Free SSL Certificate Project

An anonymous reader writes "Do you have a website or run even a web server and want to secure the traffic between your visitors browser and the web site? Did you find out, that in order to make your site SSL aware, you'll need a SSL (Secure Sockets Layer) certificate? Are you also surprised to find out that such a certificate can cost you up to a few hundred dollars, valid for one year only? For what, you might ask yourself? Linuxlookup.com is running a small article on free SSL certificates."

cacert.org

[TypoNAM]

I've always used cacert.org for free SSL certificate s. :)

Re:cacert.org

[IchBinEinPenguin]

This mob will run into the same problems as CaCERT: convincing browser distributeers to include their root certificate.
(Hello Microsoft, We're a communist OpenSource project trying to educate netizens that they don't have to fork out gazzillions of dollars to big corporations use the Web. Would you mind helping us by including our root certificate with IE? Hello? Did we get cut off?)
Without that, the cert is not much better than a self-signed one.

Free.. Free.. FREE!

[humankind]

Get OpenSSL and roll your own, any time, any platform... always been that way... and this is news? Some script-kiddy-turned-public-relations-director figured this out? Good for j00. As for everyone else, nothing to see here that we don't already know.

Text of linked article from ... linked article...

Since the linked article is dying, who knows if you'll be able to even get the link to the real article. So here's your text, AC to keep the whoring in Vegas.

StartCom Free SSL Certificate Project

StartCom Free SSL Certificate Project The Idea:

Do you have a website or run even a web server and want to secure the traffic between your visitors browser and the web site? Did you find out, that in order to make your site SSL aware, you'll need a SSL (Secure Sockets Layer) certificate? Are you also surprised to find out that such a certificate can cost you up to a few hundred dollars, valid for one year only? For what, you might ask yourself?

StartCom Ltd., the vendor and distributor of StartCom Linux Operating Systems, operates also MediaHost(TM), a hosting company specialized in DB and Java web application hosting and offers its clients SSL secured web sites with certificates signed by StartCom Ltd already for years. Here is, where the idea for this project originated: Free SSL certificates!

How?

Most web servers, such as Apache, IIS and others are capable of running the 128-bit secured and encrypted SSL protocol. All you need, in most cases, is a SSL certificate to make it work. StartCom is going to provide you with this certificate through a simple web based interface wizard and sign up process free of charge. Together with the installation instructions, you'll have your secured web site running within a few minutes.

Why?

Because we believe, that companies like Verisign, Thawte and others, just rip you off your money! Simply as that! Even the so called "Free SSL certificates" offered by some companies aren't free, but can cost you up to a US $ 100 or even more.

More than that, lets think about, what SSL is supposed to do: Encrypt and secure the traffic between a browser and the server! Point! It is not supposed to give you the impression, that a website is trustworthy or even say anything about its identity...for this you should use your brain and common sence.* Anybody can get a SSL certificate and as such does not give any type of warranty about the intensions, or quality of products, of the website or its owners! We'll prove here, that SSL certificates can cost much less or may be even free of charge! If enough people are using our certificates and stop buying them, well, than the existence of these companies will vanish and we'll all win another piece of freedom!

* We'll offer in the future, some sort of verified SSL certificates, but on this later...

Where, when?

Convinced? We build and tested this web site during February 2005, so you'll be able to get a SSL certificate for free. Use the links below to get your free certificate now! Please spread the word about this project to your friends (by having a link to our web site?). Contact us, if you want to contribute. And....spend your money on better things! There are enough good causes to support!

comodo.com

[Neil+Blender]

$50 per year per certificate. I've had no problems getting them to work with all browsers. Since I can't read the article, are they giving out real authority certs? Ones that your browser won't pop up the window saying it's untrusted?

If not, here is a recipe for free signed certificates:
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

./sign.sh server.csr

Re:Well....

[glwtta]

How does that make sense? Anyone can get one, the point is that you should be able to match up the certificate to its owner, with some degree of certainty.

And getting one isn't the issue at all - you can generate as many as you want yourself - it's getting one that means something that's the issue.

Woweee

[TheVidiot]

When you finally get to the site that is offering the certs (http://cert.startcom.org/) all you find is bad grammar and certs that aren't recognized by any browser (i.e. warnings pop up). It's admirable that the site wants to issue free certificates, but you won't find many surfers willing to trust them. Also, you can create your own certs with minimal effort, and you'll end up with the same thing.

In theory maybe

[Chuck+Chunder]

In practice the ID checks that I've seen done are fairly flimsy. And with "hundreds" of dollars being charged by big name certifying authorites there is strong motivation for them to just give you the cert (and take your money) once you've faxed them a couple of vaguely official looking signed bits of paper.

Anyone paying "hundreds" of bucks for a certificate is being scammed though. Much cheaper ones are available from people like GoDaddy. I can't see why anyone wouldn't just go for the $29 one, your users won't notice any difference between them unless they are particularly inquisitive and enjoy poking around obscure browser dialogues.

Re:In theory maybe

[xWakawaka]

Speaking of theory... let's clarify how this works.

Generating a certificate/key-pair is trivial. You can do it yourself for free or have a 3rd party do it free or at mild to great expense.

In theory, a certificate is only useful in verifying the identity of a resource (server authentication of a web server in this case) so long as you trust the issuing authority, and therefore you take it on the issuing authority's word (cert is signed with the authority's private key) that the server at the end of https://companyA.com really belongs to companyA. You trust the issuing authority to have verified this fact for you. That's all server authentication consists of.

In theory, then, the critical question is 'what certificate authorities do you trust to make that kind of verification on your behalf?'

In general practice, however, all this boils down to is 'what certificate authorities are shipped as "trusted" on an out of the box install of the dominant platform/browser?' This, of course, includes Verisign, Thawte, and serveral others that have gone through both a PKI practices certification process and what must surely be an expensive business relationship with Microsoft.

So, as a server administrator, you either pay up for a cert from one of these widely "trusted" authorities, or explain to your users wy they should either import your CA as a trusted root, or otherwise deal with the warning messages that the browser will issue if your cert comes from anyone "untrusted", including yourself.

And, as has been alluded to, one you are past the server authentication usage of the PKI, the session key exchange for bulk encryption (SSL) can be handled equally well by any technically correct certificate/key-pair, regardless of the trust chain.

Re:If you want a "real" one

[jonfelder]

Didn't these people buy SCO linux licenses? Why on earth would I give them money?

Ummmm... Why???

[James+Wells]

cacert.org is doing everything these guys are, and then some. cacert.org is free, but with a much higher level of personal confidence than Verisign, Thawt, or any others that I know of.
Additionally, with cacert.org, you are able to get more than just server certs and keys.

Re:Separate

[pchan-]

Any web browser will warn strongly that the certificate is not issued by a trusted organization, but you said you don't need to prove your identity, so this should perfectly suit your needs.

You do realize that if you can't prove your identity, your clients are vulnerable to man-in-the-middle attacks, right? How's the browser to know if it's your server they're talking to, or to someone else who signed their own cert and is impersonating you (and proxying its transactions to you, logging or modifying them along the way)? Authority signed certificates give you this ability. Self-signed certificates do not provide complete transport-layer security.

This is not to say that the signing authority can't be free. It's about time someone did it.

breaking the monopoly on certs

[wayne]

Ok, I've seen lots of posts from people saying that certs are a rip off. Getting a cert from someone means that they trust you enough to accept money from you, and that is about it.

I've also seen a lots of posts from people saying that you can generate a self-signed cert for free. The problem with these self-signed certs is that you get a pop-up from your browser warning you that the cert isn't trusted.

It appears to me that cert.startcom.org is trying to do something different: They are handing out certs with them as the root authority and giving information about how to install their cert as acceptable by your browser. If enough people do this, then major browsers will "have" to start including startcom.org's certs in their distributions. Until that happens, you still get a reduced number of cert pop-ups because many different websites will be using the same "non standard" cert authority.

You will get all the cheapness of self-signed certs with all the security of a cert from verislime or thawte. After all, the only real security with regular certs is that the traffic between your broswer and the website is encryptied.

Re:The problem with all SSL certs...

[Beryllium+Sphere(tm)]

The entire point of using certificates is so that you know that there is a certified binding between a public key and an identity. If you don't know who will recieve your encrypted information then there's no point encrypting it in the first place!

Yes, the cheapest and easiest attack against a public-key crypto system is to trick someone into encrypting to the wrong public key. That is the problem that certificates are supposed to solve. Nor is it just a theoretical problem, because already one "Internet marketing" company has been intercepting SSL transactions.

For a (partial) list of the design and implementation problems that interfere with certificates actually solving the problem, check out Peter Gutman's scathing critique of X.509-based PKI.

It's about trust

[js3]

Anyone can make a certificate, hell you can make one yourself. The whole point of a issuing certificates is about delegating trust. Verisign, Thawte, etc are trusted. Some company that gives it out for free without any sort of checking is not.

Re:Why shouldn't certification be free?

[XorNand]

2. Virtual hosts often share a single IP among many websites. You can't just authorize a name; SSL requires (from my understanding) a unique IP. That would make the IPv4 system even more strained.

SSL doesn't require a unique IP. The problem is that you can't use SSL with host headers, which is the trick that allows multiple websites to resolve to the same IP. Normally HTTP just serves back whatever content is on port 80 when a browser requests a connection. With HTTP/1.1 host headers were introduced which allowed the client to request a specfic hostname at that IP addresses, in effect allowing you to run multiple domains on a single IP address. This is was is incompatible with SSL.

GoDaddy will give you a *real* free SSL cert...

[bigtangringo]

...If you are doing it for an OpenSource project:
https://www.godaddy.com/gdshop/ssl/ssl_o pensource. asp

Not to mention, it's the cheapest SSL cert I know of at $30/year.

Re:Why shouldn't certification be free?

[ip_fired]

2. Virtual hosts often share a single IP among many websites. You can't just authorize a name; SSL requires (from my understanding) a unique IP. That would make the IPv4 system even more strained.

This is the case if you want to use the default HTTPS port (443) since the hostname is encrypted. However, you can use your certificate on other ports. Just have your webserver listen to port 4443, and then in your links, just put https://yourhost.com:4443/ and it works great.

When I was running a small webhost business, instead of getting a new IP for each cert, I'd just put them on different ports.

Also, the IPv4 system isn't as strained as it used to be. With NAT, and creative netmasks, they have been able to spread out the IPs more efficiently. I wish it *were* more strained, because then they might be forced to actually switch over to IPv6.

SSL Certificates can be had quite a bit cheaper

[ddent]

We issue SSL Certificates with prices a good deal less than hundreds upon hundreds of dollars. Our certificates are issued with a root that already exists in browsers, and we do ID verification (but remain flexible - we will issue certificates to both corporations and natural persons, i.e. people). In terms of keeping the encryption meaningful, using a self-signed certificate doesn't cut it - it makes it trivial for the right person to perform a man-in-the-middle attack.

As much as I'd love to say otherwise, the SSL business is actually quite competitive these days -- the days of a 128-bit certificate costing at least $895 are long gone.

The Meaning Of All This For Mere Mortals...

[smug_lisp_weenie]

Let's suppose you take your PC to a coffee shop and want to read your stock-r-us.com stock portfolio...

...even though there are already PLENTY of free certificate providers out there today, stocks-r-us has to pay big big bucks to one of a few certificate agencies- There's absolutely, positively, no way around this currently, for complex reasons that are hard to explain briefly, but I'll give it a shot...

First of all, there are two things, at the minimum, you need to talk to stocks-r-us over the internet securely from a coffee shop:

1. An encrypted communication channel (this is handled by public key and symmetric key encryption protocols)
2. A guarantee that the person you are talking to over the 'net really is stocks-r-us and not an impostor.

All this fancy talk in this slashdot story involves this second step in this process... so how can you get this no-impostor guarantee? Well, the most basic way would be to ask stocks-r-us a secret question only they could answer, sort of like a "secret handshake". An SSL certificate is simply a "secret handshake". (well, not so simply, but just accept this idea for now...) So in order to make sure the company you're talking to over the 'net is your stocks-r-us, you check to see if they know the stocks-r-us secret handshake. Problem solved...

...or not: This works fine if YOU know how to recognize the stocks-r-us secret handshake, but, for technical reasons, this is only possible if your computer and stocks-r-us have chatted in the past (i.e. you've used your computer before to sheck your stocks) if not, there's no way you can get the jimmy on how to tell a genuine stocks-r-us secret handshake.

This is where a certificate authority comes in: You can get a third person (whose handshake you do know) to give you stocks-r-us' secret handshake. There are many many organizations that offer free (or not free) services to act as this third person (i.e. as a "CA") So stocks-r-us can just sign up with one of these companies to give them the secret handshake info- Problem solved...

...or not: The user of their has to already know the handshake of the CA for this to work ahead of time, or the proverbial "house of cards" will just fall apart anyway... How can they be sure you already have the "secret hanshake" of this third person/CA?

Well, the answer is pretty goofy... the "handshake" of the CA has to be "hardwired" into every copy of Firefox/Internetexplorer/Safari/etc when it is installed. If you go to the settings of your browser, you'll see a list of CAs already placed in by Microsoft/Apple/Mozilla/etc right out of the box! That's the only way this could work...

...so you might be wondering: Don't the CA companies in this initial list of built-in handshakes have some kind of monopoly/oligopoly? The answer, of course, is YES: These special CAs charge monopoly-style prices for their services for this very reason. The point of this slashdot article is that an non-profit group wants to somehow make Microsoft/Apple/Mozilla/etc to put it in this super-duper "handshake" list, but it promises it won't charge everyone big bucks who wants to use them as their third party.

(I'm no expert on this, so any experts are welcome to reply to my post to make any corrections if there are any errors of substance...)

Re:Well....

[ljhiller]

I suspect you would have a hard time getting a certificate from Verisign with the name "Microsoft" or "National Security Agency".

I can't begin to imagine why why you would say this.

Re:sweet

[flakac]

If you don't feel like forking over money, download OpenSSL and generate your own certs. Here's a good how-to if you're interested. But if you go this route, your users will either have to install your root certificate into their browser's trusted store (I don't recommend this, but hey, it's your computer), or they'll have to click through an annoying dialog warning that the certificate is not trusted.

What you're paying for when you buy a certificate is not so much the certificate itself, but for the processes surrounding the issuing of said certificate. When getting a certificate, you must prove to the registration authority that you are who you are, and that you have the legal right to obtain a certificate for your organization. Only after this verification has taken place will you be issued a certificate from a trusted authority. But your users can examine the certificate's chain of trust, and verify who they're talking to. Impossible to do with a self-signed or otherwise untrusted certificate.

Re:Yes, but is their root known?

[The+Cisco+Kid]

To answer my own post, after reading thru their site, it apepars that no, they are an unknown root. Chicken-and-egg. Until they get their CA auth in the major browsers, no one will be able to use certs from them for anything the public will be accessing. And until lots of people are using them, they wont be able to get in the browsers.

Also, they don't seem to permit you to provide your own CSR, which as someone else noted somewhat vaguley, is a MAJOR security problem. A cert signer should *never* have access to your private key - you make the key on your system, use it to make a CSR, then they sign the CSR. The resulting signed cert is only then usable if you have both it and the private key.