
BLU Discuss list archive



[Discuss] Who sells the least expensive SSL certs right now?



I think you're missing the point. More quotes from the bugzilla discussion:


> The problem is not them charging for revocations. If someone has lost their key
> or got hacked, okay fine. Their own fault.
>
> The problem is that thanks to Heartbleed we now have potentially leaked private
> keys (leaked due to circumstances outside of the control of anyone) and thus
> insecure sites.
>
> Now with StartSSL charging for every single revoked certificate they are
> encouraging people to "eh, the chance my key got leaked is so low, I'll just stay
> with my old certificate" thinking and behaviour.
>
> This is actively compromising the security of SSL and consumers (no one I know
> checks the SSL vendor on certificates of sites they visit if there's the lock icon and
> it says it is trustworthy). Therefore customers and site users expose themselves to
> potential security risks while the browser ensures them they are communicating
> securely with the website.


and another:

> Spreading **** certificates all over the place for free and then forcing people to
> pay for the revocation of those certificates is certainly not doing any good for
> security. I can't see any reason why startssl.com should be in the truststore while
> cacert.org (which do not charge for revocation nor for anything else) are denied
> the same status.


Now granted, these arguments are about whether startssl should be in the
firefox keystore, not about whether Bill should consider using startssl's free
tier. But I disagree that the arguments are weak.


On Mon, Dec 22, 2014 at 10:55 AM, Edward Ned Harvey (blu) <blu at nedharvey.com>
wrote:
>
> > From: John Abreau [mailto:abreauj at gmail.com]
> >
> > As for StartSSL, a quick google search turns up some disturbing issues
> > with it.
>
> Bah. That's a weak argument. There is nothing secret about charging for
> revocation, and I don't expect any other CAs to reissue certs for free
> either.




--
John Abreau / Executive Director, Boston Linux & Unix
Email: abreauj at gmail.com / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6


