Slashdot Mirror


Free SSL Certificate Project

An anonymous reader writes "Do you have a website or even run a web server and want to secure the traffic between your visitors' browser and the web site? Did you find out that in order to make your site SSL aware, you'll need an SSL (Secure Sockets Layer) certificate? Are you also surprised to find out that such a certificate can cost you up to a few hundred dollars, valid for one year only? For what, you might ask yourself? Linuxlookup.com is running a small article on free SSL certificates."

6 of 374 comments

  1. Separate by scrotch · · Score: 4, Interesting

    It has always seemed strange to me that encryption via SSL and verification of your business identity were rolled into the same system.

    I've had a few situations where I wanted to encrypt html and had no need of guaranteeing my server's identity to anyone. It seems like I should be able to encrypt traffic without having to jump through hoops and spend a lot of cash. Or without having a second class certificate.

    I hope this new project succeeds.

  2. Why shouldn't certification be free? by Mr.+Underbridge · · Score: 4, Interesting
    I thought the whole point of SSL is that not just anyone could get a cert...

    Having an internet presence is critical to running a successful business venture. Also, the creation of a truly international digital economy necessitates the development of a trusted method of identity establishment. Especially in these days of questionable computer security and the impossibility of ascertaining identity from IP. Reliable certification is vital to the development of the internet economy.

    However, the centralization of certification among a few organizations and their cost is shutting out smaller enterprises that don't have access to the fees or technology required. In effect, this institutes a kind of "information segregation" or isolationism that has the effect of a barrier to poorer nations - such as Nigeria or Rwanda - to the internet commerce that is so critical to the economy of the future.

    As such, I believe the best scenario is free certification provided by ICANN that can certify pages from poorer nations, so they can compete on an even playing field with the wealthier nations. Giving out free certifications - one per IP address at least - is the best way to accomplish this, and will allow for confident and secure transmission of funds and information.

  3. Re:Well.... [OT] by FalconZero · · Score: 4, Interesting

    I'm using it as (loosely) 'reboot'
    So that's roughly:
    Windows in 6 Bytes (IA-32): Do nothing then reboot.

    --
    Windows in 6 Bytes (IA-32) : 90 90 90 90 CD 19
  4. Blatant ignorance by QuantumG · · Score: 5, Interesting

    Does anyone even know what a man in the middle attack is anymore? Without certificates (or with easy to acquire certificates) we don't have a way to ensure that someone isn't spying on the encrypted traffic. This service will allow me to register a certificate that looks "just like" the one you expect to get from www.usemycreditcard.com and intercept your confidential details by presenting a key signed with that certificate to your browser. This is already happening with Verisign certificates, a case of them not doing their job, and now StartCom want to make it easier? I guess it doesn't really matter as the vast majority of people are too damn stupid to examine a certificate to ensure it is correct anyways.

    --
    How we know is more important than what we know.
  5. DomainKeys by Anonymous Coward · · Score: 5, Interesting
    I liked the idea behind Domain Keys:
    Domain Keys

    You post your public key in your DNS record. DNS already maintains an identity system.

    The trick with DK is to get the browsers to fetch the site's public key from the DNS record (it has to do the DNS query anyway) and use that in the handshaking.

    Yes, there is the potential for someone to hijack the site, but that is getting more difficult. And, DK would be a free add-on to the DNS stuff you have to do anyway.
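
An added example, not part of the comment above or of any DomainKeys implementation: a sketch of the check a client would make under that proposal, comparing the key a server presents in the handshake with the key published in a DomainKeys-style TXT record. The function names, the sample record and the stand-in key bytes are constructed for illustration, and the record is assumed to have been fetched from DNS already.

```python
import base64
import hmac

# Constructed sample data: 32 stand-in bytes in place of a real DER-encoded key.
SAMPLE_KEY = bytes(range(32))
SAMPLE_RECORD = "k=rsa; p=" + base64.b64encode(SAMPLE_KEY).decode("ascii")


def parse_key_record(txt):
    """Split a 'k=rsa; p=<base64>' style TXT record into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        # Split at the first '=' only, so base64 padding in the value survives.
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        tags[name.strip()] = value.strip()
    return tags


def key_matches_dns(txt, presented_key):
    """Return True only if the presented key bytes equal the DNS-published key."""
    tags = parse_key_record(txt)
    if tags.get("k", "rsa") != "rsa":
        return False  # unknown key type: refuse rather than guess
    encoded = tags.get("p", "")
    if not encoded:
        return False  # missing or empty p= (a revoked key): refuse
    try:
        published = base64.b64decode(encoded, validate=True)
    except ValueError:
        return False  # p= is not valid base64
    # Constant-time comparison of the two byte strings.
    return hmac.compare_digest(published, presented_key)


if __name__ == "__main__":
    print(key_matches_dns(SAMPLE_RECORD, SAMPLE_KEY))        # matching key
    print(key_matches_dns(SAMPLE_RECORD, SAMPLE_KEY[::-1]))  # different key
```

The check is only as trustworthy as the DNS answer it is given, which is the hijacking risk the comment mentions.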

  6. Re:It's about trust by jrumney · · Score: 4, Interesting
    The catch is that they aren't really trusted, or more importantly, trustable. What do you know about Verisign's internal security procedures?

    CAs are supposed to make their issuing policies publicly available. One day a few years ago when I had too much time on my hands I went through and checked them all. Of the 100-odd root certificates that were originally installed in my browser, I threw out about half for not having their policy publicly available in human readable form. I threw out most of the rest (including Verisign and Thawte's low-end certs) because their policy was too lax, but maybe I just have high standards.