Weblog entry #209 for Steve

New SSL certificate
Posted by Steve on Mon 29 Jun 2009 at 19:03

I've just been informed that the SSL certificate on this site had expired - so I've regenerated another one.

The certificate is still self-signed because nobody is throwing money at me, and I in turn don't want to throw money at VeriSign ;)

You can verify the fingerprint by following these instructions:
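The following is an added example, not part of the original post and not the site's own instructions: one way to compare a self-signed certificate's fingerprint against a value obtained separately. The function names, the host argument and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Digest length in bytes -> hash algorithm of the published fingerprint.
ALGO_BY_DIGEST_LEN = {20: "sha1", 32: "sha256"}


def parse_fingerprint(text):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return (algorithm, digest)."""
    raw = bytes.fromhex(text.strip().replace(":", ""))  # ValueError if not hex
    if len(raw) not in ALGO_BY_DIGEST_LEN:
        raise ValueError("expected a SHA-1 or SHA-256 fingerprint")
    return ALGO_BY_DIGEST_LEN[len(raw)], raw


def cert_matches(der_cert, published):
    """Compare the certificate's digest with the published fingerprint."""
    algo, expected = parse_fingerprint(published)
    actual = hashlib.new(algo, der_cert).digest()
    return hmac.compare_digest(actual, expected)


def fetch_der_cert(host, port=443, timeout=10):
    """Fetch the certificate with chain validation off (it is self-signed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_site(host, published, port=443):
    """True only if the live certificate matches the published fingerprint.
    The fingerprint must come from a channel other than this connection."""
    return cert_matches(fetch_der_cert(host, port), published)


# Constructed bytes standing in for a DER certificate, so this runs offline.
SAMPLE_DER = b"constructed-sample-certificate-bytes"
SAMPLE_PUBLISHED = ":".join(
    f"{b:02X}" for b in hashlib.sha256(SAMPLE_DER).digest())

if __name__ == "__main__":
    print(cert_matches(SAMPLE_DER, SAMPLE_PUBLISHED))         # matching pin
    print(cert_matches(SAMPLE_DER + b"!", SAMPLE_PUBLISHED))  # swapped cert
```
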

 

Comments on this Entry

Posted by Anonymous (84.245.xx.xx) on Mon 29 Jun 2009 at 19:46
In that case, please consider using a cacert.org certificate, which is free.

Posted by Steve (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Mon 29 Jun 2009 at 19:49
Unless or until they are trusted by a wide range of browsers CACert.org offers no appreciable benefit over the self-signed certificate in place here.

Steve

Posted by Anonymous (87.177.xx.xx) on Mon 29 Jun 2009 at 20:53
Yes it does offer a benefit.
First the CAcert root certificate is included in some browsers by default.
Second some people (especially potential visitors of this site) have added root certificates manually to their browser, so that all certs signed by them are trusted. That's better than having to check and verify each cert separately because they are all self signed...

At work we don't use certificates signed by VeriSign or other bandits either, but still all certs are signed by a CA. That way users only have to add and trust one single cert, and not dozens of each and every service.

Posted by Anonymous (24.130.xx.xx) on Sun 5 Jul 2009 at 00:36
IMO you are making a grave usability mistake here. Do not confuse convenience with security; sometimes security improves convenience but sometimes convenience leads people to make bad security decisions. By having the CACert root trusted by default you ensure that no one thinks twice about submitting sensitive information - that's bad design. BTW Does Mozilla include the CACert root by default? How about Microsoft? Opera? Google? Think all those folks are in bed with all the commercial CAs? With all due respect to the kind folks at CACert... it takes effort to do authentication and while some commercial CAs are lame and should not be in anyone's trusted root list that doesn't justify adding to the problem IMO.
cheers

Posted by Anonymous (217.91.xx.xx) on Tue 7 Jul 2009 at 08:36
How does using certificate authorities, regardless if it's CAcert or anything else, trade security for convenience? IMHO the opposite is true: The major reason why *self signed* certificates are used is convenience, it's just much easier than using a CA.
Both PKI and WOT rely on signing other certificates for authentication, and not having lots of totally unrelated certificates, each of them signed by itself. How should a user verify the authenticity of the websites he visits in such a world? By manually comparing the fingerprint of every certificate he stumbles upon? Hardly anyone is going to do this, either you blindly click OK or your web browser makes you jump through so many loops to accept an unknown certificate, that you eventually give up completely and visit the website over HTTP without any authentication or encryption.
And by the way, https://my.site is not a very trustworthy place to publish the fingerprint of the certificate for https://my.site, thinking of MITM attacks, but you can hardly find a better solution for self-signed certificates... They are convenient, but not secure.

And about the browser vendors: Yes I do think that they are in bed with commercial CAs. To be included in the default certificate list you usually need to undergo an audit, performed by a third party company named by the browser vendor. This auditor then charges a lot of money for his "service", so the equation is like: You don't have a lot of money, you are not trustworthy.
Or when you look at the freshly introduced EV certificates: No one would pay even more money than for a normal certificate, just to have some additional fields added to it. But because the EV certificates are displayed so prominently in browsers, it gives commercial CAs the possibility to actually sell them at much higher prices. And I bet in some years, the browser vendors will deprecate normal certificates in one way or the other. Already with Firefox 3.0 a site using a non-EV certificate only had the background of its favicon colored blue. Besides the "https" at the beginning of the URL, this is the only sign that you're on a secure site. Of course a favicon with a blue background can be used everywhere, so to show your visitors a really visible sign you already have to buy an EV certificate now.

Posted by ramam (24.6.xx.xx) on Fri 24 Jul 2009 at 04:13
So you believe the good people at Mozilla are corrupt and the kind folks at Mozilla Security are idiots? C'mon you can't be that angry. I'll spare you the metaphysical lecture about imperfections in reality.

The short version is that there are very few viable approaches to introductions and they all compromise on something. You more or less have to trade off between price, quality and convenience. A few things to mull:
- If a server cert is trusted the first time it is seen you might as well not use certs; on the other hand do you really want to visit your bank 100 times over 2 years before you trust the site enough to log in? You can address this with WOT but those are corruptible too (make it worth a million dollars and it will dwarf SPAM as a problem)
- If a CA cert signs a cert that needs to be revoked they need to be able to distribute revocation information. CRLs work for CAs that don't sign much but they suck for CAs that are used a lot so you need OCSP. The other day VeriSign PR announced one billion OCSP transactions a day serviced. I bet that hurts their bottom line but it definitely adds security value.
- If a CA issues certs to anyone who asks (i.e. without performing effective checks first) they will surely make a lot of mistakes and that will make it easy to corrupt the process rendering their certs useless
- If a CA is trusted without some sort of third party audit then you might as well not use certs since this becomes the weak point.

I hope my response is illustrative - it is by no means complete but should help paint the picture. There has been tons and tons of discussion on this topic over on the Mozilla security newsgroups among other places; if you really want to bone up a bit head on over there and read some of the meaty stuff.
kindly

Posted by rjc (85.12.xx.xx) on Tue 7 Jul 2009 at 09:09
CACert root certificate is included in Debian by default. If Debian can trust them to include it in the distro, so can I. Besides, this is a site created by Debian users for Debian users, isn't it?

rjc

Posted by Anonymous (24.6.xx.xx) on Fri 24 Jul 2009 at 00:56
Err - giving out copies of a root (or any) certificate [i.e. file] is no biggie - actually a good idea if you use it right - and to be clear Debian no more trusts the CACert root than they trust `cat favorite_3rd_party_package_name`.

My comment was more related to the idea of configuring it as trusted out of the box [which no one does, not Debian, not other FSF stuff, nothing Mozilla related, etc]... which would be a mistake both from a security-risk perspective and also a liability-risk perspective; I was addressing the former risk.
kindly,
ram

Posted by Anonymous (24.130.xx.xx) on Sun 5 Jul 2009 at 00:40
By the by, the folks running CACert have *withdrawn* their request for inclusion in Mozilla temporarily.

https://bugzilla.mozilla.org/show_bug.cgi?id=215243#c158

Posted by Anonymous (71.201.xx.xx) on Sun 21 Aug 2011 at 01:45
You could try a certificate from StartSSL.

Posted by mario (201.208.xx.xx) on Mon 7 May 2012 at 03:31
Signed till 3/2012, did it expire?

Posted by Steve (90.220.xx.xx) on Mon 7 May 2012 at 06:53
Yes it did, and I've regenerated it now. Thanks.

The verification page has been updated.

Steve

Posted by Lennie (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Sat 25 Aug 2012 at 15:17
Your SSL certificate has expired again.

If you don't want to spend any money on it (which I fully understand!).

I suggest using StartSSL this time, you'll even get a reminder email before it expires.

Posted by Steve (90.193.xx.xx) on Sat 25 Aug 2012 at 15:28
I've updated the certificate, and the verification page.

I've not really changed my opinion on StartSSL over the last year, so I've left it as-is. But I will be more careful about reminding myself about expiration in the future.

Steve

Posted by Lennie (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Sat 25 Aug 2012 at 15:43
I wasn't aware about your opinion on StartSSL (still do not know what it is).

Anyway I've added it to Firefox servers-tab for now.

Judging by how long it took for someone to report it, I doubt it is a big issue anyway ;-)
