Free SSL Certificate Project
An anonymous reader writes "Do you have a website or even run a web server and want to secure the traffic between your visitor's browser and the web site? Did you find out that in order to make your site SSL aware, you'll need an SSL (Secure Sockets Layer) certificate? Are you also surprised to find out that such a certificate can cost you up to a few hundred dollars, valid for one year only? For what, you might ask yourself? Linuxlookup.com is running a small article on free SSL certificates."
Sweet! I've never liked the idea of forking over money so that your site is deemed secure.
It has always seemed strange to me that encryption via SSL and verification of your business identity were rolled into the same system.
I've had a few situations where I wanted to encrypt html and had no need of guaranteeing my server's identity to anyone. It seems like I should be able to encrypt traffic without having to jump through hoops and spend a lot of cash. Or without having a second class certificate.
I hope this new project succeeds.
It's nice to be able to get free stuff online. I've been known to grab my share of free movies and music from time to time myself, but when it comes to things that are so critical to the security of my servers, I'm a little more careful.
That is not to say that the particular people in the article are crooked -- I'm sure they're on the level. I'm just saying that as this kind of thing becomes popular, you can be sure some computer hackers out there will try to co-opt the good name of services like these so they can give out compromised certificates and steal information from you and your customers.
The bottom line is: When it's free, you just never know. A thousand eyes only get you so far. This is why I tend to stick to software backed by a solid corporate history on my own production servers. It's just not worth the risk to skimp on costs when the fact is your entire business is on the line there.
You just have to know who you're dealing with when you get into this kind of thing. Are you dealing with someone honest or are you dealing with some sort of shady basement operation that moved to Canada to avoid cryptography laws? When mission critical information is at stake, this stuff counts.
A Proud Member of the Reality Oriented Community.
Personally I think the government would be well suited to do this sort of thing. Maybe provide them when you get a driver's license or a business license. It's not like it takes massive amounts of money to see if you really are who you say you are. And why the expiration dates? (Well, of course, they're another way to screw people out of $$, but what's the certificate providers' excuse/reason for them?)
Every time you post an article on Slashdot, I kill a server. Think of the servers!
Having an internet presence is critical to running a successful business venture. Also, the creation of a truly international digital economy necessitates the development of a trusted method of identity establishment. Especially in these days of questionable computer security and the impossibility of ascertaining identity from IP. Reliable certification is vital to the development of the internet economy.
However, the centralization of certification among a few organizations and their cost is shutting out smaller enterprises that don't have access to the fees or technology required. In effect, this institutes a kind of "information segregation" or isolationism that has the effect of a barrier to poorer nations - such as Nigeria or Rwanda - to the internet commerce that is so critical to the economy of the future.
As such, I believe the best scenario is free certification provided by ICANN that can certify pages from poorer nations, so they can compete on an even playing field with the wealthier nations. Giving out free certifications - one per IP address at least - is the best way to accomplish this, and will allow for confident and secure transmission of funds and information.
I'm using it as (loosely) 'reboot'
So that's roughly:
Windows in 6 Bytes (IA-32): Do nothing then reboot.
Windows in 6 Bytes (IA-32) : 90 90 90 90 CD 19
And have these insurers ever actually paid out? If not, then what's the point? If yes, how come there's no relation between what they charge to get a certificate and the value of the transaction?
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
Does anyone even know what a man in the middle attack is anymore? Without certificates (or with easy to acquire certificates) we don't have a way to ensure that someone isn't spying on the encrypted traffic. This service will allow me to register a certificate that looks "just like" the one you expect to get from www.usemycreditcard.com and intercept your confidential details by presenting a key signed with that certificate to your browser. This is already happening with Verisign certificates, a case of them not doing their job, and now StartCom want to make it easier? I guess it doesn't really matter as the vast majority of people are too damn stupid to examine a certificate to ensure it is correct anyways.
How we know is more important than what we know.
You post your public key in your DNS record. DNS already maintains an identity system.
The trick with DK is to get the browser's to fetch the site's public key from the DNS record (it has to do the DNS query anyway) and use that in the handshaking.
Yes, there is the potential for someone to hijack the site, but that is getting more difficult. And, DK would be a free add-on to the DNS stuff you have to do anyway.
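The "public key in the DNS record" idea in the post above later became DANE (RFC 6698): a TLSA record under _443._tcp.<host> carries a hash of the server's certificate or SubjectPublicKeyInfo, and the client compares it against what the TLS handshake presents. The following is an added example, not code from the post or from any DANE implementation; the SPKI bytes and the TLSA record are constructed placeholders, and the field numbers follow RFC 6698. One caveat the poster glosses over: the record is only as trustworthy as the DNS answer, so DANE requires DNSSEC-validated lookups (the very next comment in this thread describes a DNS-controlling attacker).

```python
"""DANE TLSA record generation and matching, RFC 6698 field semantics.

Added example. The certificate/SPKI bytes below are constructed stand-ins;
a real client would take them from the peer certificate in the handshake.
"""
import hashlib

# Certificate usage (field 1). Only DANE-EE (3) is handled here: it pins the
# end-entity key directly and needs no CA at all, which is the poster's point.
USAGE_DANE_EE = 3
# Selector (field 2): what part of the certificate the record describes.
SELECTOR_FULL_CERT = 0
SELECTOR_SPKI = 1
# Matching type (field 3): how the data field was derived.
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


def parse_tlsa(record: str):
    """Parse the presentation form '3 1 1 <hex>' into (usage, selector, mtype, data)."""
    fields = record.split()
    if len(fields) != 4:
        raise ValueError("TLSA record needs exactly four fields")
    usage, selector, mtype, data_hex = fields
    return int(usage), int(selector), int(mtype), bytes.fromhex(data_hex)


def tlsa_association(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Compute the association data a record with (selector, mtype) would hold
    for this certificate, so it can be compared byte-for-byte."""
    if selector == SELECTOR_FULL_CERT:
        chosen = cert_der
    elif selector == SELECTOR_SPKI:
        chosen = spki_der
    else:
        raise ValueError("unsupported selector")
    if mtype == MATCH_EXACT:
        return chosen
    if mtype == MATCH_SHA256:
        return hashlib.sha256(chosen).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(chosen).digest()
    raise ValueError("unsupported matching type")


def make_tlsa_record(spki_der: bytes) -> str:
    """Produce the usual '3 1 1 <sha256 of SPKI>' record an operator publishes."""
    digest = hashlib.sha256(spki_der).hexdigest()
    return f"{USAGE_DANE_EE} {SELECTOR_SPKI} {MATCH_SHA256} {digest}"


def tlsa_matches(records, cert_der: bytes, spki_der: bytes) -> bool:
    """True if any usable DANE-EE record matches the presented certificate.

    Records with usages or parameters this client does not implement are
    skipped rather than treated as a mismatch (RFC 7671 calls them
    'unusable'); if none are usable the caller should fall back to PKIX.
    """
    for record in records:
        usage, selector, mtype, data = parse_tlsa(record)
        if usage != USAGE_DANE_EE:
            continue
        try:
            expected = tlsa_association(cert_der, spki_der, selector, mtype)
        except ValueError:
            continue
        # Constant-time compare is not essential for public data, but harmless.
        if len(expected) == len(data) and all(a == b for a, b in zip(expected, data)):
            return True
    return False


# Constructed sample input: stand-ins for the DER bytes a real cert would carry.
SAMPLE_SPKI = b"constructed-subjectpublickeyinfo-for-shop.example"
SAMPLE_CERT = b"constructed-certificate-wrapping:" + SAMPLE_SPKI
SAMPLE_RECORD = make_tlsa_record(SAMPLE_SPKI)


def demo():
    good = tlsa_matches([SAMPLE_RECORD], SAMPLE_CERT, SAMPLE_SPKI)
    # An attacker's certificate with a different key fails the pin.
    bad = tlsa_matches([SAMPLE_RECORD], b"attacker-cert", b"attacker-spki")
    return good, bad


if __name__ == "__main__":
    print(SAMPLE_RECORD)
    print(demo())
```

Publishing the record is `make_tlsa_record` run over the real SPKI DER (`openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER` produces those bytes); the client side is `tlsa_matches` with the DNSSEC-validated record set.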
I thought the whole point of SSL is that not just anyone could get a cert...
Exactly.
I would only support a system that had many levels of validation.
1. You create an account and submit your site.
2. There would be a required waiting period of 30 days.
3. You would login to your account and request that your site be reviewed.
4. You must submit a deposit of $10 which will be returned when your site has been approved. If your site was not approved you must login to your account and request a refund.
5. Your site would be reviewed by PAID employees. The funds will come from site advertisements and deposits from sites that were not approved and returned.
6. Profit?
A free system can exist but it must be HARD to get the certificate.
You don't get it. It is like the Linux vs Windows battle. If everyone starts using cacert and the free browsers (Firefox, Safari, Opera, Konqueror) include it as a trusted CA then those prompts GO AWAY. Suddenly the SSL cert market doesn't look so good, prices drop.
I think cacert has a very good program. You want a real cert then someone local has to verify your ID. It takes the money out and puts the trust back into SSL.
Unless you work there, Verisign is just a faceless enigma. You know more about your father's brother's nephew's cousin's former roommate, than you know about Verisign.
If a cert is signed only by Verisign (and the nature of X.509 certs is that they only have one CA) then you have to decide to either trust it completely, or trust it not at all. And if, like 99.999999% of the population, you simply have no clue as to whether or not Verisign can be trusted, best practices are to assume the worst, and the certs are effectively meaningless, whether they are signed by Verisign or by some kid in his basement.
As it turns out, there's a better way: PGP. PGP uids can be signed by multiple entities, so if you have a clue about some signers and no clue about others, you can throw out the info that means nothing to you, and still take advantage of the info which has meaning. And even for the signatures that you're uncertain about, if you're willing to quantify how uncertain you are, then you can multiply uncertainties, based on the idea that conspiracies are hard to pull off.
The only problem with PGP, is that use of it in concert with secure connections, hasn't really caught on. But surprisingly, the idea isn't unheard of or completely dead, either. If people ever start to take internet security really seriously, there are projects like GnuTLS. It's a long way off from the mainstream, but just about everything we take for granted these days, was like that at one time. :-)
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
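The two trust models the post above contrasts can be written down. An X.509 chain has a single issuer, so validity is a yes/no lookup against the trust store. A PGP uid with several signers is evaluated by GnuPG's classic web-of-trust rule (a key is valid if it is signed by at least one fully trusted valid key or by at least three marginally trusted valid keys, within a depth limit), and the "multiply uncertainties" idea the poster sketches is an independent-signers probability. The code below is an added example, not from the post or from GnuPG; the key names, owner-trust assignments and doubt values are constructed for illustration.

```python
"""Web-of-trust validity: GnuPG classic model and the probabilistic variant.

Added example with a constructed key graph. Keys are plain strings; a real
implementation would key on fingerprints and per-uid signatures.
"""

# Owner trust: how much the local user trusts each *person* to sign carefully.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"


def x509_is_valid(issuer: str, trusted_cas: set) -> bool:
    """X.509 has one issuer per certificate: trust it completely or not at all."""
    return issuer in trusted_cas


def compute_valid_keys(signatures, owner_trust, marginals_needed=3,
                       completes_needed=1, max_depth=5):
    """Return the set of keys whose uids are valid.

    signatures: {key: set of keys that signed it}
    owner_trust: {key: one of the trust levels above}
    Iterates to a fixed point: a signature only counts if the signer's own
    key is already valid, so trust propagates outward from ultimately trusted
    keys, at most max_depth hops (GnuPG's --max-cert-depth default is 5).
    """
    valid = {k for k, t in owner_trust.items() if t == ULTIMATE}
    for _ in range(max_depth):
        new_valid = set(valid)
        for key, signers in signatures.items():
            if key in valid:
                continue
            counted = [s for s in signers if s in valid]
            fulls = sum(1 for s in counted if owner_trust.get(s) in (FULL, ULTIMATE))
            marginals = sum(1 for s in counted if owner_trust.get(s) == MARGINAL)
            # NEVER and UNKNOWN signers contribute nothing, as the post suggests:
            # information that means nothing to you is simply thrown out.
            if fulls >= completes_needed or marginals >= marginals_needed:
                new_valid.add(key)
        if new_valid == valid:
            break
        valid = new_valid
    return valid


def probability_genuine(signer_doubts):
    """signer_doubts: p_i = your estimate that signer i's signature is bogus.

    Treating signers as independent, the uid is bogus only if *every*
    signature is bogus, so P(genuine) = 1 - prod(p_i). A signer you know
    nothing about gets p_i = 1.0 and changes nothing; a signer you trust
    completely gets p_i = 0.0 and settles the question.
    """
    p_all_bogus = 1.0
    for p in signer_doubts:
        if not 0.0 <= p <= 1.0:
            raise ValueError("doubt must be a probability")
        p_all_bogus *= p
    return 1.0 - p_all_bogus


# Constructed web of trust: "me" is the local key.
OWNER_TRUST = {
    "me": ULTIMATE, "alice": FULL, "bob": MARGINAL,
    "carol": MARGINAL, "dave": MARGINAL, "mallory": NEVER,
}
SIGNATURES = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"},
    "dave": {"alice"},                        # valid via one full signer
    "shop.example": {"bob", "carol", "dave"},  # valid via three marginals
    "evil.example": {"mallory", "bob"},       # NEVER + one marginal: not valid
    "orphan": {"eve"},                        # unknown signer: not valid
}


def demo():
    valid = compute_valid_keys(SIGNATURES, OWNER_TRUST)
    p = probability_genuine([0.5, 0.5, 0.5])  # three so-so signers
    return valid, p


if __name__ == "__main__":
    valid, p = demo()
    print(sorted(valid))
    print(f"three independent 50% signers -> {p:.3f} genuine")
```

Lowering `marginals_needed` is exactly the knob GnuPG exposes as `--marginals-needed`; the probabilistic function has no such threshold and instead leaves the accept/reject decision to whoever reads the number.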
Are people really so childish to believe that there is no relationship between big software manufacturers, and the big profit-producing cert authorities? Try to use even a mid-tier (I am not even getting to the free ones) authority, like Thawte, and let me know if you will ever get the Jinitiator client in Oracle 9i working, without manually redistributing a new cert file to all clients ... what you end up doing is paying Verisign a few more thousands, for all the servers, to avoid paying the admins tens of thousands, to customize clients, distributions and updates ...
== With enough Will Power, one could move mountains. With enough Brains, one would just leave them where they are ==
This is followed by an excellent explanation of how the whole thing works. But I can't get past this opening sentence. If I run your wireless access point, I pretty much control your DNS. It would be trivial to point yahoo.com to my own web server, and deliver a complete mockup of their site, including the login page. After you log in, I return a "We're sorry, our mail system is temporarily unavailable." message. Now I have your login information, and it will never occur to you that an SSL session was never initiated because you simply clicked a few buttons or links that used regular HTTP, and the rest of the Internet was accessible as usual.
With major municipalities considering citywide deployment of wireless access points, this could easily be the phishing of the future. Hell, I could set this up on a windowsill and collect login information for any number of domains. Nobody checks how they've connected once they have a signal.
I'm a reseller for InstantSSL. If you purchase credits on their system and act as a reseller (not just an affiliate), you get certificate requests coming to you. All you do is go online, approve the request, and it's issued. Customers have done this and apparently they don't go through any extra screening, even for a code signing cert.
Anyone have a different experience?
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
We've had free certificates (OCES, SSL, whatever) here in Denmark for years. It's a project initiated by the government and the largest telecom here, TDC.
We can even use it to pay our taxes! Yay!
How do you define trust? Do you trust someone like Verisign?
http://infosecuritymag.techtarget.com/2001/mar/digest26.shtml#news2
According to this article on heise.de, StartCom generates the SSL certificate you order on their server, signs it, and sends it to you.
How do I know that they don't keep a copy of the cert for their own use? They could impersonate my server any time with this.
"Oh, a lesson in not changing history from Mr I'm-my-own-Grandpa." - Dr Hubert Farnsworth
Thawte and CAcert have a Web Of Trust (WOT) to deal with the trust issue. I'm a notary myself for both Thawte and CAcert, and a person's ID is not trusted until multiple notaries have physically verified that person with photo ID. I take my notary job very seriously, and I think all notaries do.
StarTrek.org Free Webmail
CAs are supposed to make their issuing policies publicly available. One day a few years ago when I had too much time on my hands I went through and checked them all. Of the 100-odd root certificates that were originally installed in my browser, I threw out about half for not having their policy publicly available in human-readable form. I threw out most of the rest (including Verisign and Thawte's low-end certs) because their policy was too lax, but maybe I just have high standards.