Slashdot Mirror
Free SSL Certificate Project
An anonymous reader writes "Do you have a website or run even a web server and want to secure the traffic between your visitors browser and the web site? Did you find out, that in order to make your site SSL aware, you'll need a SSL (Secure Sockets Layer) certificate? Are you also surprised to find out that such a certificate can cost you up to a few hundred dollars, valid for one year only? For what, you might ask yourself? Linuxlookup.com is running a small article on free SSL certificates."
Sweet! I've never liked the idea of forking over money so that your site is deemed secure.
I thought the whole point of SSL is that not just anyone could get a cert...
TODO: Something witty here...
Just explain to your customers why you cert isnt registered.
I've always used cacert.org for free SSL certificate s. :)
This space is not for rent.
Secure certs are one of the biggest ripoffs known to man. The sad fact is that they really only prove that money was able to change hands. This is way, way overdue.
Dog is my co-pilot.
Are steak-knives included in the article? Here's a tip for the AC. Don't make your post sound like a cheap advert. This is a news aggregator (well, it claims to be anyway). Articles should have summaries in a manner that most respected news-sources use. Not like some used car salesman. And if this is off-topic. Sorry, but I'm discussing all that I can, the article summary. The site's down so I can't read the article itself.
Anyone CAN get one! All you have to do is pay X amount of money.
Besides, do you really trust people such as Verisign to actively control certs?
It has always seemed strange to me that encryption via SSL and verification of your business identity were rolled into the same system.
I've had a few situations where I wanted to encrypt html and had no need of guaranteeing my server's identity to anyone. It seems like I should be able to encrypt traffic without having to jump through hoops and spend a lot of cash. Or without having a second class certificate.
I hope this new project succeeds.
Like being able to self-issue a certif is new? Used some random tool that came with MS Office to do it last time I had a use for one, of course that was Office 2K or thereabouts but it's probably still there, and there are probably alot of other ways to self-issue one. The entire point of the big expensive ones is that you have a "trusted" authority validating the transaction.
Get OpenSSL and roll your own, any time, any platform... always been that way... and this is news? Some script-kiddy-turned-public-relations-director figured this out? Good for j00. As for everyone else, nothing to see here that we don't already know.
Since the linked article is dying, who knows if you'll be able to even get the link to the real article. So here's your text, AC to keep the whoring in Vegas.
StartCom Free SSL Certificate Project
StartCom Free SSL Certificate Project The Idea:
Do you have a website or run even a web server and want to secure the traffic between your visitors browser and the web site? Did you find out, that in order to make your site SSL aware, you'll need a SSL (Secure Sockets Layer) certificate? Are you also surprised to find out that such a certificate can cost you up to a few hundred dollars, valid for one year only? For what, you might ask yourself?
StartCom Ltd., the vendor and distributor of StartCom Linux Operating Systems, operates also MediaHost(TM), a hosting company specialized in DB and Java web application hosting and offers its clients SSL secured web sites with certificates signed by StartCom Ltd already for years. Here is, where the idea for this project originated: Free SSL certificates!
How?
Most web servers, such as Apache, IIS and others are capable of running the 128-bit secured and encrypted SSL protocol. All you need, in most cases, is a SSL certificate to make it work. StartCom is going to provide you with this certificate through a simple web based interface wizard and sign up process free of charge. Together with the installation instructions, you'll have your secured web site running within a few minutes.
Why?
Because we believe, that companies like Verisign, Thawte and others, just rip you off your money! Simply as that! Even the so called "Free SSL certificates" offered by some companies aren't free, but can cost you up to a US $ 100 or even more.
More than that, lets think about, what SSL is supposed to do: Encrypt and secure the traffic between a browser and the server! Point! It is not supposed to give you the impression, that a website is trustworthy or even say anything about its identity...for this you should use your brain and common sence.* Anybody can get a SSL certificate and as such does not give any type of warranty about the intensions, or quality of products, of the website or its owners! We'll prove here, that SSL certificates can cost much less or may be even free of charge! If enough people are using our certificates and stop buying them, well, than the existence of these companies will vanish and we'll all win another piece of freedom!
* We'll offer in the future, some sort of verified SSL certificates, but on this later...
Where, when?
Convinced? We build and tested this web site during February 2005, so you'll be able to get a SSL certificate for free. Use the links below to get your free certificate now! Please spread the word about this project to your friends (by having a link to our web site?). Contact us, if you want to contribute. And....spend your money on better things! There are enough good causes to support!
Common sense says, make sure the StartCom CA Certificate is not on any of my machines!
The entire point of using certificates is so that you know that there is a certified binding between a public key and an identity. If you don't know who will recieve your encrypted information then there's no point encrypting it in the first place!
$50 per year per certificate. I've had no problems getting them to work with all browsers. Since I can't read the article, are they giving out real authority certs? Ones that your browser won't pop up the window saying it's untrusted?
./sign.sh server.csr
If not, here is a recipe for free signed certificates:
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
you can do it yourself if you want, but the user will be prompted with a scary dialog because your self-signed cert doesnt come built into the browser
for encryption this doesnt matter but on an ecommerce site transparent http>https is essential, if a user becomes accustomed to warning dialogs they will learn to ignore them (witness activeX spyware installs)
so signing certs is easy, signing non-prompting certs is why people pay the money
In fact, even mod_ssl has information on how to do so on the site:
http://www.modssl.org/docs/2.6/ssl_faq.html#ToC27
- - - - - Fear not the reaper, but my shiny white teeth.
It's nice to be able to get free stuff online. I've been known to grab my share of free movies and music from time to time myself, but when it comes to things that are so critical to the security of my servers, I'm a little more careful.
That is not to say that the particular people in the article are crooked -- I'm sure they're on the level. I'm just saying that as this kind of thing becomes popular, you can be sure some computer hackers out there will try to co-opt the good name of services like these so they can give out compromised certificates and steal information from you and your customers.
The bottom line is: When it's free, you just never know. A thousand eyes only get you so far. This is why I tend to stick to software backed by a solid corporate history on my own production servers. It's just not worth the risk to skimp on costs when the fact is your entire business is on the line there.
You just have to know who you're dealing with when you get into this kind of thing. Are you dealing with someone honest or are you dealing with some sort of shady basement operation that moved to Canada to avoid cryptography laws? When mission critical information is at stake, this stuff counts.
A Proud Member of the Reality Oriented Community.
When you finally get to the site that is offering the certs (http://cert.startcom.org/) all you find is bad grammar and certs that aren't recognized by any browser (i.e. warnings pop up). It's admirable that the site wants to issue free certificates, but you won't find many surfers willing to trust them. Also, you can create your own certs with minimal effort, and you'll end up with the same thing.
Personally I think the government would be well suited to do this sort of thing. Maybe provide them when you get a drivers license or a business license. Its not like it takes massive amounts of money to see if you really are who you say you are. And why the expiration dates(well, of course, they're another way to screw people out of $$, but what's the certificate providers excuse/reason for them?)
Every time you post an article on Slashdot, I kill a server. Think of the servers!
In practice the ID checks that I've seen done are fairly flimsy. And with "hundreds" of dollars being charged by big name certifying authorites there is strong motivation for them to just give you the cert (and take your money) once you've faxed them a couple of vaguely official looking signed bits of paper.
Anyone paying "hundreds" of bucks for a certificate is being scammed though. Much cheaper ones are available from people like GoDaddy. I can't see why anyone wouldn't just go for the $29 one, your users won't notice any difference between them unless they are particularly inquisitive and enjoy poking around obscure browser dialogues.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
hmm, it seems maybe they should have written about MySQL Connections... ;)
Here's what I do: Bitty Browser & Andromeda
Didn't these people buy SCO linux licenses? Why on earth would I give them money?
Having an internet presence is critical to running a successful business venture. Also, the creation of a truly international digital economy necessitates the development of a trusted method of identity establishment. Especially in these days of questionable computer security and the impossibility of ascertaining identity from IP. Reliable certification is vital to the development of the internet economy.
However, the centralization of certification among a few organizations and their cost is shutting out smaller enterprises that don't have access to the fees or technology required. In effect, this institutes a kind of "information segregation" or isolationism that has the effect of a barrier to poorer nations - such as Nigeria or Rwanda - to the internet commerce that is so critical to the economy of the future.
As such, I believe the best scenario is free certification provided by ICANN that can certify pages from poorer nations, so they can compete on an even playing field with the wealthier nations. Giving out free certifications - one per IP address at least - is the best way to accomplish this, and will allow for confident and secure transmission of funds and information.
cacert.org is doing everything these guys are, and then some. cacert.org is free, but with a much higher level of personal confidence than Verisign, Thawt, or any others that I know of.
Additionally, with cacert.org, you are able to get more than just server certs and keys.
"Individuals are smart, people are stupid" -- Tommy Lee Jones as "K" from Men In Black
Did you find out, that in order to make your site SSL aware, you'll need a SSL (Secure Sockets Layer) certificate?
WTF is "SSL aware"?
I have had no problem creating and using self signed certs with SSL.
--fatboy
Oh and he was protecting his customers by parading around to the press with his lips attached to Daryl's buttocks right? You do remember him traveling around with Daryl spewing their BS to everyone right? Give me a frigging break I won't buy crap from them, I also refuse to help anyone hosting stuff on their servers.
Got Code?
Think about this for a minute... The purpose of SSL is not to secure data during transport, it is to secure data during transport AND to verify to the sender that the reciever is who they claim to be.
Without identity verification there is NO POINT in encryption for most usages.
The point is to make the person who is submitting their credit card number resonably secure in the knowledge that they are sending it to who they think they are. This cannot happen without identity verification.
- sigs are stupid
I'm using it as (loosly) 'reboot'
So thats rougly:
Windows in 6 Bytes (IA-32): Do nothing then reboot.
Windows in 6 Bytes (IA-32) : 90 90 90 90 CD 19
And have these insurers ever actually paid out? If not, then what's the point? If yes, how come there's no relation between what they charge to get a certificate and the value of the transaction?
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"Does anyone even know what a man in the middle attack is anymore? Without certificates (or with easy to aquire certificates) we don't have a way to ensure that someone isn't spying on the encrypted traffic. This service will allow me to register a certificate that looks "just like" the one you expect to get from www.usemycreditcard.com and intercept your confidential details by presenting a key signed with that certificate to your browser. This is already happening with Verisign certificates, a case of them not doing their job, and now StartCom want to make it easier? I guess it doesn't really matter as the vast majority of people are too damn stupid to examine a certificate to ensure it is correct anyways.
How we know is more important than what we know.
Ahhh yes, not the preferred method of rebooting =D
They should've told SCO to stuff it. Their money (ev1's) went to help SCO perpetuate this crap on others. By extension, so did their customers' money. I know if I were an ev1 customer I would've gone balistic and dropped them immediately. I imagine many people did. If everyone stands up to SCO, what they going to do?
I'm not so certain I believe their excuse that they were protecting customers. Let the customers decide if they want to purchase SCO licenses. EV1 has the resources to fight and that's what they should've done.
I certainly see no reason to give them more money. I'd choose a different SSL provider that is not verisign (they suck too) that didn't give money to SCO, even if that provider cost more.
I've also seen a lots of posts from people saying that you can generate a self-signed cert for free. The problem with these self-signed certs is that you get a pop-up from your browser warning you that the cert isn't trusted.
It appears to me that cert.startcom.org is trying to do something different: They are handing out certs with them as the root authority and giving information about how to install their cert as acceptable by your browser. If enough people do this, then major browsers will "have" to start including startcom.org's certs in their distributions. Until that happens, you still get a reduced number of cert pop-ups because many different websites will be using the same "non standard" cert authority.
You will get all the cheapness of self-signed certs with all the security of a cert from verislime or thawte. After all, the only real security with regular certs is that the traffic between your broswer and the website is encryptied.
SPF support for most open source mail servers can be found at libspf2.
For a (partial) list of the design and implementation problems that interfere with certificates actually solving the problem, check out Peter Gutman's scathing critique of X.509-based PKI.
Anyone can make a certificate, hell you can make one yourself. The whole point of a issuing certificates is about delegating trust. Verisign, Thawte, etc are trusted. Some company that gives it out for free without any sort of checking is not.
did you forget to take your meds?
Warning: Too many connections in /var/www/pnadodb/drivers/adodb-mysql.inc.php on line 108
Really great article...
Go Daddy.com recently annouced they were offering free SSL certificates for Open Source Projects:
Go Daddy.com
You post your public key in your DNS record. DNS already maintains an identity system.
The trick with DK is to get the browser's to fetch the site's public key from the DNS record (it has to do the DNS query anyway) and use that in the handshaking.
Yes, there is the potential for someone to hijack the site, but that is getting more difficult. And, DK would be a free add-on to the DNS stuff you have to do anyway.
The problem happens if a "trusted" authority issues certificates for sites like these. Then people go to to the site, think everything is okay, and securely give out information to the phishers. This is why automatically trusting these free certs is stupid and why you might as well just make your own certificate.
Reminds me of one time back in HS. We didn't like our CS teacher and for our final project in C every student put a call to INT 19 at the end of their code, so when she was through running and grading our program it'd reset her computer. I don't think she ever figured it out.
------
"And may your days be long upon the earth."
...If you are doing it for an OpenSource project:o pensource. asp
https://www.godaddy.com/gdshop/ssl/ssl_
Not to mention, it's the cheapest SSL cert I know of at $30/year.
Yes, I am a smart ass; it's better than the alternative.
You don't get it. It is like the Linux vs Windows battle. If everyone starts using cacert and the free browsers (firefox,safari,opera,konqurer) include it as a trusted CA then those prompts GO AWAY. Suddenly the SSL cert market doesn't look so good, prices drop.
I think cacert has a very good program. You want a real cert then someone local has to verify your ID. It takes the money out and puts the trust back into SSL.
Many fine, relevant comments have already been made in this thread. But I didn't see anyone point out the downside of free SSL certificates: free phishing sites!
Yes, it's possible to freely self-sign certificates to get encryption. I run my own certificate authority for encrypting traffic among my clients, if they aren't conducting e-commerce. These self-signed certificates work fine without triggering a browser warning--if you import the certificate authority certificate.
For my public/e-commerce sites, I use FreeSSL, at $35/year. This buys me a blessing from a CA that is pre-installed in over 95% of all browsers in use. What's not covered? Konqueror. Curl. I think Safari, though I haven't checked recently. For my clients who want those to work, I suggest spending the ~$120 or so for a Geotrust cert.
Now, imagine if every spammer in the world could get an SSL certificate for free... Already domains are cheap enough that they can set them up to easily spoof real web sites--banks, etc. Imagine if every one of those had an SSL certificate, and didn't trigger a browser warning? Most people I know look for the lock. If the lock is there, they trust the site. They don't actually look at the certificate, or even the URL much.
For this reason alone, I'm glad certs aren't free. You can do encryption for free, but I'd prefer my browser to at least let me know the site I'm visiting is too cheap to buy a real cert. (that's not meant as a slam, since I'm too cheap to buy one for most of my sites...).
Cheers,
Freelock Computing
Open Source Solutions for Small Business Problems
Freelock Computing
You can create your own SSL Certificate, however whoever visits your server must chose to accept it. Just because it isn't "Certified" doesn't mean that your site is insecure.
The GoDaddy certs are compatible with pretty much every browser in use today....
Internet Explorer 5.01 and higher
AOL 5 and higher
Netscape 4.7 and higher
Opera 7.5 and higher.
Safari on Mac OS X 10.3.4 or higher
Mozilla (all versions)
Firefox (all versions)
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Are people really so childish to believe that there is no relationship between big software manufacturers, and the big profit-producing cert authorities? Try to use even a mid-tier (I am not even getting to the free ones) authority, like Thawte, and let me know if you will ever get the Jinitiator client in Oracle 9i working, without manually redistibuting a new cert file to all clients ... what you end up doing is paying Verisign a few more thousands, for all the servers, to avoid paying the admins tens of thousands, to customize clients, distributions and updates ...
== With enough Will Power, one could move mountains. With enough Brains, one would just leave them where they are ==
We issue SSL Certificates with prices a good deal less than hundreds upon hundreds of dollars. Our certificates are issued with a root that already exists in browsers, and we do ID verification (but remain flexible - we will issue certificates to both corporations and natural persons, i.e. people). In terms of keeping the encryption meaningful, using a self-signed certificate doesn't cut it - it makes it trivial for the right person to perform a man-in-the-middle attack.
As much as I'd love to say otherwise, the SSL business is actually quite competitive these days -- the days of a 128-bit certificate costing at least $895 are long gone.
SSL Certificate
Let's suppose you take your PC to a coffee shop and want to read your stock-r-us.com stock portfolio...
...even though there are already PLENTY of free certificate providers out there today, stocks-r-us has to pay big big bucks to one of a few certificate agencies- There's absolutely, positively, no way around this currently, for complex reasons that are hard to explain briefly, but I'll give it a shot...
...or not: This works fine if YOU know how to recognize the stocks-r-us secret handshake, but, for technical reasons, this is only possible if your computer and stocks-r-us have chatted in the past (i.e. you've used your computer before to sheck your stocks) if not, there's no way you can get the jimmy on how to tell a genuine stocks-r-us secret handshake.
...or not: The user of their has to already know the handshake of the CA for this to work ahead of time, or the proverbial "house of cards" will just fall apart anyway... How can they be sure you already have the "secret hanshake" of this third person/CA?
First of all, there are two things, at the minimum, you need to talk to stocks-r-us over the internet securely from a coffee shop:
1. An encrypted communication channel (this is handled by public key and symmetric key encryption protocols)
2. A guarantee that the person you are talking to over the 'net really is stocks-r-us and not an impostor.
All this fancy talk in this slashdot story involves this second step in this process... so how can you get this no-impostor guarantee? Well, the most basic way would be to ask stocks-r-us a secret question only they could answer, sort of like a "secret handshake". An SSL certificate is simply a "secret handshake". (well, not so simply, but just accept this idea for now...) So in order to make sure the company you're talking to over the 'net is your stocks-r-us, you check to see if they know the stocks-r-us secret handshake. Problem solved...
This is where a certificate authority comes in: You can get a third person (whose handshake you do know) to give you stocks-r-us' secret handshake. There are many many organizations that offer free (or not free) services to act as this third person (i.e. as a "CA") So stocks-r-us can just sign up with one of these companies to give them the secret handshake info- Problem solved...
Well, the answer is pretty goofy... the "handshake" of the CA has to be "hardwired" into every copy of Firefox/Internetexplorer/Safari/etc when it is installed. If you go to the settings of your browser, you'll see a list of CAs already placed in by Microsoft/Apple/Mozilla/etc right out of the box! That's the only way this could work...
...so you might be wondering: Don't the CA companies in this initial list of built-in handshakes have some kind of monopoly/oligopoly? The answer, of course, is YES: These special CAs charge monopoly-style prices for their services for this very reason. The point of this slashdot article is that an non-profit group wants to somehow make Microsoft/Apple/Mozilla/etc to put it in this super-duper "handshake" list, but it promises it won't charge everyone big bucks who wants to use them as their third party.
(I'm no expert on this, so any experts are welcome to reply to my post to make any corrections if there are any errors of substance...)
Speaking on behalf of a company forced to purchase a certificate from a recognized issuing authority, I can say that the main issue involved was the need to have the certificate automatically trusted w/o needing to install additional trusted roots. Sure, in a windows domain we can deploy our own root to our clients, but we were looking at problems outside our organization.
1) Exchange RPC over HTTPS - outlook 2003 does have this support, but it won't work if it does not trust the certificate of the server. And if you don't have admin rights, you can't add that trust. Specifically, RPC over HTTP was designed for use outside of the organization, so it does make things harder if you need admin access over a box in a partners organization (it's either that or use OWA, which we all hate in general).
2) Mobile devices and Handhelds. Windows isn't the only system that comes preconfigured with certain trusted root authorities. Mobile devices are a pain in that some of them can't even be configured with additional trusted roots.
3) We experience a significant slowdown when we require our users to temporarily accept certificates for a web session. I'm not sure why myself, actually.
In the end, we just bit the bullet and bought ourselves one from Entrust.
Starbucks, Harbuckle of Breath.
The whole point of certificates is to associate other pieces of information with a private key, like a legal name, an official company name, an address and location, the domain name... the CA isn't just supposed to sign certs that associates those types of information at random, they're supposed to make sure that the information in the certificate they sign reflects the actual entity which holds the private key. Well that's what a CA is supposed to do in theory at least....
If the CA is just signing everything that gets sent to them or simply not including enough identifying information as in your idea then there is no point in the CA's existance... I can't use the certificates they sign to help get an idea of who I'm talking to...
they do nothing. For once, if the government had a CA authority and actually issue SSLs to companies that are registered with them, it would help. When you register for DBA (Doing Business As) or file articles of incorporation, they should be the ones to issue the certificates as they are the most qualified to judge authenticity and do ID checks. Isn't that the reason why we file these things with the government and NOT Verisign?
/ personal/index.html
This is the one place the government DOES need to be a part of, and yet they do not. Government in all the wrong places.... go figures.
Or when people WANT to be verified online, then the government should be the ones issuing the certificates. When a person say they are Joe Smith, which type of ID do you believe more? An ID issued by some company or a government issued driver's license/ID?
The government actually should have a Certification Authority freely (or some nominal fee) available to its citizens.
See, proper government involvement: http://www.hongkongpost.gov.hk/product/ecert/type
SSL is not working with shared hosting.
You need a dedicated server with a separate IP address to realistically use SSL.
Why? With shared hosting, the virtual host is selected based on the Host: header of the HTTP request. But the request is sent over the SSL connection!
So the sequence is:
1. establish secure connection based on certificate (which is attached to sitename)
2. send request over secure connection
But in shared hosting the situation is:
1. connect to shared host
2. decide which site to serve based on hostname sent with request
Unfortunately, those two sequences are conflicting.
We've had free certificates (OCES, SSL, whatever) here in Denmark for years. It's a project initiated by the government and the largest telecom here, TDC.
We can even use it to pay our taxes! Yay!
According to this article on heise.de, StartCom generates the SSL certificate you order on their server, sign it, and send it to you.
How do I know that they don't keep a copy of the cert for their own use? They could impersonate my server any time with this.
"Oh, a lesson in not changing history from Mr I'm-my-own-Grandpa." - Dr Hubert Farnsworth
To answer my own post, after reading thru their site, it apepars that no, they are an unknown root. Chicken-and-egg. Until they get their CA auth in the major browsers, no one will be able to use certs from them for anything the public will be accessing. And until lots of people are using them, they wont be able to get in the browsers.
Also, they don't seem to permit you to provide your own CSR, which as someone else noted somewhat vaguley, is a MAJOR security problem. A cert signer should *never* have access to your private key - you make the key on your system, use it to make a CSR, then they sign the CSR. The resulting signed cert is only then usable if you have both it and the private key.
What nobody realizes is that certificates only actually solve a very small problem. They prove that a person is who they say they are. It's like picking up a hitchhiker because they've shown you their driver's license. The fact that they can prove who the are says nothing about the safety of actually letting the person into your car. Certificates provide a false sense of security, but making people think it's ok to install such-and-such active-x control, because it's signed. It doesn't matter if you can track down the person who created it once your data is all gone. Tracking the person down isn't going to get your data back.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.