Free SSL Certificate Project
An anonymous reader writes "Do you have a website or even run a web server and want to secure the traffic between your visitor's browser and the web site? Did you find out that in order to make your site SSL aware, you'll need an SSL (Secure Sockets Layer) certificate? Are you also surprised to find out that such a certificate can cost you up to a few hundred dollars, valid for one year only? For what, you might ask yourself? Linuxlookup.com is running a small article on free SSL certificates."
Sweet! I've never liked the idea of forking over money so that your site is deemed secure.
I thought the whole point of SSL is that not just anyone could get a cert...
TODO: Something witty here...
Just explain to your customers why your cert isn't registered.
I've always used cacert.org for free SSL certificates. :)
This space is not for rent.
Secure certs are one of the biggest ripoffs known to man. The sad fact is that they really only prove that money was able to change hands. This is way, way overdue.
Dog is my co-pilot.
Are steak-knives included in the article? Here's a tip for the AC. Don't make your post sound like a cheap advert. This is a news aggregator (well, it claims to be anyway). Articles should have summaries in a manner that most respected news-sources use. Not like some used car salesman. And if this is off-topic. Sorry, but I'm discussing all that I can, the article summary. The site's down so I can't read the article itself.
And not just a self-signed one, ev1servers sells a type for $10 that'll work in most browsers.
Anyone CAN get one! All you have to do is pay X amount of money.
Besides, do you really trust people such as Verisign to actively control certs?
It has always seemed strange to me that encryption via SSL and verification of your business identity were rolled into the same system.
I've had a few situations where I wanted to encrypt html and had no need of guaranteeing my server's identity to anyone. It seems like I should be able to encrypt traffic without having to jump through hoops and spend a lot of cash. Or without having a second class certificate.
I hope this new project succeeds.
Like being able to self-issue a certificate is new? Used some random tool that came with MS Office to do it last time I had a use for one, of course that was Office 2K or thereabouts but it's probably still there, and there are probably a lot of other ways to self-issue one. The entire point of the big expensive ones is that you have a "trusted" authority validating the transaction.
SimulatedLucidity.com has been working on something similar to this for a while...
Get OpenSSL and roll your own, any time, any platform... always been that way... and this is news? Some script-kiddy-turned-public-relations-director figured this out? Good for j00. As for everyone else, nothing to see here that we don't already know.
Since the linked article is dying, who knows if you'll be able to even get the link to the real article. So here's your text, AC to keep the whoring in Vegas.
StartCom Free SSL Certificate Project
The Idea:
Do you have a website or even run a web server and want to secure the traffic between your visitor's browser and the web site? Did you find out that in order to make your site SSL aware, you'll need an SSL (Secure Sockets Layer) certificate? Are you also surprised to find out that such a certificate can cost you up to a few hundred dollars, valid for one year only? For what, you might ask yourself?
StartCom Ltd., the vendor and distributor of StartCom Linux Operating Systems, also operates MediaHost(TM), a hosting company specialized in DB and Java web application hosting, and has offered its clients SSL secured web sites with certificates signed by StartCom Ltd for years already. This is where the idea for this project originated: Free SSL certificates!
How?
Most web servers, such as Apache, IIS and others, are capable of running the 128-bit secured and encrypted SSL protocol. All you need, in most cases, is an SSL certificate to make it work. StartCom is going to provide you with this certificate through a simple web based interface wizard and sign up process, free of charge. Together with the installation instructions, you'll have your secured web site running within a few minutes.
Why?
Because we believe that companies like Verisign, Thawte and others just rip you off! Simple as that! Even the so called "Free SSL certificates" offered by some companies aren't free, but can cost you up to US $100 or even more.
More than that, let's think about what SSL is supposed to do: Encrypt and secure the traffic between a browser and the server! Period! It is not supposed to give you the impression that a website is trustworthy, or even say anything about its identity...for this you should use your brain and common sense.* Anybody can get an SSL certificate, and as such it does not give any type of warranty about the intentions, or quality of products, of the website or its owners! We'll prove here that SSL certificates can cost much less or may even be free of charge! If enough people use our certificates and stop buying them, well, then these companies will vanish and we'll all win another piece of freedom!
* We'll offer in the future, some sort of verified SSL certificates, but on this later...
Where, when?
Convinced? We built and tested this web site during February 2005, so you'll be able to get an SSL certificate for free. Use the links below to get your free certificate now! Please spread the word about this project to your friends (by having a link to our web site?). Contact us if you want to contribute. And....spend your money on better things! There are enough good causes to support!
Common sense says, make sure the StartCom CA Certificate is not on any of my machines!
The entire point of using certificates is so that you know that there is a certified binding between a public key and an identity. If you don't know who will receive your encrypted information then there's no point encrypting it in the first place!
$50 per year per certificate. I've had no problems getting them to work with all browsers. Since I can't read the article, are they giving out real authority certs? Ones that your browser won't pop up the window saying it's untrusted?
If not, here is a recipe for free signed certificates:
# Server key (passphrase-protected) and certificate signing request.
# 1024-bit keys were typical in 2005; use 2048 bits or more today.
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
# Your own CA key and self-signed CA certificate
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Sign the server CSR with your CA (this is what mod_ssl's ./sign.sh server.csr does)
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out server.crt
I don't work for them, but I am a customer. ev1servers.net has 128-bit QuickSSL certs for $49. Hardly "hundreds" of dollars.
you can do it yourself if you want, but the user will be prompted with a scary dialog because your self-signed cert doesn't come built into the browser
for encryption this doesn't matter but on an ecommerce site transparent http>https is essential, if a user becomes accustomed to warning dialogs they will learn to ignore them (witness activeX spyware installs)
so signing certs is easy, signing non-prompting certs is why people pay the money
In fact, even mod_ssl has information on how to do so on the site:
http://www.modssl.org/docs/2.6/ssl_faq.html#ToC27
- - - - - Fear not the reaper, but my shiny white teeth.
your website is slashdotted?
/. till you are *really* ready for the action!
Want to run a website with secure connections? Or, want to run a website at all? Then don't publicise it on
enjoy StartCom
It's nice to be able to get free stuff online. I've been known to grab my share of free movies and music from time to time myself, but when it comes to things that are so critical to the security of my servers, I'm a little more careful.
That is not to say that the particular people in the article are crooked -- I'm sure they're on the level. I'm just saying that as this kind of thing becomes popular, you can be sure some computer hackers out there will try to co-opt the good name of services like these so they can give out compromised certificates and steal information from you and your customers.
The bottom line is: When it's free, you just never know. A thousand eyes only get you so far. This is why I tend to stick to software backed by a solid corporate history on my own production servers. It's just not worth the risk to skimp on costs when the fact is your entire business is on the line there.
You just have to know who you're dealing with when you get into this kind of thing. Are you dealing with someone honest or are you dealing with some sort of shady basement operation that moved to Canada to avoid cryptography laws? When mission critical information is at stake, this stuff counts.
A Proud Member of the Reality Oriented Community.
Put an Open in front of your SSL problem
Voila
Technology Consulting & Free Downloads
When you finally get to the site that is offering the certs (http://cert.startcom.org/) all you find is bad grammar and certs that aren't recognized by any browser (i.e. warnings pop up). It's admirable that the site wants to issue free certificates, but you won't find many surfers willing to trust them. Also, you can create your own certs with minimal effort, and you'll end up with the same thing.
Personally I think the government would be well suited to do this sort of thing. Maybe provide them when you get a driver's license or a business license. It's not like it takes massive amounts of money to see if you really are who you say you are. And why the expiration dates (well, of course, they're another way to screw people out of $$, but what's the certificate providers' excuse/reason for them)?
Every time you post an article on Slashdot, I kill a server. Think of the servers!
In practice the ID checks that I've seen done are fairly flimsy. And with "hundreds" of dollars being charged by big name certifying authorities there is strong motivation for them to just give you the cert (and take your money) once you've faxed them a couple of vaguely official looking signed bits of paper.
Anyone paying "hundreds" of bucks for a certificate is being scammed though. Much cheaper ones are available from people like GoDaddy. I can't see why anyone wouldn't just go for the $29 one, your users won't notice any difference between them unless they are particularly inquisitive and enjoy poking around obscure browser dialogues.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
I ask myself: "How did I get here?" And then I ask myself: "Where is that beautiful house? Where is that beautiful wife?"
sulli
RTFJ.
You do not *have* to buy or obtain a certificate from anyone else in order to set up an SSL website. You can be your own certification authority. I think this can be done with OpenSSL. If memory serves me, this may mean users will get more warning messages when they visit your site, however.
IIRC, the certificates point to a certificate issuing authority whose keys you have configured in your browser. Most browsers have keys preinstalled so most people aren't aware of it. You're only supposed to use certificate authorities you trust. If you roll your own keys everyone will get those popup security warnings from their browser and you will annoy everyone.
I would not give those sco lovin hussies a penny of my money..
Got Code?
If you read what you pay for you will find that the company issuing the certificate insures your transactions. So if someone breaks the SSL encryption you will get paid. It was just a simplification.
The only person who is capable of killing my karma, is me, do not even try to help me.
https://www.cacert.org/
which makes it about as valuable/useful as the price they charge ($0)
people/biz pay the money so their customers are NOT prompted, i can sign my own certs (in about 5 lines of bash) if i don't care about the user getting dialogs
hmm, it seems maybe they should have written about MySQL Connections... ;)
Here's what I do: Bitty Browser & Andromeda
The point is that someone gives you a very large prime number, and they stand behind the claim that it's not some string of digits they pulled out of their ass.
If VeriSign certs are breakable, you have some sort of guarantee/insurance (or at least you should, which is a different issue), but who cares if the guy who gave you a "certificate" turns out to have been an asshat?
WARNING: DO NOT LET DR. MARIO TOUCH YOUR GENITALS. HE IS NOT A REAL DOCTOR.
Having an internet presence is critical to running a successful business venture. Also, the creation of a truly international digital economy necessitates the development of a trusted method of identity establishment. Especially in these days of questionable computer security and the impossibility of ascertaining identity from IP. Reliable certification is vital to the development of the internet economy.
However, the centralization of certification among a few organizations and their cost is shutting out smaller enterprises that don't have access to the fees or technology required. In effect, this institutes a kind of "information segregation" or isolationism that has the effect of a barrier to poorer nations - such as Nigeria or Rwanda - to the internet commerce that is so critical to the economy of the future.
As such, I believe the best scenario is free certification provided by ICANN that can certify pages from poorer nations, so they can compete on an even playing field with the wealthier nations. Giving out free certifications - one per IP address at least - is the best way to accomplish this, and will allow for confident and secure transmission of funds and information.
cacert.org is doing everything these guys are, and then some. cacert.org is free, but with a much higher level of personal confidence than Verisign, Thawte, or any others that I know of.
Additionally, with cacert.org, you are able to get more than just server certs and keys.
"Individuals are smart, people are stupid" -- Tommy Lee Jones as "K" from Men In Black
SSL server certificates usually only need to assure of one thing: that the owner of the certificate is the same as the person in control of the domain. Everything else really is for the purpose of justifying the salaries of people who work with Certificate Authorities, really
I think this is a nice effort but will be pretty useless. We need a known and trustable organization doing this, or a coordinated effort between many organizations. To be a success we need the certificate of the "Certification Authority" installed by default in all browsers. Without that certificate installed, we will have cryptic messages appearing on all our users' screens .... and we don't want that. Once a trustable CA is established, organizations and companies such as Mozilla, Opera or Apple may be ready to install the certificate of this new organization in their browsers. And the result would finally be a useful CA.
"We all know Linux is great...it does infinite loops in 5 seconds." -- Linus
Did you find out, that in order to make your site SSL aware, you'll need a SSL (Secure Sockets Layer) certificate?
WTF is "SSL aware"?
I have had no problem creating and using self signed certs with SSL.
--fatboy
Think about this for a minute... The purpose of SSL is not to secure data during transport, it is to secure data during transport AND to verify to the sender that the receiver is who they claim to be.
Without identity verification there is NO POINT in encryption for most usages.
The point is to make the person who is submitting their credit card number reasonably secure in the knowledge that they are sending it to who they think they are. This cannot happen without identity verification.
- sigs are stupid
Warning: Too many connections in /var/www/pnadodb/drivers/adodb-mysql.inc.php on line 108
Warning: MySQL Connection Failed: Too many connections in /var/www/pnadodb/drivers/adodb-mysql.inc.php on line 108
mysql://LinuxLookup:@localhost/Rogue failed to connectToo many connections
LOL, classic
the only permanence in existence, is the impermanence of existence.
Windows in 6 Bytes (IA-32) : 90 90 90 90 CD 19
I'm using it as (loosely) 'reboot'
So that's roughly:
Windows in 6 Bytes (IA-32): Do nothing then reboot.
Any host worth their salt lets their users take advantage of their cert for free included in the host cost..if you run your own web server then yeah, you SHOULD pay..they do.
Here's google's cache of the front page that we beautifully slashdotted. Also, on a related note, many companies offer free SSL certificates if you do a little business with them. Ever-popular GoDaddy recently joined the ranks of those companies. They started offering free SSL certs to open-source projects.
Does anyone even know what a man in the middle attack is anymore? Without certificates (or with easy to acquire certificates) we don't have a way to ensure that someone isn't spying on the encrypted traffic. This service will allow me to register a certificate that looks "just like" the one you expect to get from www.usemycreditcard.com and intercept your confidential details by presenting a key signed with that certificate to your browser. This is already happening with Verisign certificates, a case of them not doing their job, and now StartCom want to make it easier? I guess it doesn't really matter as the vast majority of people are too damn stupid to examine a certificate to ensure it is correct anyways.
How we know is more important than what we know.
Ahhh yes, not the preferred method of rebooting =D
For what, you might ask yourself?
A large part of a certificate is having your identity verified with the issuing organization, not just the technical ability to communicate via SSL.
I've also seen a lots of posts from people saying that you can generate a self-signed cert for free. The problem with these self-signed certs is that you get a pop-up from your browser warning you that the cert isn't trusted.
It appears to me that cert.startcom.org is trying to do something different: They are handing out certs with them as the root authority and giving information about how to install their cert as acceptable by your browser. If enough people do this, then major browsers will "have" to start including startcom.org's certs in their distributions. Until that happens, you still get a reduced number of cert pop-ups because many different websites will be using the same "non standard" cert authority.
You will get all the cheapness of self-signed certs with all the security of a cert from verislime or thawte. After all, the only real security with regular certs is that the traffic between your browser and the website is encrypted.
SPF support for most open source mail servers can be found at libspf2.
For a (partial) list of the design and implementation problems that interfere with certificates actually solving the problem, check out Peter Gutmann's scathing critique of X.509-based PKI.
But of course, before any website is published, it should be able to cope with the /. effect. How sane! Try to understand that certain links put out on slashdot were not planned by the website owners.
Anyone can make a certificate, hell you can make one yourself. The whole point of issuing certificates is about delegating trust. Verisign, Thawte, etc are trusted. Some company that gives it out for free without any sort of checking is not.
did you forget to take your meds?
http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
You can easily create a certificate yourself with other OS and programs too, as others have noted.
Warning: Too many connections in /var/www/pnadodb/drivers/adodb-mysql.inc.php on line 108
Really great article...
Go Daddy.com recently announced they were offering free SSL certificates for Open Source Projects:
Go Daddy.com
I have been using self-signed SSL certificates for twelve years and I have yet to see any significant (i.e. higher than 0.01%) number of people who reject them when warned by their browsers. So I just stopped paying for them and saved a fortune. And they really cost a fortune back then, now they cost pennies in comparison but even fewer people bother verifying them today, so it is in fact even more pointless to pay for them (rejected percentage to price ratio is even lower). Let's face it, the whole idea of selling integers was a scam from the beginning. Do we have to pay for our SSH keys? Or GPG keys? Of course not! But HTTPS is an "e-commerce" protocol so it is somehow justified to pay for the privilege of using certain integers. This is just a legacy of the dot-com era when everything "e-lectronic" was worth millions and everyone was happy to pay for it because it was a sure way to earn millions. Now it is just silly.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
You post your public key in your DNS record. DNS already maintains an identity system.
The trick with DK is to get the browsers to fetch the site's public key from the DNS record (it has to do the DNS query anyway) and use that in the handshaking.
Yes, there is the potential for someone to hijack the site, but that is getting more difficult. And, DK would be a free add-on to the DNS stuff you have to do anyway.
The guys who have "Root CA" as the organization name in their cert? They can't even get their own damn name right; no way in hell am I letting them vouch for mine!
keep the whoring in Vegas.
man I just got back from my first trip to vegas. I asked tons of people where to find good strippers but nobody on the main strip knew anything. so WHERE ARE THE STRIPPERS in vegas?? i thought the whores were all over the place. what a ripoff
SSL is totally overhyped. What would be much more important is a general encryption mechanism for websites. Since HTTP is not a natively encrypted protocol at the moment increased security and anonymity can only be achieved using software like Tor: http://tor.eff.org
Usually SSL websites are used with people who have continuing relationships, such as businesses, confidential email, and so on. They are used less frequently with one-time visitors. That said, it still leaves a large hole for new visitors to fall into.
Reminds me of one time back in HS. We didn't like our CS teacher and for our final project in C every student put a call to INT 19 at the end of their code, so when she was through running and grading our program it'd reset her computer. I don't think she ever figured it out.
------
"And may your days be long upon the earth."
I just got a browser-accepted 1 year cert for $9.95. It was a deal through my server host (The Planet), it's $49 retail. This is still peanuts compared to the $349 my employer insists on paying for certs from Verisign.
It's worth staying away from people who put asterisks by their own spelling mistakes!
Author, Shell Scripting : Expert Re
...If you are doing it for an OpenSource project: https://www.godaddy.com/gdshop/ssl/ssl_opensource.asp
Not to mention, it's the cheapest SSL cert I know of at $30/year.
Yes, I am a smart ass; it's better than the alternative.
Warning: Too many connections in /var/www/pnadodb/drivers/adodb-mysql.inc.php on line 108
Once again someone decides to use mysql_pconnect without really understanding what it does. That function should have red flashing warning light all over it in the PHP docs.
:wq
I'm more than happy to pay a few hundred dollars to protect hundreds of thousands going through my web site. When you're protecting a large sum of money, it's probably not the best idea to base a decision simply on what is cheapest. A few hundred to protect hundreds of thousands is worth it in my book.
if you speak german, there is an interesting article about the consequences of giving a certificate without authenticating the requesting person: http://www.heise.de/newsticker/meldung/56750/
basically they say - since "startcom.org" gives ssl certs even for 3rd party websites - any user installing their CA certificate is vulnerable to man-in-the-middle attacks. this could be interesting for phishing websites; with this kind of certificates they would look even more authentic to the victims.
therefore - if you don't want to spend the money for a verisign/thawte/...cert - I see no point in _not_ using a (openssl) self signed cert
Many fine, relevant comments have already been made in this thread. But I didn't see anyone point out the downside of free SSL certificates: free phishing sites!
Yes, it's possible to freely self-sign certificates to get encryption. I run my own certificate authority for encrypting traffic among my clients, if they aren't conducting e-commerce. These self-signed certificates work fine without triggering a browser warning--if you import the certificate authority certificate.
For my public/e-commerce sites, I use FreeSSL, at $35/year. This buys me a blessing from a CA that is pre-installed in over 95% of all browsers in use. What's not covered? Konqueror. Curl. I think Safari, though I haven't checked recently. For my clients who want those to work, I suggest spending the ~$120 or so for a Geotrust cert.
Now, imagine if every spammer in the world could get an SSL certificate for free... Already domains are cheap enough that they can set them up to easily spoof real web sites--banks, etc. Imagine if every one of those had an SSL certificate, and didn't trigger a browser warning? Most people I know look for the lock. If the lock is there, they trust the site. They don't actually look at the certificate, or even the URL much.
For this reason alone, I'm glad certs aren't free. You can do encryption for free, but I'd prefer my browser to at least let me know the site I'm visiting is too cheap to buy a real cert. (that's not meant as a slam, since I'm too cheap to buy one for most of my sites...).
Cheers,
Freelock Computing
Open Source Solutions for Small Business Problems
You can create your own SSL Certificate, however whoever visits your server must choose to accept it. Just because it isn't "Certified" doesn't mean that your site is insecure.
CA Cert has been doing this for a while now as mentioned in this slashdot article.
The GoDaddy certs are compatible with pretty much every browser in use today....
Internet Explorer 5.01 and higher
AOL 5 and higher
Netscape 4.7 and higher
Opera 7.5 and higher.
Safari on Mac OS X 10.3.4 or higher
Mozilla (all versions)
Firefox (all versions)
Anyone, who can't figure out that "asm("int 19");" doesn't belong at the end main(...), shouldn't be teaching CS. lol.
Makecert.exe comes with VS.NET Pro and a standalone is also available from Microsoft's site or in the older Authenticode for Internet Explorer 5.0 & Authenticode for DEC Alpha - Internet Explorer 5.0
More information about the app is here and here.
The whole (except for the last sentence) blurb from this story was taken word for word from StartCom...
Are people really so childish to believe that there is no relationship between big software manufacturers and the big profit-producing cert authorities? Try to use even a mid-tier (I am not even getting to the free ones) authority, like Thawte, and let me know if you will ever get the Jinitiator client in Oracle 9i working without manually redistributing a new cert file to all clients ... what you end up doing is paying Verisign a few more thousands, for all the servers, to avoid paying the admins tens of thousands to customize clients, distributions and updates ...
== With enough Will Power, one could move mountains. With enough Brains, one would just leave them where they are ==
Well if you're going to bash them at least explain why they shouldn't be using pconnect!
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
I wish SSL would be broken into two separate entities... Encryption and Verification.
I would absolutely love to have every single domain's web and email encrypted with SSL but I don't because of the cost involved. (Even at cheap rates it adds up with enough quantity.)
The advantage being that passwords wouldn't be sent across the internet or the lan on either side in plain text.
I would just self-sign everything but I haven't figured out how to permanently keep IE and OE from popping up warnings every single time.
Yep, cacert.org is probably the best there is, for ssl certs. Not only do they check two ids, but even if you can fake a driver's license and passport, you'd have to slip your forged credentials by multiple people in order to get enough points. It's hard to imagine that some nameless drone who handles a hundred certs a day at a faceless corporation, would be as careful as people who meet you face-to-face and whose personal reputations are on the line.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I told ya there is no such thing as a free lunch. They wanted to offer free SSL certificates, now they are having 'Too many SQL connections'. Maybe they should reconsider their decision and make it paid after all to buy more bandwidth.
went down like a kamikaze.
AFAIK, prostitution is illegal in Vegas. Have to hit the burbs.
We issue SSL Certificates with prices a good deal less than hundreds upon hundreds of dollars. Our certificates are issued with a root that already exists in browsers, and we do ID verification (but remain flexible - we will issue certificates to both corporations and natural persons, i.e. people). In terms of keeping the encryption meaningful, using a self-signed certificate doesn't cut it - it makes it trivial for the right person to perform a man-in-the-middle attack.
As much as I'd love to say otherwise, the SSL business is actually quite competitive these days -- the days of a 128-bit certificate costing at least $895 are long gone.
SSL Certificate
Let's suppose you take your PC to a coffee shop and want to read your stock-r-us.com stock portfolio...
...even though there are already PLENTY of free certificate providers out there today, stocks-r-us has to pay big big bucks to one of a few certificate agencies. There's absolutely, positively, no way around this currently, for complex reasons that are hard to explain briefly, but I'll give it a shot...
First of all, there are two things, at the minimum, you need to talk to stocks-r-us over the internet securely from a coffee shop:
1. An encrypted communication channel (this is handled by public key and symmetric key encryption protocols)
2. A guarantee that the person you are talking to over the 'net really is stocks-r-us and not an impostor.
All this fancy talk in this slashdot story involves this second step in this process... so how can you get this no-impostor guarantee? Well, the most basic way would be to ask stocks-r-us a secret question only they could answer, sort of like a "secret handshake". An SSL certificate is simply a "secret handshake". (well, not so simply, but just accept this idea for now...) So in order to make sure the company you're talking to over the 'net is your stocks-r-us, you check to see if they know the stocks-r-us secret handshake. Problem solved...
...or not: This works fine if YOU know how to recognize the stocks-r-us secret handshake, but, for technical reasons, this is only possible if your computer and stocks-r-us have chatted in the past (i.e. you've used your computer before to check your stocks). If not, there's no way you can get the jimmy on how to tell a genuine stocks-r-us secret handshake.
This is where a certificate authority comes in: You can get a third person (whose handshake you do know) to give you stocks-r-us' secret handshake. There are many many organizations that offer free (or not free) services to act as this third person (i.e. as a "CA"). So stocks-r-us can just sign up with one of these companies to give them the secret handshake info. Problem solved...
...or not: The user has to already know the handshake of the CA ahead of time for this to work, or the proverbial "house of cards" will just fall apart anyway... How can they be sure you already have the "secret handshake" of this third person/CA?
Well, the answer is pretty goofy... the "handshake" of the CA has to be "hardwired" into every copy of Firefox/Internetexplorer/Safari/etc when it is installed. If you go to the settings of your browser, you'll see a list of CAs already placed in by Microsoft/Apple/Mozilla/etc right out of the box! That's the only way this could work...
...so you might be wondering: Don't the CA companies in this initial list of built-in handshakes have some kind of monopoly/oligopoly? The answer, of course, is YES: These special CAs charge monopoly-style prices for their services for this very reason. The point of this slashdot article is that a non-profit group wants to somehow make Microsoft/Apple/Mozilla/etc put it in this super-duper "handshake" list, but it promises it won't charge big bucks to everyone who wants to use them as their third party.
(I'm no expert on this, so any experts are welcome to reply to my post to make any corrections if there are any errors of substance...)
Speaking on behalf of a company forced to purchase a certificate from a recognized issuing authority, I can say that the main issue involved was the need to have the certificate automatically trusted w/o needing to install additional trusted roots. Sure, in a windows domain we can deploy our own root to our clients, but we were looking at problems outside our organization.
1) Exchange RPC over HTTPS - Outlook 2003 does have this support, but it won't work if it does not trust the certificate of the server. And if you don't have admin rights, you can't add that trust. Specifically, RPC over HTTP was designed for use outside of the organization, so it does make things harder if you need admin access over a box in a partner's organization (it's either that or use OWA, which we all hate in general).
2) Mobile devices and Handhelds. Windows isn't the only system that comes preconfigured with certain trusted root authorities. Mobile devices are a pain in that some of them can't even be configured with additional trusted roots.
3) We experience a significant slowdown when we require our users to temporarily accept certificates for a web session. I'm not sure why myself, actually.
In the end, we just bit the bullet and bought ourselves one from Entrust.
Starbucks, Harbuckle of Breath.
This is either a really lame site that displays various error conditions or another reason to use MySQL; Verbose Exceptions: Warning: Too many connections in /var/www/pnadodb/drivers/adodb-mysql.inc.php on line 108
Warning: MySQL Connection Failed: Too many connections in /var/www/pnadodb/drivers/adodb-mysql.inc.php on line 108
mysql://LinuxLookup:@localhost/Rogue failed to connectToo many connections
I guess I could ask Valueweb to install it for me, but they sell their own Thawte or Geotrust SSL certs. For $160 a year. Think they'll install my free cert for free? (I honestly don't know)
Try InstantSSL. We use these across our medium sized server farm at work with no issues.
Um, no. Let's *really* think about what SSL is supposed to do: it is supposed to allow you to communicate to (for example) PayPal through routers controlled by (for example) an evil mastermind, but ensure that the evil mastermind can't read or modify your data, even though he is the one delivering it back and forth. The evil mastermind ends up with a complete transcript of your conversation (including the part where you send encryption keys back and forth), but he can't read any of it. Pretty cool actually. It is rather surprising (to me at least) that this is even possible.
However, without verification of identity, the whole scheme falls apart. Sure, you can still establish an encrypted connection, to somebody. But you don't know who! You could have just established an encrypted connection with the evil mastermind, who has programmed his routers to deliver your packets to him instead of PayPal. The encryption doesn't help so much when you send your enemies the key! If the evil mastermind is really clever, he will then establish a second encrypted connection to PayPal, and send your data through it. Now he can read your entire conversation with PayPal, just as if you weren't using any encryption at all, and you are no better off.
This is your basic "man-in-the-middle" attack, which everybody who has ever learned anything about security should know. I feel stupid even explaining it here (you knew this right? good), but apparently these guys haven't heard of it.
That's why SSL's identity verification is critical, not useless, and why VeriSign gets paid the money they do. Sure you can get your certs signed by Joe Blow for free. But if anybody can get a cert signed by Joe Blow (perhaps after a little bribe, say $1,000,000; chump change compared to how much organized crime could steal with a key to a large commerce site) then your cert is basically worthless, even for "only" encrypting traffic.
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
they do nothing. For once, if the government had a CA authority and actually issued SSLs to companies that are registered with them, it would help. When you register for DBA (Doing Business As) or file articles of incorporation, they should be the ones to issue the certificates as they are the most qualified to judge authenticity and do ID checks. Isn't that the reason why we file these things with the government and NOT Verisign?
/ personal/index.html
This is the one place the government DOES need to be a part of, and yet they do not. Government in all the wrong places.... go figure.
Or when people WANT to be verified online, then the government should be the ones issuing the certificates. When a person says they are Joe Smith, which type of ID do you believe more? An ID issued by some company or a government issued driver's license/ID?
The government actually should have a Certification Authority freely (or some nominal fee) available to its citizens.
See, proper government involvement: http://www.hongkongpost.gov.hk/product/ecert/type
> If you can't afford a $200US/year fee for conducting "secure" business online, I probably wouldn't want to do business with you anyway.
It's not the money. Learn something about the issue before making idiotic remarks.
"Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure" By Carl Ellison and Bruce Schneier
http://www.schneier.com/paper-pki.html
Peter Gutmann's PKI Tutorial: "Everything you Never Wanted to Know about PKI but were Forced to Find Out"
http://www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf
We've had free certificates (OCES, SSL, whatever) here in Denmark for years. It's a project initiated by the government and the largest telecom here, TDC.
We can even use it to pay our taxes! Yay!
According to this article on heise.de, StartCom generates the SSL certificate you order on their server, signs it, and sends it to you.
How do I know that they don't keep a copy of the cert for their own use? They could impersonate my server any time with this.
"Oh, a lesson in not changing history from Mr I'm-my-own-Grandpa." - Dr Hubert Farnsworth
Any OS that lets any random user interrupt the CPU shouldn't... uh... be teaching CS. lol.
My other car is first.
Eg, do the most common browsers trust this cert issuer's CA cert? If not, then you might as well just go with a self-signed cert - either way your visitors are going to get a 'big scary warning' from their browser. For securing your *own* access, to your *own* server/site, then a self-signed works just fine, you just have to add it to your browser's trust list the first time.
If you're in some random coffee shop, you have no idea what CAs they've installed in the browser. You can't check them either: fakes can look exactly like real ones on somebody else's computer.
Maybe you trust the coffee shop owner?
Fine, but are you sure they don't have a virus or malware on there changing the browser CAs?
If you want a real secret handshake, you need to take some piece of your own key-verification hardware in which contains the CAs that you trust.
-- Jamie
What nobody realizes is that certificates only actually solve a very small problem. They prove that a person is who they say they are. It's like picking up a hitchhiker because they've shown you their driver's license. The fact that they can prove who they are says nothing about the safety of actually letting the person into your car. Certificates provide a false sense of security, by making people think it's ok to install such-and-such active-x control, because it's signed. It doesn't matter if you can track down the person who created it once your data is all gone. Tracking the person down isn't going to get your data back.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Under which certificate authority are GoDaddy certs issued? I don't see any GoDaddy listing in the default CA entries in Firefox or IE 6.x.
GreyPoopon
--
Why is it I can write insightful comments but can't come up with a clever signature?
I was going to actually RTFA, but TFWS is slashdotted....
What I always wonder about, when free CAs are discussed, is: where does the CA get the myriabucks it costs to get a CA certificate distributed with a popular browser? A cert. signed by no one my browser ever heard of does not inspire a whole lotta confidence. I can go to the CA's site and get its cert., but...a self-signed cert. tells you *nothing*.
Having said that, I should also say that I have my own little CA here on my desktop, and I use it to coin cert.s for internal use. That sort of use makes sense, because anybody who needs to can come ask me about my CA and receive a hand-delivered copy of its cert. if he (wisely) so wishes.
But how does a CA become trusted when most of the world will never find it practical to visit in person? The browser vendors are the primary trusted introducers for the vast majority of users.
Well, like the German IT magazine Heise reports, the new StartCom is really insecure because of the point that Heise was able to get certificates for any desired site with falsified owner 'information'.
And StartCom doesn't let you generate your private key by yourself - they generate it for you and send it via SSL web to you, so one doesn't know if they perhaps keep a copy of your private key.
After having read this I surely will not accept any SSL certificate from StartCom - I would rather accept a certificate from a private person.
I lag
create directory "con" /con/con.exe
create zero-byte-file "con.exe" in directory "con"
You WILL have to reboot...8p
Not the best way, true, but in IT it's the result that counts 8)
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
What I wanna know is, how can I encrypt my email without paying for a certificate?
(Of course without having to do encryption/decryption manually. It should be seamless and automatic)
What you pay for with Verisign is the legal protection in case of theft, fraud etc up to $250K
:-)
Check http://www.verisign.com/repository/netsure/
I read most of the comments in this thread I think that everyone is missing the point why people get Verisign certificates. It's not just a string of automatically generated random characters, there's a huge insurance company and an army of lawyers behind it.
The cheap certificates do not have that kind of legal protection, and last time I checked CAcert.org does not offer any kind of protection at all
It's at ev1servers.net.
$10/year (limited time, was $5 ~3 months ago), issued by freessl.com. Browser recognition is fairly good: IE >= 5.01, Netscape >= 7, Opera >= 7.53, Konqueror too (and thus Safari I assume, versions unknown).
It'd be asm("int 0x19"), and anyway, you can just replace the RETF opcode at the end of the main function with CD19 and you're good to go.
LRC, the best-read libertarian site on the web
Before you start criticizing, you should really read the posts and understand the point.
I said that because:
1. By using a self-generated SSL certificate, your users will see a browser warning.
2. Using a certificate from a "Trusted CA" - that is, one that is already approved by your OS/browser by default, will not display a warning.
3. If you have a site without SSL, I won't send you any sensitive information. I understand the other weaknesses in the system, but this is such a basic step to take.
4. There are many steps to take in creating a secure e-commerce transaction. Unfortunately, we can't see or check most of those steps. We definitely can check if the connection is secure via SSL. I believe a company that's willing to take that step is more likely to be concerned about security and privacy than a company that doesn't.
I expect SSL to do one thing - encrypt the communication between my computer and the server. After that, I have to trust the receiving site owner to be smart and ethical enough to provide security measures on their side. I have to trust the credit card company to protect my account from fraud. I have to trust the CA to have checked out the certificate holder and verified that they are, indeed, a legal entity that can be held accountable. All of these things add up to trust - if you don't trust the other party, then you shouldn't be doing business with them.
Which brings me back to my original statement - if the company doesn't have an SSL certificate, can you really trust them to provide security on any level?
If you want to secure your traffic sign the certificate yourself. Once the first-time-visitor adds it to his repository, it's as good as signed. And it's secure communication
OTOH, if you want to prevent dephasing and other attacks, yes, you may want an official CA.
But nobody can guarantee me what kind of man is the owner of the signed certificate. No CA in the world. He can be evil, but more likely he can be plain stupid and allow the private key to be copied by some means.
gtkaml.org
The version they are running is vulnerable to several phpBB vulns including the ability to read arbitrary files. Funny for a site that is supposed to be secure and issue certs.
You can also see it from Microsoft's point of view: "Hello, Microsoft, we are some people that want to authenticate other people and we need you to authenticate you. You may have not heard about us, or maybe you have and you know we have no real money that could be used to pay for liabilities if we do the things wrong, but wouldn't it be good for you to have that new security hole on your OS? And yes, we may be good guys today, but tomorrow maybe we'll have left the project and the certificates will be in who knows what hands."
I do not mean that some money doesn't help, but there are other reasons here too...
Why can't
main:
pushl %ebp
movl %esp, %ebp
subl $8, %esp
andl $-16, %esp
movl $0, %eax
subl %eax, %esp
leave
ret
:-). Same goes for int $0x19, unless you like segfaults :-).
Retf? Get with the aughts
ABBRACADDABRA THE SLASHDOT LAMENESS FILTER SUCKS ABBRACADDABRA
How do you convince Joe TinFoilHat User that the Thawte/Verisign CA is safe?
Karma: It's all a bunch of tree-huggin' hippy crap!
IPSCA issue certs free to educational and non-profit orgs.
I've used them and they seem ok.
Not the best browser support though.
I seem to recall that the OpenSSL toolkit has the tools necessary to create certificates. Or did I miss something about making and using certs?
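It does. As an added example (not from any post in this thread, and not a project's own code), the shell functions below use the openssl command line to stand up a throwaway private CA of the kind the "little CA on my desktop" post describes, issue a certificate for a constructed hostname (stocks-r-us.example), and then check it against a trusted and an unknown CA, which is the "hardwired handshake" problem the coffee-shop explanation earlier in the thread walks through. The CA names, the hostname and the config file are constructed for the example; the CA only ever receives a signing request, so the server's private key never leaves the requester's machine.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway private CA built with the openssl CLI,
# showing that the same server cert is rejected or accepted purely on which CA is trusted.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config (constructed) so the example does not depend on the system openssl.cnf.
# The v3_ca section marks the self-signed cert as a CA, which "openssl verify" requires.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF

# Create a self-signed CA. In the browser analogy this is the "hardwired handshake":
# a verifier trusts it only if the CA cert was put into its trust list ahead of time.
make_ca() {  # $1 = CA name (constructed)
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a server certificate. The server generates its own key and hands the CA only
# a certificate signing request (CSR), so the CA never has to see the private key.
issue_leaf() {  # $1 = CA name, $2 = hostname (constructed)
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 30 \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" 2>/dev/null
}

# Check a server cert against one trusted CA, the way a browser does with its built-in
# list. Prints "ok" when the chain closes and "untrusted" when it does not.
verify_leaf() {  # $1 = trusted CA name, $2 = hostname
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted
  fi
}

# Stand-alone demo: one cert, two verifiers with different trust lists.
make_ca trusted-ca
make_ca unknown-ca
issue_leaf trusted-ca stocks-r-us.example
echo "trusted CA:  $(verify_leaf trusted-ca stocks-r-us.example)"
echo "unknown CA:  $(verify_leaf unknown-ca stocks-r-us.example)"
```

The "untrusted" result is exactly the condition behind the browser's "big scary warning": the certificate is valid and correctly signed, but by a CA the verifier was never told about.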
Hmmmm
We were talking about DOS programming. Where else would you use INT 19? :) Well, I guess you could use the GNU assembler under DOS, but ....
LRC, the best-read libertarian site on the web
CACert.org has been providing free SSL certificates for well over a year. The one problem I perpetually find in the "free" and "open source" community is that everyone wants to reinvent the wheel, over and over and over again.
If things get better with age, then I am approaching magnificence.
Valicert certificates are in Firefox 1.0.1 (and I'd bet in Mozilla too). I just looked and also tested at https://www.godaddy.com/
Boffoonery - downloadable Comedy Benefit for Bletchley Park