Author

Topic: Free SSL certificates (Read 4671 times)

member
Activity: 69
Merit: 10
April 28, 2011, 01:57:13 PM
#18
I can see why many would suggest getting a root CA to issue your websites certification because to the average user it looks much more legitimate and secure.  However, there are major problems with the CA system and that is why I think people create their own certificates.  I am still learning about these issues but I found this podcast to be very helpful: http://agoristradio.com/?p=255

That being said, does anyone know if there is a Bitcoin CA Certificate floating around out there?  Or is there a signed gpg certificate that I could use with monkeysphere?
hero member
Activity: 540
Merit: 500
April 28, 2011, 09:50:14 AM
#17
Not really usefull for you, but for other people, go to this web page and click on "Root Certificate (PEM Format)". Firefox will propose you to add the certificate, check "allow for web site" (or somethin like that). That's all Smiley
=> http://www.cacert.org/index.php?id=3


ps : it works without this on Debian and iceweasel (custom debian firefox).
hero member
Activity: 644
Merit: 503
April 23, 2011, 11:27:15 AM
#16
Indeed, CaCert certificate is not added everywhere (but they should be in your ubuntu (/etc/ssl/certs/cacert.org.pem), so Chromium use their own embed certificates).
Yeah, I'd checked /etc/ssl/certs and seen cacerts so I assumed it was "just" a Chromium issue. However... I've just tried in Firefox and that's exhibiting the same behaviour.

I stress that this isn't a problem for me - I understand what's going on, and if I was so inclined I could fix it. Rather, it's a problem for non-technical users. For that reason I'd prefer Vladimir's approach to the cacert approach - at least for now, until browsers/distros catch up.
hero member
Activity: 540
Merit: 500
April 23, 2011, 11:19:42 AM
#15
Indeed, CaCert certificate is not added everywhere (but they should be in your ubuntu (/etc/ssl/certs/cacert.org.pem), so Chromium use their own embed certificates).
hero member
Activity: 644
Merit: 503
April 23, 2011, 07:23:48 AM
#14
Or register on CaCert : https://www.cacert.org/
I get an SSL error with cacert: both their own site and bitcoin-contact.org. This is on Chrome[ium] and Ubuntu. I realise there are ways round this, but as I understand it Vladimir's process avoids this entirely.
legendary
Activity: 1658
Merit: 1001
April 23, 2011, 07:07:36 AM
#13
I'm a happy user of the perspectives system, works like a charm, although I think there should be many more notaries.
hero member
Activity: 540
Merit: 500
April 23, 2011, 07:02:34 AM
#12
Or register on CaCert : https://www.cacert.org/
member
Activity: 120
Merit: 10
yes.
February 24, 2011, 08:26:52 AM
#11
thanks for the tip vladimir.

sent my whole bitcoin balance over to you right now Cheesy
hero member
Activity: 588
Merit: 500
February 22, 2011, 02:50:56 PM
#10
So, sites have no requirement in signing their new certificates with their old ones then... if a site changes a certificate about to expire, the extension will have no way to determine whether it's an authentic change or not, right?

No, there's no way to be 100% sure that the change is authentic. The addon does tell you that the old certificate was about to expire, which is the most common case for replacing a certificate.

The Certificate Patrol web site is full of more good info, including a link to an appliance which automates MITM attacks for "law enforcement".
legendary
Activity: 1106
Merit: 1004
February 22, 2011, 02:45:49 PM
#9
Thank you for pointing me to this extension. I really thought that was a default behavior of all SSL clients.

So, sites have no requirement in signing their new certificates with their old ones then... if a site changes a certificate about to expire, the extension will have no way to determine whether it's an authentic change or not, right?
administrator
Activity: 5222
Merit: 13032
February 22, 2011, 02:26:10 PM
#8
I also use Certificate Patrol, and I removed many CAs from my certificate store. (Firefox does some buggy things after you remove CAs, though.) I wish the whole system would be replaced. The best idea I've heard is to store the cert in DNS; once DNSSEC is enabled, this will be pretty secure.
hero member
Activity: 588
Merit: 500
February 22, 2011, 02:19:12 PM
#7
By the way, I thought browsers would display a warning if suddenly the certificate for the site I'm used to visit changed...

Unfortunately they do not. I use the Certificate Patrol Firefox addon to tell me when a site's certificate changes.
legendary
Activity: 1106
Merit: 1004
February 22, 2011, 02:11:20 PM
#6
When the government really wants to intercept SSL, what they do is they get a certificate provider to issue them a certificate in the domain's name, and then they just perform a man-in-the-middle attack, decrypting the traffic and re-encrypting it on its way to the destination.  (Note, they can't decrypt the traffic mid-stream - BUT with a forged cert they could put up a fake server, get you to connect to it, and that's what I'm referring to here)

The EFF says, there are enough SSL CA providers out there that the government doesn't need to wring yours - they only need one to sell out and issue a cert.

Damn... is there evidence that this has ever happened before?

By the way, I thought browsers would display a warning if suddenly the certificate for the site I'm used to visit changed...
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
February 22, 2011, 12:44:11 PM
#5
As far as I know with a self signed cert it should be impossible for a government to snoop.Or at least much more difficult.
If a government is prepared to seize a certificate from the signing company, why wouldn't they just demand root access from the server's host?
[/quote]

According to the talk given at DefCon 18 titled "An Observatory for the SSLiverse" given by an EFF staffer:

When the government really wants to intercept SSL, what they do is they get a certificate provider to issue them a certificate in the domain's name, and then they just perform a man-in-the-middle attack, decrypting the traffic and re-encrypting it on its way to the destination.  (Note, they can't decrypt the traffic mid-stream - BUT with a forged cert they could put up a fake server, get you to connect to it, and that's what I'm referring to here)

The EFF says, there are enough SSL CA providers out there that the government doesn't need to wring yours - they only need one to sell out and issue a cert.

Regardless, a self-signed certificate doesn't protect against this, except perhaps unless users remove all the built-in trusted certificates from their web browser, and then install the self-signed cert as the only trusted root (pretty unlikely anybody is going to do this, since they'll get SSL errors all over the entire internet).

vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
February 22, 2011, 12:32:55 PM
#4
It also allows the signing company to give certificate details to a government agency so that they can snoop on encrypted communications.

As far as I know with a self signed cert it should be impossible for a government to snoop.Or at least much more difficult.

That is not how SSL works.

When you request an SSL certificate, YOU generate the keypair on your own computer (web server).  They only sign the public key, they never get the private key.  All major web server software works this way.  So, it is impossible for them to divulge anything to the government.
newbie
Activity: 55
Merit: 0
February 22, 2011, 12:09:22 PM
#3
It also allows the signing company to give certificate details to a government agency so that they can snoop on encrypted communications.

As far as I know with a self signed cert it should be impossible for a government to snoop.Or at least much more difficult.
If a government is prepared to seize a certificate from the signing company, why wouldn't they just demand root access from the server's host?
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
February 22, 2011, 11:56:01 AM
#2
It also allows the signing company to give certificate details to a government agency so that they can snoop on encrypted communications.

As far as I know with a self signed cert it should be impossible for a government to snoop.Or at least much more difficult.
newbie
Activity: 55
Merit: 0
February 22, 2011, 11:02:18 AM
#1
Those of you running sites with self-signed certs should look into https://www.startssl.com/. Free SSL certificates valid for 1 year, renewable every year without charge.

They aren't accepted by mobile devices, but Windows, Mac OS X, and Firefox and Opera accept them, so it's far better than throwing an ugly security warning from a self-signed cert.
(IE, Safari, and Chrome use the OS' certificates)

See also https://secure.wikimedia.org/wikipedia/en/wiki/StartCom
Jump to: