thawte/Verisign. They've worked in every browser I tried, though I believe I just saw someone say they don't work in Opera. Oh well, small price to pay to save $120+ on a cert.
Game... blouses.
I do now notice that Thawte seems to have become a Verisign company. Also GTE CyberTrust's page http://www.cybertrust.gte.com/ seems too barebones for a commercial entity. Seems like Verisign is the only choice remaining when it comes to full compatibility?
Of those to whom much is given, much is required.
It occurs to me that it might work to set up a combination "better business bureau" and "SSL" certification on the web.
Keep everything automated -- however, you get a score for unanswered complaints, answered complaints that are not accepted by the complainant, and such. Score drops too low, you lose your cert.
By doing that, you would actually provide the service of an alternative means of security.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
Xela Limited
[Ranting, flame if you want... Corrections and thoughts would be most appreciated ;)]
:p
I know you're paying to prove you say who you are, but what's the big deal here anyways? To me, certs are more about encryption than a form of digital ID.
The 'Certificate Authority' is just another scam to monopolize, to a certain extent, encrypted digital transfer of data. If my cert is OpenSSL with myself as the signing authority, the cert is no less or more secure than an 'official' certificate. And even if the site/program is signed by authority, that does not mean you are not being cheated in some way by the issuer.
Blablah, I call for a grass-roots movement demanding the power to self-sign code and sites etc... Who's with me??!?
-- iie1195
I would be very hesitant to add you, someone I do not know or have a particular reason to trust, as a CA. I wouldn't mind accepting your self-signed certificate to do an SSL transaction with your site, but adding you as a CA is a much bigger security risk. If I do that, you can then sign certificates for any site, including sensitive sites like my bank's. Then you, as a potentially malicious CA, can trick me into accepting false certificates identifying my bank's site.
Thus if you don't want to use a certificate signed by the major CAs, then please just self-sign. I have no problem accepting self-signed certificates, but adding random sites you don't know as CAs is a huge security risk that no one should do (so it'd be nice if you didn't require people to do it in order to visit your site).
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
for me anywayz
Thawte does offer a free certificate, which can be used to sign your applets. There is a guide on how to sign your code with that certificate. The only thing you need after signing up with them is to get notarized. This will most likely cost you a little money. It cost me around $12 (yes, twelve dollars!) to become fully trusted and now my Web Start application is signed and trusted to the same degree as all the other expensive ones, for the full price of US$ 12!
Why is it claiming it's a US address, when it's a British city in a British county with a British postcode?
OpenSSL has everything you need to run your own CA. If you need some more docs than those that come with OpenSSL, there are loads out there, including these written by me. I run a CA using OpenSSL, and it's great. Does everything I need. All the internal machines trust the CA, and those external people who need to have also set up their browsers to trust it, so all is fine.
This post will enter the public domain 70 years after my death, unless Disney buys another extension.
And Verisign WAS RSA - spun off a couple years ago.
As of Aug 02 - Thawte no longer sell wildcard certs... we use them extensively to secure multiple *.our.domain.com sites in our web application. (we need around 10 separate secure web sites so the $500+ price tag is worth it)
What is bizarre is that Thawte tell us to go to Verisign.. I have now called, emailed, posted requests to Verisign and can get NO response.. being in Australia doesn't help. (what with timezones and the like)
Does anyone know where we can get wildcard certs now ??
I am just setting a site up now that will sell 128-bit SSL certificates, compatible with 99% of browsers (same level as Verisign and Thawte), and they will sell for $49.99 per year (or less for multiple years in advance).
;o)
www.rocksolidssl.com will launch in about 2 weeks!
There will be a 10% discount for the first week to get things rolling, but just for slashdot readers, I will offer 15% if you put the word "slashdot" in the discount field on the payment form, in the first week.
Can't say fairer than that
Have fun,
Jamie Burns.
This is even more funny than you think: what do you sign your ActiveX applet with? YES a Verisign key that says that you are really farnsworth.
What the hell was insightful about this post? Looked more like an exercise in foul adjective throwing to me!
-- Many men would appreciate a woman's mind more if they could fondle it
My company has a web presence such that we feel that it is in our best interest to use a big gun, such as Verisign, to issue certs even though we know we are getting the shaft. Whether or not Verisign is doing their job aside, Microsoft and Netscape browsers trust them blindly and most of the Internet community doesn't know any better.
Besides, the biggest issue I have is not the $800/year we spend for the 128-bit certificate, but the fact I have to buy one for each server, even if they use the same name (read the license agreement ... it's in there.)
Since customers are required to sign up for our service, why can't we buy one Verisign certificate just for the sign-up server, then require customers to install a new root cert for our company to use our service? In fact, we could make that part of the install process with a 'click here and select OK' message. Most users would blindly click it and go on. Then we could create as many of our own certs for the rest of our servers as we wanted with no cost, and maybe even 5 or 10 year expirations so we don't have to replace the blasted things every year.
Any thoughts?? I'm sure our marketing department could put together a wonderful page explaining how Verisign trusts us, blah blah blah.
I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
You could run a proxy that only accepts connections to trusted hosts (your internet appliances). That proxy could itself access the trusted host through SSL, but ignore the warning. The proxy itself would have a valid SSL certificate.
So you'd access URLs like:
http://mysecurehost/mytoaster
http://mysecurehost/mymicrowave
http://mysecurehost/mypenguinnightlight
---
I support spreading santorum
The MIT approach is a real pain in the ass for anyone who actually needs to use the secured services on a platform that's not supported... and the list of supported browsers is pretty thin. At one point I had to boot OS9 on my powerbook just to run a very old netscape just to get to data secured by such a certificate... and now I keep a copy of Netscape on my Powerbook ONLY to use in this situation... it's very annoying. You've cheated Verisign of $400, and inconvenienced thousands of people.
You can generate certs with many different software packages. JDK would be a popular one. This does not tell your clients that the information they are receiving is in fact from your webserver. So it's kind of useless.
On point number 1, you are absolutely, positively, 100% incorrect. The purpose of a certificate is not to establish that an SSL server operator is a "trustworthy business," it is to assert that a server operator has agreed to a set of behaviors that will protect their private key, to provide an indemnification structure, and (optionally) verify that some trusted third party thinks you have a real address that can be served with legal papers should you not properly protect your private key.
To establish that a business is "trustworthy" is an entirely different proposition usually involving accountants, business consultants, and statisticians to evaluate the survey results from their customers. If someone is trying to tell you that a business will adhere to any agreement made with you simply because they are in possession of a valid SSL cert, they are blowing smoke up your kilt.
Also, I'm surprised that you would say that there is no cost associated with issuing a certificate. I'm sure that you administer multiple redundant secure Unix systems for fun, but most people actually have to get paid to do this work.
That should actually read "bulk of the workforce in Canada", sorry 'bout that.
Not really. OpenSSL lacks a robust OCSP server (the built-in one can only serve one connection at a time!) and relational database integration tools.
(I'm posting anonymously 'cuz in my other life I'm moderating...)
Seems that a lot of people here don't quite get the point of a CA. They are essentially a Notary Public of the Internet. Their job is to vet you and make sure that you are who you say you are. I propose that perhaps (and I'll don asbestos undies now), your state DMV (Department of Motor Vehicles) or your state's Revenue Department become Certificate Authorities. Considering that they have the information that makes sure you're you in meatspace i.e. driver's license or state ID, and that they have all info that Verisign would look up, I feel that a state should have its Root CA included in browsers.
Also, since you're already applying for ID cards, the state should be able to certify your digital signature, just as they do on your driver's license or ID card. I mean, if we're on our way to a police state anyway (thanks, Asscroft), let's use the transition to come into the 21st century...
- chris
Fuck karma. I'm tired of crap questions with OBVIOUS answers on /.
Go to google.com. Type in: free ssl certificate
It is trivial to find free certs good for 6 months, or $50 certs good for a year.
"Population 1,656"
Is it now? Gosh, let's see. We support Mozilla 1.x. We support Netscape 4.x. We support Netscape 6.2.x. We support IE 5.5 and above. It even supports a version of Lynx. What more do you want? The AOL browser?
There is no sig, there is only Zuul.
List this one.
Notepad specialist & FAT administrator, group training available
Has anyone noticed that all of these stocks trade below $5 a share? In the past, a lack of financial wherewithal has caused many companies to engage in *ahem* less than ethical manners */ahem*. Given that what these guys are selling is trust and given that currently they have much less to lose by being untrustworthy than they had a few short months ago, why should I trust them any more than Joe Bob's Muffler and Certs Shop?
That is all.
Now, the next step. (a little off-topic but it will be taken someday, maybe sooner than later.) Are you really the guy who owns the device or account that is being used? Devices such as fingerprint and/or retinal scanning or just a card-swiper can (supposedly) add another layer of security. How does one "certify" locally or remotely that someone else is who that someone says he/she is? Remote retention of data by the gov't? Maybe, maybe not. Voice recognition? Then, there is the little problem of securing the stuff that secures the stuff that... (umm...gotta go)
(whatever)
Very affordable. Their base certificate is $50 and their Pro version, which includes a $2500 warranty, is only $70.
I had the same dilemma. I found a site called instantssl.com, you can get a certificate for as low as $49! Check it out.
See my reply to someone else's reply, for a clarification of my point #1. I misspoke, but if you look at the remark in the context of the paragraph, you'll see that I'm talking about identity, and not trustworthiness.
Of course, there is an indirect cost associated with issuing a certificate. There's recurring overhead, the cost of the hardware on which the certificate servers reside, legal costs, etc. But the certificate itself is just a handy mathematical abstraction, and I'm damned sure that the cost to VeriSign per certificate they issue is a damned sight less than $400. If it isn't, that's their problem and they need to seriously reconsider their business practices.
This is one of the weak points of public-key encryption; for it to be effective, you need some way to verify that the person whose public key you're using to encrypt data is really the person who you want to send the data to. With SSH this is typically done by keeping a list of fingerprints of the public keys of known hosts; the first time you connect to a host you're prompted with a warning that it's an unknown host, and asked if you want to add it to your known hosts list. This is a point of failure -- if the first time it turns out to actually be an imposter, you'll have added the imposter's fingerprint.
The SSL key-signing mechanism is intended to avoid this problem by having a company like Verisign that is supposed to be trustworthy. Thus you only need to get Verisign's key in a trusted manner (usually by being distributed with a browser), and then you can verify that all the other keys you get aren't fakes by checking to see if they've been properly signed by Verisign. The only points of failure here are: 1) the possibility of getting a fake Verisign key; and 2) the possibility of Verisign messing up and certifying a fake key. Generally 1) is not a significant problem; 2) may be. Since browsers generally treat all CAs the same, the strength against weakness 2) is only as good as the reliability of the least-reliable of the CAs. This is another reason why adding an unknown CA is a bad idea -- it basically makes the signing system completely useless. If you're going to do that, you might as well just tweak your browser's options to stop warning about unsigned keys altogether, since keys being signed by untrusted random parties isn't any better than them not being signed at all.
It's a fairly difficult problem to solve successfully. With PGP email one method being explored is a "web of trust," where you sign the keys of people you can vouch for (i.e. you know them personally so you can verify that they are who they say they are). This is difficult to scale though, since it only takes a handful of otherwise-trustworthy people to irresponsibly sign keys without properly verifying their authenticity to make the whole system useless (similar to the way it only takes one bad CA to make the system useless, only here the number of points of failure is much higher).
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Verisign only attempts to do one of them -- verify that the site is who they say they are. Thus when you see "certificate from Amazon.com, signed by Verisign," if Verisign has done their job properly you can indeed be sure that this is Amazon.com's genuine certificate and not a forged one created by a malicious third party intercepting your communications (perhaps at the router level).
Now you're entirely correct that even if that's done, there's the additional question of "okay, so this really is Amazon.com; but is Amazon.com trustworthy?" I don't think the CA system is intended to answer that question; it's merely intended to let you know for certain that your communications aren't being intercepted. Furthermore, I don't think it would need to. The encryption system only needs to verify the authenticity of the other party; to determine the trustworthiness of the other party, things like resellerratings.com (expanded perhaps to other issues such as privacy and security) can suffice, since the ratings/review system doesn't need to be built into the encryption infrastructure.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
SSL certificates are solely intended to certify the authenticity of a DNS hostname. I also think it's a sham to be selling these for every single hostname. If I as an organization have administrative control over example.com, all I should have to do is buy a certificate that establishes my control over example.com. I should be able to take that certificate and sign sub-domains and hostnames under example.com and distribute those keys throughout my organization however I want to. Validation of those certificates would only extend to the domain name signed by the next certificate up the chain, so I can't just sign www.microsoft.com using my example.com certificate, but it leaves complete control over establishing the authenticity of hosts and sub-domains under my domain to me, which is where it should be.
As such, it shouldn't matter whether I have one, ten or a hundred DNS names associated with my website and with my organization. By forcing you to buy separate certificates for your web server's DNS name, your mail server's DNS name, your LDAP server's DNS name and others, they are extracting even more money from your wallet.
If it were up to me, SSL certificates would be issued for every domain registration directly from the registrars. Browsers wouldn't trust arbitrary certificate authorities, they'd trust the certificate created for the root DNS zone, which would then be used to sign registrar certificates for the zones they control, and delegation (in DNS and certificates) would proceed from there.
The sole advantage to the system as I see it today is that there are fewer points of vulnerability. The big certificate signing authorities can afford to spend a ton of money securing their keys. But once you start delegating outward, every registrar responsible for the .com zone would have to protect their keys equally well. If one got compromised without them knowing, any .com certificate would be suspect (subject to revocation at a later date, obviously). In addition, if my subdomain.example.com key was compromised and a www.subdomain.example.com host was hijacked, an SSL user-agent would treat it as authenticated. Fortunately the damage would be limited to that subdomain.
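An added example (not code from any poster in this thread) that ties together the earlier posts on running your own CA with OpenSSL, the long-lived CA key with an annually replaced server cert, the SSH-style "stash the cert and scream if it changes" idea, and the post above on delegation that only reaches names under your own domain. It assumes the openssl CLI (1.1.1 or later); Example Corp, example.com and other-company.test are placeholder names, and the key sizes are practical choices rather than the thread's 16-kilobit suggestion.

```shell
#!/bin/sh
# Added example, not from the thread: a private CA built with the openssl CLI.
# It shows (1) a long-lived root key and a one-year server cert, (2) an
# issuing CA restricted by X.509 Name Constraints so it can only vouch for
# names under example.com (the delegation the post above argues for), and
# (3) an SSH-style fingerprint pin for a private-CA or self-signed cert.
# All names (Example Corp, example.com, other-company.test) are placeholders.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Request config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_issuing ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:example.com
EOF

make_root() {  # 10-year root with a 4096-bit key: this is what users import once
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 -config req.cnf \
    -extensions v3_root -subj "/CN=Example Corp Root CA" \
    -keyout root.key -out root.crt 2>/dev/null
}
make_issuing_ca() {  # 5-year intermediate that may only sign example.com names
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
    -subj "/CN=Example Corp Issuing CA" -keyout sub.key -out sub.csr 2>/dev/null
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile req.cnf -extensions v3_issuing -out sub.crt 2>/dev/null
}
issue_server() {  # $1 = hostname, $2 = file basename; 2048-bit key, one-year cert
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
    -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$1" > "$2.ext"
  openssl x509 -req -in "$2.csr" -CA sub.crt -CAkey sub.key -CAcreateserial \
    -days 365 -sha256 -extfile "$2.ext" -out "$2.crt" 2>/dev/null
}
verify_chain() {  # $1 = leaf cert; prints OK if it chains to root via sub, else FAIL
  if openssl verify -CAfile root.crt -untrusted sub.crt "$1" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
pin_check() {  # $1 = cert, $2 = pin file: record on first use, compare afterwards
  fp=$(fingerprint "$1")
  if [ ! -f "$2" ]; then printf '%s\n' "$fp" > "$2"; echo recorded
  elif [ "$fp" = "$(cat "$2")" ]; then echo match
  else echo MISMATCH; fi
}

make_root
make_issuing_ca
issue_server intranet.example.com intranet   # inside the permitted subtree
issue_server www.other-company.test rogue    # same issuing CA, wrong domain
echo "intranet.example.com: $(verify_chain intranet.crt)"   # OK
echo "www.other-company.test: $(verify_chain rogue.crt)"    # FAIL (permitted subtree violation)
pin_check intranet.crt intranet.pin   # recorded (trust on first use)
pin_check intranet.crt intranet.pin   # match
pin_check rogue.crt intranet.pin      # MISMATCH: the cert behind the pin changed
```

Replacing the server cert next year only changes what `pin_check` sees, not what browsers trust, because they imported the root rather than the server cert.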
I found this thread while looking into SSL for a small business e-commerce site I am designing.
All I want to do is encrypt the credit card number the client is entering.
On one hand, I don't really care if they trust the website as a business, because they wouldn't enter their CC# if they didn't; all I want to do is encrypt their CC# for transmission over the internet.
On the other hand, I don't want stupid warnings popping up on clients' machines, that is just unacceptable.
I think it's a total scam that you should have to either 1) pay or 2) be harassed just because you want to encrypt something.
Just my $.02
Well, that e-mail appears to have worked :-D
Now there's a direct link (not an affiliate one) and no page. Hee hee hee...
Does anyone have an example of a reasonable-sized organization using OpenSSL (perhaps supplemented with extra tools beyond the pathetic perl scripts) to self-sign? Seems like you could do all your intranet stuff that way.
Sorry, I didn't mean to point anyone in the wrong direction, I forgot the exact name and mistyped it in my browser, and it looked correct. I should have checked better. My apologies to all.
Degaussing scares the bad magnetism out of the monitor and fills it with good karma.