Choosing an SSL CA?
zentigger asks: "I am looking at renewing some SSL certificates and checking out the various vendors. It seems that just about every major CA has some reason for not using them. Verisign is just evil, Thawte is owned by Verisign, Geocerts has a bad habit of spamming, and Godaddy uses a stupid chained cert that doesn't work for some appliances we have (and they won't let me check out using Firefox). I realize that I could just use a self-signed certificate, but we have too many stupid users that get all confused and whiny when something pops up and asks them unexpected questions. So I put it to you, Slashdot: what CAs do you recommend and why?"
Verisign is the choice since they are the most well known.
Simple: if your customers can't shop on your site because there is some problem with the SSL, they will simply go somewhere else. They won't care about Verisign being evil, they won't care how doing business with them is wrong, they won't care what excuses you could give them. They simply will go somewhere else.
You are in the business of selling, not in the business of being moral and trying to explain it to someone else who may not agree with you. Most non-computer-geek types could give a fuck less on why you think Verisign is evil.
Linux or Death!
Of course, SSL does not prevent and was never intended to prevent spamming and phishing; it foils sniffing (which generally doesn't happen anyway).
That is probably because it wasn't really a question, more sort of a flame against the idea of Certificate Authorities with some unoriginal gratuitous insults thrown in.
Without knowing what he wants to do with the certificate it is impossible to answer the question. If he just wants to connect up to his POP3 server via SSL then self-signed is fine. If on the other hand he is setting up the online banking service for a money center bank he probably wants something that offers a somewhat higher degree of assurance.
Until recently there has been no differentiation as far as the user is concerned. That changes with Extended Validation in IE7 and the coming versions of Firefox.
The point of a certificate is that it should say who you are. If this does not matter in your application, fine. If it does matter then get a cert that provides the necessary level of assurance for your app.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Wasn't this article previously posted weeks ago? Same answer as then: forget the CA, sign it yourself and make the required user OK of the resulting certificate part of the documented process for accessing your content. The CA system as implemented is just a bit of high tech profiteering. As far back as the 90s they were charging outrageous repeating fees -- and not really doing anything for the money, as the cases of CAs issued to fraudulent companies proved.
One thing that I forgot to say in my previous post... there is NO way that a MITM can break the SSL connection once it has been created. So a phisher would need to recreate the entire web presence in a capture site, and be sure that the mark can only reach his site. In Real Life (TM) a MITM is very rare, and if your data is that important that someone would crack a router and examine its traffic to gain the connection in real time, you really, really should be using private key encryption, or at least a self-signed cert.
The grass is only greener, if you don't take care of your own lawn.