Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] free SSL certs from the EFF



> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> bounces+blu=nedharvey.com at blu.org] On Behalf Of Tom Metro
> 
> We sort of already have this today with StartCom (StartSSL), but they
> have limitations on their free offering. No wildcard certs, and if the
> host name even sounds like a site that might sell things (e-commerce),
> they won't issue a cert.

Huh?  I use them for numerous companies, including e-commerce.  Where'd you hear that?  I'd like to know if it's completely bunk, or if I've been accidentally slipping through the cracks all these years.


> But EFF isn't stopping with merely making the certs free. You still have
> to jump though a few hoops with StartCom, and it sounds like EFF wants
> to add more automation to the issuing process to make it faster/trivial
> to add SSL to a site.

I think when you say you have to jump through a few hoops with startssl, you just mean you have to receive the validation email(s) and either figure out how to generate your own CSR, or trust them to generate the private key for you.  And then you download the cert and install it into apache (or whatever.)  Whereas these guys have the tool that basically automates all that process.  They say it takes 1-3 hours.  For me, it takes about 10 minutes, but maybe I'm just good at it.  They say their goal is 15-30 seconds, which is unrealistic.  Notice they didn't prompt for the name, locality, unit, country, or anything?  Didn't prompt to accept usage terms.  You can't even enter that stuff in 15-30 seconds.  They show people puzzling over openssl commands, not clicking the "generate CSR for me" button on the CA's website.  

Don't get me wrong - it looks cool - but they are overselling it, deceptively.

(Side note)  Historically, I've always thought, you need to generate your own CSR in order to keep your private key private.  But more recently I'm thinking, This is the CA we're talking about.  So what if they have the private key.  If they're going to attack you, you're screwed even if they don't have the private key - because they can perform a validated MITM attack, which is only a little more hassle for them.  (End Side Note)

It looks like the main value they're talking about in that article is the ACME automated process for identity validation (... and automated installation).  I wonder if existing CA's like startssl would be unable to easily adopt a new automated process like that, because of the fact that they're a CA they must stick to their existing documented processes.

I'm also going to say - These EFF guys are a "new CA" which means they're going to face the same problem that startssl faced in terms of adoption.  Sure, everybody including Honest Achmed can become a CA for Mozilla and Apple, which will take effect almost immediately.  And getting into Microsoft might not even be that difficult - But the only way the new CA becomes globally trusted is for all the clients to receive updates afterward, and you know how good people are about updating everything...

The majority of users, on every platform, resist updates.  Wait to see what people say about the new iOS before applying...  Refuse to update OSX because OSX can't get viruses *sic*.  Android, barely ever updated.  Even windows, which IMHO does the best job of nagging the users, very often fails to get updated...

(If you haven't seen it before, read about Honest Achmed:  https://bugzilla.mozilla.org/show_bug.cgi?id=647959
Slightly racist, but not intentionally, and makes a good point.)



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org