Self-Regulating SSL Certificate Authority?
bcg asks: "It has come that time again to renew some of my SSL certificates and part with substantial amounts of cash. This has got me thinking - why should we pay large amounts of cash for authorized certs when so little is done by the companies issuing them? Sure they get you to send them a copy of a business certificate but how does this prove the character of those running the SSL server? What ideas can we come up with for a self-regulating certification authority? Could we set something up along the lines of the many free DNS servers around but use it to authenticate SSL certs?"
We last touched on this subject in October, when someone was searching for cheap SSL certs. We've also discussed why certs are so expensive. Why not take it one step further and discuss ways of making and authenticating our own certs for free...or as close to free as possible?
A certificate lets the client know that the server belongs to an organisation and that that organisation was verified by somebody else.
In a network like the Internet there's no God in a security sense - so we choose to trust people who Verisign trust (and issue certificates to).
It's a pain in the ass to get the certs issued because you have to get your organisation's legal certificates and get authorisation from a senior staff member - but that's a Good Thing because they make sure that you are who you say you are (and are authorised to get a certificate on behalf of your organisation, yadda yadda).
If you have a private network, or have an existing relationship with the end users, who cares? Go to www.openssl.org, download the toolkit and play around with the certs! You'll get a secure channel and not have to pay loads to establish something you already know.
Julian.
Just create your own CA certificate and then write an html page for Netscape and another one for IE so that it loads your CA certificate into the browser's certificate database.
Then use your CA certificate to issue as many certificates as you like. As long as the DN matches the hostname or IP of your HTTPS server, your users' browser will play along happily.
http://sourceforge.net/projects/xca/
http://sourceforge.net/projects/php-ca/
http://sourceforge.net/projects/stealthisca/
http://sourceforge.net/projects/mkcert/
Alas - most of these are in alpha....
It's Christmas every day with BitTorrent.
Comodo issues relatively inexpensive certs that are accepted by most consumer, and even most non-consumer browsers.
FreeSSL also offers inexpensive (though it doesn't quite seem to be free) certs.
They seem to work with Lynx, Mozilla-based browsers, IE... Well. Look at the compatibility list. =]
If you want to be compatible with EVERYONE, you'll have to spend a bit more, but these are good for the majority of e-commerce sites, and intranets/basic sites.
-Sara
You can get free ones from cacert.org.
I use them to SSL enable my website at glasgownet.com and any other stuff I need certs for.
Well worth it.
I have heard this so many times, and it represents a big misunderstanding.
SSL (the idea, not just the certificate) provides assurance of the identity of whom you are doing business with (among other things). If you want to buy something from www.amazon.com, SSL verifies that it is really www.amazon.com that you are dealing with and not someone else.
If www.evilcriminal.com buys an SSL certificate, and you do business with www.evilcriminal.com, why is it the fault of SSL that you chose poorly? This is similar to expecting PGP to verify who your friends are. It is not the fault of SSL, nor is it a valid reason as to why SSL certificates should be free, if you choose to do business with an untrustworthy company.
Now, to truly have an open CA (there is a group trying - http://www.openca.org/) for signing SSL certificates would require a few things:
1. The CA would need to enforce the same level of identity verification that professional CAs do.
2. The CA would need to convince major browsers that it is credible enough to have its root certificate trusted by default. This usually requires an extensive (and very expensive) Certification and Accreditation (C&A) process to make sure the CA is up to par. The ones I have been involved with usually require an amazing amount of documentation demonstrating superb security, expert personnel, and reliable systems.
3. The CA would need funding for the resources (both human and otherwise) required to maintain it.
However, it still seems like an open CA like this would be possible. First, a highly-respected group of people from the community would need to head it up. They would need to be just as diligent and professional as the existing CAs. Then, though I doubt they would have the funding to undergo a C&A (much less pass one), perhaps Mozilla could add their root certificate to its trusted certificate store. Everyone else (users of IE, etc.) could manually trust this root certificate. Instructions could be provided on the CA's Web site for doing this.
Sure, many people would still receive warnings, but there are a lot of us who would be willing to do business with a site that is protected with an SSL certificate issued by this open CA. Some sites (www.thinkgeek.com) have an open source savvy target audience, so these types of sites would benefit the most.
FreeSSL offers free certificates. They confirm by email and an automated phone call. You'll be certified in 10 minutes or less. I found them after reading this article and looking around a bit. Absolutely no problem getting it working. Wish I had known about this sooner.
Yes, they also have non-free certs, but for the life of me I can't figure out the difference. My only question is how they make any money offering free certs and making automated long distance confirmation calls.
Gotta say, it's pretty cool when you press # on your telephone and the web page updates to show you've been confirmed.
Now if only I could figure out a way to get SSL working better with name-based virtual hosting.
- Some browsers do not allow you to click 'yes' at all. Think older IE browsers which simply gave you the "something is wrong" page. It may be a completely valid cert in Mozilla, but with this browser you can't view the page no matter how much you want to.
- If you do get the ssl warning and the option to say "yes", how do you know you're not the victim of a man-in-the-middle attack?
Unless you actually control both endpoints (say you are setting up SSL using Stunnel on machines you run) then self-signed certs are not perfectly secure. Or, if you do verify everything as you should, you have introduced a huge hassle in performing secure SSL. For example the latest version of Blazer for my Palm has no such feature, so I'm screwed.
In order to click "yes" you should verify that the SHA1 and MD5 fingerprints are correct. Do you carry a copy of these around in your wallet so you can use that web page when you're on the road? I didn't think so.
I only wish I had one.
I use so many SSL certs that I became a reseller for InstantSSL. It basically costs $200 and you get the ability to generate all the certificates you want without first providing business licenses. It also costs about $8 less, too. There's also zero turn around time...I get the completed cert immediately. It's *extremely* convenient but it kind of defeats the concept of a trusted source.
My first thought as to what you are buying is that Verisign has dealt with Microsoft and Netscape to make sure their root certificate is in the browser so you don't have to worry about users getting a popup.
What I would like to see (and never will because of profit) is for me to buy an SSL cert, have Verisign or whoever REALLY verify I am who I say I am. Then from my cert be able to generate as many as I need, and so on.
That way, say school.edu could buy a cert, then generate certs for www.school.edu, pop3s.school.edu, otherwww.school.edu, or even generate one for department.school.edu who could then generate one for www.department.school.edu.
After all, aren't they supposed to be about a chain of verification up to the root cert?
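The comments above on running your own CA, checking fingerprints before accepting a certificate, and delegating issuance for a domain can be exercised together with the openssl command-line tool. This is an added example, not part of any post in the thread: it builds a root, a sub-CA restricted to school.edu through the X.509 nameConstraints extension, and two server certificates, then checks which of them validate. The file names, the other.example host and the helper function names are constructed for illustration, and SHA-256 is used for the fingerprint where the thread mentions SHA1 and MD5.

```shell
#!/bin/sh
# Added example; all names are constructed. Requires the openssl CLI.
set -e

# issue_cert NAME ISSUER EXT: new key and certificate with CN=NAME, signed by
# ISSUER (or self-signed when ISSUER is "self"), with extension lines EXT.
issue_cert() {
  printf '%s\n' "$3" > "$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ "$2" = self ]; then signer="-signkey $1.key"
  else signer="-CA $2.pem -CAkey $2.key -CAcreateserial"; fi
  # $signer is unquoted on purpose so it splits into separate options.
  openssl x509 -req -in "$1.csr" $signer -sha256 -days 90 \
    -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# chain_ok LEAF HOST: true if LEAF.pem chains to root.pem through the sub-CA,
# satisfies its name constraints, and is valid for HOST.
chain_ok() {
  openssl verify -CAfile root.pem -untrusted school-ca.pem \
    -verify_hostname "$2" "$1.pem" 2>&1 | grep -q ': OK$'
}

# fingerprint FILE DIGEST: bare upper-case hex digest of the certificate.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint "-$2" | sed 's/^.*=//; s/://g'
}

# pin_matches FILE PIN: compare FILE with a SHA-256 fingerprint that was
# obtained over a separate trusted channel (colons and case are ignored).
pin_matches() {
  pin=$(printf '%s' "$2" | tr -d ': ' | tr a-f A-F)
  [ "$(fingerprint "$1" sha256)" = "$pin" ]
}

cd "$(mktemp -d)"
# Root certificate: the one file users import into their browser.
issue_cert root self 'basicConstraints=critical,CA:TRUE'
# Delegated CA: may issue certificates, but only for names under school.edu.
issue_cert school-ca root 'basicConstraints=critical,CA:TRUE,pathlen:1
nameConstraints=critical,permitted;DNS:school.edu'
issue_cert www.school.edu school-ca 'subjectAltName=DNS:www.school.edu'
issue_cert www.other.example school-ca 'subjectAltName=DNS:www.other.example'

chain_ok www.school.edu www.school.edu && echo "www.school.edu: accepted"
chain_ok www.other.example www.other.example || echo "www.other.example: rejected"
echo "root SHA-256 fingerprint: $(fingerprint root.pem sha256)"
```

The second server certificate carries a valid signature from the sub-CA but names a host outside school.edu, so a verifier that enforces name constraints refuses it.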