Home page logo
/

nanog logo nanog mailing list archives

Re: SSL Certificates
From: Jeroen Massar <jeroen () unfix org>
Date: Thu, 16 Feb 2012 17:21:33 +0100

On 2012-02-16 17:13 , Christopher Morrow wrote:
On Thu, Feb 16, 2012 at 8:33 AM, John R. Levine <johnl () iecc com> wrote:
I suppose if you buy a SSL certificate,  you should be looking for
your CA to have insurance to reimburse the cost of the certificate
should that happen,   and an ironclad   "refund"  clause in the
agreement/contract  under which a SSL cert is issued


These certs cost $9.00.  You're not going to get much of an insurance policy
at that price.

again, startssl.com - free. why pay? it's (as you say) not actually
buying you anything except random bits anyway... if you can get them
for free, why would you not do that?

Because they do not have a wildcard one for 'free', which is useful when
one wants to serve eg example.com but als www.example.com from the same
location along with other variants of the hostname. Except for that, it
is a rather great offer. Though one can of course just serve the
example.com one and force people after they accept to the main site.

I tend to stick CAcert ones on hosts and tell people to either just
accept that single cert and store it for future checks or just install
the CAcert root cert, that covers a lot of hosts in one go, given of
course that one trusts what CAcert is doing, but that goes for anything.

The method that Firefox is using with the unchained certificates "save
this unverified cert and as long as it is the same it is great" is in
that respect similar to SSH hostkeys, one can verify those offline and
just keep on using them as as long as that cert is the same you are
likely talking to the same host (ssl etc still don't cover compromised
hosts).

In the end, they are just bits, and this whole verification thing at the
verification of owner adds nothing except for an ease-of-use factor for
the non-techy folks on the Internet.

Greets,
 Jeroen


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]