Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security IT

Free SSL Certificate Project 374

An anonymous reader writes "Do you have a website or run even a web server and want to secure the traffic between your visitors browser and the web site? Did you find out, that in order to make your site SSL aware, you'll need a SSL (Secure Sockets Layer) certificate? Are you also surprised to find out that such a certificate can cost you up to a few hundred dollars, valid for one year only? For what, you might ask yourself? Linuxlookup.com is running a small article on free SSL certificates."
This discussion has been archived. No new comments can be posted.

Free SSL Certificate Project

Comments Filter:
  • sweet (Score:2, Interesting)

    by lakerdonald ( 825553 )
    Sweet! I've never liked the idea of forking over money so that your site is deemed secure.
    • by turnstyle ( 588788 ) on Wednesday February 23, 2005 @08:18PM (#11761604) Homepage
      hmm, it seems maybe they should have written about MySQL Connections... ;)
    • Re:sweet (Score:5, Informative)

      by flakac ( 307921 ) on Thursday February 24, 2005 @04:11AM (#11764639)
      If you don't feel like forking over money, download OpenSSL and generate your own certs. Here's a good how-to [pseudonym.org] if you're interested. But if you go this route, your users will either have to install your root certificate into their browser's trusted store (I don't recommend this, but hey, it's your computer), or they'll have to click through an annoying dialog warning that the certificate is not trusted.

      What you're paying for when you buy a certificate is not so much the certificate itself, but for the processes surrounding the issuing of said certificate. When getting a certificate, you must prove to the registration authority that you are who you are, and that you have the legal right to obtain a certificate for your organization. Only after this verification has taken place will you be issued a certificate from a trusted authority. But your users can examine the certificate's chain of trust, and verify who they're talking to. Impossible to do with a self-signed or otherwise untrusted certificate.
  • Well.... (Score:2, Insightful)

    by Tyler Eaves ( 344284 )
    I thought the whole point of SSL is that not just anyone could get a cert...
    • Well.. (Score:5, Insightful)

      by Anonymous Coward on Wednesday February 23, 2005 @08:06PM (#11761497)
      Anyone CAN get one! All you have to do is pay X amount of money.

      Besides, do you really trust people such as Verisign to actively control certs?
    • Re:Well.... (Score:5, Informative)

      by glwtta ( 532858 ) on Wednesday February 23, 2005 @08:11PM (#11761540) Homepage
      How does that make sense? Anyone can get one, the point is that you should be able to match up the certificate to its owner, with some degree of certainty.

      And getting one isn't the issue at all - you can generate as many as you want yourself - it's getting one that means something that's the issue.

    • Re:Well.... (Score:2, Insightful)

      by MyIS ( 834233 )

      I agree. I believe the whole point of Verisign's and others' existence is to make sure that the name/organization that shows up on the cert is actually corresponding to the person they're handing it to. And such verification costs money, or at least should take more than a simple Web form.

      The post on linuxlookup seems like a pretty corny ad for some hosting company anyway. Pfft!

      • Re:Well.... (Score:3, Insightful)

        by cbreaker ( 561297 )
        But it doesn't work like that. When verisign is signing certs for companies that call themselves "Click YES to view this web page!!!" in order to get people to install spyware, then what good is it?

        I think the SSL encryption part itself should be good enough, and all this trusted CA crap just needs to go away.
    • In theory maybe (Score:5, Informative)

      by Chuck Chunder ( 21021 ) on Wednesday February 23, 2005 @08:15PM (#11761578) Journal
      In practice the ID checks that I've seen done are fairly flimsy. And with "hundreds" of dollars being charged by big name certifying authorites there is strong motivation for them to just give you the cert (and take your money) once you've faxed them a couple of vaguely official looking signed bits of paper.

      Anyone paying "hundreds" of bucks for a certificate is being scammed though. Much cheaper ones are available from people like GoDaddy [godaddy.com]. I can't see why anyone wouldn't just go for the $29 one, your users won't notice any difference between them unless they are particularly inquisitive and enjoy poking around obscure browser dialogues.
      • I took great pleasure waving a 'hundreds of bucks' (close to thousand really) certificate around the office as 10 lines on a piece of paper. The people who choked on their coffee didn't know what 'wildcard' meant.
      • Re:In theory maybe (Score:5, Informative)

        by xWakawaka ( 187814 ) on Wednesday February 23, 2005 @09:20PM (#11762033)
        Speaking of theory... let's clarify how this works.

        Generating a certificate/key-pair is trivial. You can do it yourself for free or have a 3rd party do it free or at mild to great expense.

        In theory, a certificate is only useful in verifying the identity of a resource (server authentication of a web server in this case) so long as you trust the issuing authority, and therefore you take it on the issuing authority's word (cert is signed with the authority's private key) that the server at the end of https://companyA.com really belongs to companyA. You trust the issuing authority to have verified this fact for you. That's all server authentication consists of.

        In theory, then, the critical question is 'what certificate authorities do you trust to make that kind of verification on your behalf?'

        In general practice, however, all this boils down to is 'what certificate authorities are shipped as "trusted" on an out of the box install of the dominant platform/browser?' This, of course, includes Verisign, Thawte, and serveral others that have gone through both a PKI practices certification process and what must surely be an expensive business relationship with Microsoft.

        So, as a server administrator, you either pay up for a cert from one of these widely "trusted" authorities, or explain to your users wy they should either import your CA as a trusted root, or otherwise deal with the warning messages that the browser will issue if your cert comes from anyone "untrusted", including yourself.

        And, as has been alluded to, one you are past the server authentication usage of the PKI, the session key exchange for bulk encryption (SSL) can be handled equally well by any technically correct certificate/key-pair, regardless of the trust chain.
    • Anyone can get a certificate, its just that it won't necesseraly be signed by someone thats implicitly trusted by your browser. (or whatever else your ssl-ing).
      Self-signed certificates are definarly not new, you can do this with openssl on linux in about a handfull of commands [redhat.com] or in windows on IIS [xenocafe.com] (using the tool on page 2).
    • by Mr. Underbridge ( 666784 ) on Wednesday February 23, 2005 @08:21PM (#11761620)
      I thought the whole point of SSL is that not just anyone could get a cert...

      Having an internet presence is critical to running a successful business venture. Also, the creation of a truly international digital economy necessitates the development of a trusted method of identity establishment. Especially in these days of questionable computer security and the impossibility of ascertaining identity from IP. Reliable certification is vital to the development of the internet economy.

      However, the centralization of certification among a few organizations and their cost is shutting out smaller enterprises that don't have access to the fees or technology required. In effect, this institutes a kind of "information segregation" or isolationism that has the effect of a barrier to poorer nations - such as Nigeria or Rwanda - to the internet commerce that is so critical to the economy of the future.

      As such, I believe the best scenario is free certification provided by ICANN that can certify pages from poorer nations, so they can compete on an even playing field with the wealthier nations. Giving out free certifications - one per IP address at least - is the best way to accomplish this, and will allow for confident and secure transmission of funds and information.

      • by lukewarmfusion ( 726141 ) on Wednesday February 23, 2005 @08:32PM (#11761689) Homepage Journal
        1. Getting an SSL certificate can require that you fax a copy of your articles of incorporation, public contact information, etc. Someone ends up doing some legwork to ensure that you are who you say you are and that you can be tracked down in the event that there is a complaint.

        2. Virtual hosts often share a single IP among many websites. You can't just authorize a name; SSL requires (from my understanding) a unique IP. That would make the IPv4 system even more strained.

        3. Certification pricing is partly based on trust. Anyone can generate a free certificate. But it won't work with every system because it wasn't created by a "trusted provider."

        If you can't afford a $200US/year fee for conducting "secure" business online, I probably wouldn't want to do business with you anyway.
        • $200 a year my ass...

          $35/year, 99% installed browser base [fsnhosting.com]
        • by XorNand ( 517466 ) on Wednesday February 23, 2005 @09:11PM (#11761982)
          2. Virtual hosts often share a single IP among many websites. You can't just authorize a name; SSL requires (from my understanding) a unique IP. That would make the IPv4 system even more strained.
          SSL doesn't require a unique IP. The problem is that you can't use SSL with host headers, which is the trick that allows multiple websites to resolve to the same IP. Normally HTTP just serves back whatever content is on port 80 when a browser requests a connection. With HTTP/1.1 host headers were introduced which allowed the client to request a specfic hostname at that IP addresses, in effect allowing you to run multiple domains on a single IP address. This is was is incompatible with SSL.
        • by ip_fired ( 730445 ) on Wednesday February 23, 2005 @09:30PM (#11762086) Homepage
          2. Virtual hosts often share a single IP among many websites. You can't just authorize a name; SSL requires (from my understanding) a unique IP. That would make the IPv4 system even more strained.

          This is the case if you want to use the default HTTPS port (443) since the hostname is encrypted. However, you can use your certificate on other ports. Just have your webserver listen to port 4443, and then in your links, just put https://yourhost.com:4443/ and it works great.

          When I was running a small webhost business, instead of getting a new IP for each cert, I'd just put them on different ports.

          Also, the IPv4 system isn't as strained as it used to be. With NAT, and creative netmasks, they have been able to spread out the IPs more efficiently. I wish it *were* more strained, because then they might be forced to actually switch over to IPv6.
          • This is the case if you want to use the default HTTPS port (443) since the hostname is encrypted.

            More to the point, the certificate exchange identifying the server happens before you ever get to send the HTTP headers. You can only serve one SSL certificate on each port.

            The protocol could be extended to support this, e.g.:

            Client: connect SSL
            Server: hi, I'm www.site1.com
            Client: OK, that cert checks out, but I wanted www.site2.com
            Server: OK, here's the www.site2.com cert
            Client: OK

            but it doesn't currently.
        • I work as a sysadmin for an unnamed credit-card processor, and when I first interviewed for the job, one of the things my boss mentioned is that people will look for the Verisign logo. Yes, the same people that don't see the 'Help' link right in front of their faces get antsy if the processing website (i.e. us) doesn't have a verisign logo, regardless of whether the connection is encrypted or not (and it is - even going to our homepage redirects to an HTTPS URL, we encrypt everything).
      • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Wednesday February 23, 2005 @08:52PM (#11761830)
        Having an internet presence is critical to running a successful business venture...creation of a truly international digital economy necessitates the development... Especially in these days of questionable computer security and the impossibility of ascertaining...
        Dude, wash your mouth out with soap, the marketing speak is vile.
      • Which is why I think the post office should get into the SSL cert business.
        • The UK post office had plans a few years back to issue everyone in the UK with a digital signature. Not sure what happened to that idea.

          I would rather see encryption integrated into the DNS network. The root DNS servers are already trusted - their IP addresses are distributed with any DNS cache software. It wouldn't be too hard to also distribute their public key. Each DNS lookup could then request a signature as well as an address. Every time authority was delegated to another server, the SOA recor

        • Actually I think that the banks ought to go into the cert. business, at least for their depositors, and demand client cert.s when establishing secure sessions for online banking. They have an interest in establishing identity and keeping things secure.
    • Re:Well.... (Score:5, Insightful)

      by Best ID Ever! ( 712255 ) on Wednesday February 23, 2005 @08:46PM (#11761791)
      Well, the point of SSL is to encrypt communications. But the point of a signed certificate is to prevent impersonation. If a trusted authority allows anyone to get a certificate for any domain name, then it becomes easy to impersonate someone's site.

      I'm not sure what the point of this is, if the browsers don't have these folks listed as trusted authorities. You can already sign your own certificate and get the same effect. But if you are asking your customers/users to accept a certificate that is not signed by a trusted authority, you are leaving yourself open to being impersonated.
    • Re:Well.... (Score:3, Interesting)

      by vwjeff ( 709903 )
      I thought the whole point of SSL is that not just anyone could get a cert...

      Exactly.

      I would only support a system that had many levels of validation.

      1. You create an account and submit your site.
      2. There would be a required waiting period of 30 days.
      3. You would login to your account and request that your site be reviewed.
      4. You must submit a deposit of $10 which will be returned when your site has been approved. If your site was not approved you must login to your account and request a refund.
      5.
  • erg (Score:3, Insightful)

    by relluf ( 722817 ) on Wednesday February 23, 2005 @08:04PM (#11761479)
    Just explain to your customers why you cert isnt registered.
  • cacert.org (Score:5, Informative)

    by TypoNAM ( 695420 ) on Wednesday February 23, 2005 @08:04PM (#11761480)
    I've always used cacert.org [cacert.org] for free SSL certificate s. :)
    • Re:cacert.org (Score:2, Informative)

      by cookd ( 72933 )
      Or you can roll your own. The only problem is that the cert is signed by you, so your customer's browser can't be certain that you are who you say you are, and will therefore issue a warning to the user.

      For installing a cert on a Windows IIS server:
      Find a recent copy of the makecert tool.
      makecert -r -pe -n "CN=www.yourserver.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
      Then use the IIS management too
    • Re:cacert.org (Score:5, Informative)

      by IchBinEinPenguin ( 589252 ) on Wednesday February 23, 2005 @09:35PM (#11762115)
      This mob will run into the same problems as CaCERT: convincing browser distributeers to include their root certificate.
      (Hello Microsoft, We're a communist OpenSource project trying to educate netizens that they don't have to fork out gazzillions of dollars to big corporations use the Web. Would you mind helping us by including our root certificate with IE? Hello? Did we get cut off?)
      Without that, the cert is not much better than a self-signed one.
      • Re:cacert.org (Score:3, Informative)

        by Trejkaz ( 615352 )

        Let's see... With a CAcert certificate, a user only has to add a certificate to their browser once. With a self-signed certificate, they have to add it to their browser once for every single server, and once again every single time the server changes their certificate.

        I'd say that pays off pretty quickly.

  • Secure certs are one of the biggest ripoffs known to man. The sad fact is that they really only prove that money was able to change hands. This is way, way overdue.
  • by aussie_a ( 778472 ) on Wednesday February 23, 2005 @08:06PM (#11761493) Journal
    Are steak-knives included in the article? Here's a tip for the AC. Don't make your post sound like a cheap advert. This is a news aggregator (well, it claims to be anyway). Articles should have summaries in a manner that most respected news-sources use. Not like some used car salesman. And if this is off-topic. Sorry, but I'm discussing all that I can, the article summary. The site's down so I can't read the article itself.
    • Articles should have summaries in a manner that most respected news-sources use. Not like some used car salesman.

      Say what?! You're new here, aren't you? ;) Slashdot's summaries are almost always deliberately inflammatory and lopsided (anti-DMCA, anti-Microsoft Borgification, pro-Everything For Free Foundation ;), and usually inaccurate. Google for 'site:slashdot.org RTFA!!!'; today's blurb about Australia's regulations on kiddie porn reporting is a perfect case in point. Nothing wrong with that, jus

    • jeez, complaining about unprofessional summaries is fine, but to suggest thhey go and copy the style of news sources!? then we'd end up with the exact same BS, just formatted differently.

      if you want to encourage people to write better summaries you should point them towards abstracts found in peer-reviewed academic journals.
  • Separate (Score:5, Interesting)

    by scrotch ( 605605 ) on Wednesday February 23, 2005 @08:06PM (#11761499)
    It has always seemed strange to me that encryption via SSL and verification of your business identity were rolled into the same system.

    I've had a few situations where I wanted to encrypt html and had no need of guaranteeing my server's identity to anyone. It seems like I should be able to encrypt traffic without having to jump through hoops and spend a lot of cash. Or without having a second class certificate.

    I hope this new project succeeds.
    • Eh?

      You don't need to do anything special -- just set up SSL and issue yourself a certificate.

      Any web browser will warn strongly that the certificate is not issued by a trusted organization, but you said you don't need to prove your identity, so this should perfectly suit your needs.

      • Re:Separate (Score:5, Informative)

        by pchan- ( 118053 ) on Wednesday February 23, 2005 @08:31PM (#11761684) Journal
        Any web browser will warn strongly that the certificate is not issued by a trusted organization, but you said you don't need to prove your identity, so this should perfectly suit your needs.

        You do realize that if you can't prove your identity, your clients are vulnerable to man-in-the-middle attacks, right? How's the browser to know if it's your server they're talking to, or to someone else who signed their own cert and is impersonating you (and proxying its transactions to you, logging or modifying them along the way)? Authority signed certificates give you this ability. Self-signed certificates do not provide complete transport-layer security.

        This is not to say that the signing authority can't be free. It's about time someone did it.
    • Re:Separate (Score:3, Insightful)

      by R.Caley ( 126968 )
      It has always seemed strange to me that encryption via SSL and verification of your business identity were rolled into the same system.

      If you are worried enough to want encryption, then you should be worried about man in the middle attacks. No point telling people their credit card details or email will be encrypted if it just gets sent to a random criminal who can read it, re-encrypt it and send it on to you.

      If users can verify the identity of the far end point some other way, perhaps because they hav

  • So? (Score:5, Insightful)

    by winterdrake ( 823887 ) on Wednesday February 23, 2005 @08:06PM (#11761501)
    Like being able to self-issue a certif is new? Used some random tool that came with MS Office to do it last time I had a use for one, of course that was Office 2K or thereabouts but it's probably still there, and there are probably alot of other ways to self-issue one. The entire point of the big expensive ones is that you have a "trusted" authority validating the transaction.
    • Re:So? (Score:2, Informative)

      by Anonymous Coward
      Straight out of the help file for Office XP

      locate and double-click SelfCert.exe (usually found in the C:\Program Files\Microsoft Office\Office10 folder).
  • Free.. Free.. FREE! (Score:5, Informative)

    by humankind ( 704050 ) on Wednesday February 23, 2005 @08:09PM (#11761523) Journal
    Get OpenSSL [openssl.org] and roll your own, any time, any platform... always been that way... and this is news? Some script-kiddy-turned-public-relations-director figured this out? Good for j00. As for everyone else, nothing to see here that we don't already know.

  • by Anonymous Coward on Wednesday February 23, 2005 @08:09PM (#11761525)
    Since the linked article is dying, who knows if you'll be able to even get the link to the real article. So here's your text, AC to keep the whoring in Vegas.

    StartCom Free SSL Certificate Project

    StartCom Free SSL Certificate Project The Idea:

    Do you have a website or run even a web server and want to secure the traffic between your visitors browser and the web site? Did you find out, that in order to make your site SSL aware, you'll need a SSL (Secure Sockets Layer) certificate? Are you also surprised to find out that such a certificate can cost you up to a few hundred dollars, valid for one year only? For what, you might ask yourself?

    StartCom Ltd., the vendor and distributor of StartCom Linux Operating Systems, operates also MediaHost(TM), a hosting company specialized in DB and Java web application hosting and offers its clients SSL secured web sites with certificates signed by StartCom Ltd already for years. Here is, where the idea for this project originated: Free SSL certificates!

    How?

    Most web servers, such as Apache, IIS and others are capable of running the 128-bit secured and encrypted SSL protocol. All you need, in most cases, is a SSL certificate to make it work. StartCom is going to provide you with this certificate through a simple web based interface wizard and sign up process free of charge. Together with the installation instructions, you'll have your secured web site running within a few minutes.

    Why?

    Because we believe, that companies like Verisign, Thawte and others, just rip you off your money! Simply as that! Even the so called "Free SSL certificates" offered by some companies aren't free, but can cost you up to a US $ 100 or even more.

    More than that, lets think about, what SSL is supposed to do: Encrypt and secure the traffic between a browser and the server! Point! It is not supposed to give you the impression, that a website is trustworthy or even say anything about its identity...for this you should use your brain and common sence.* Anybody can get a SSL certificate and as such does not give any type of warranty about the intensions, or quality of products, of the website or its owners! We'll prove here, that SSL certificates can cost much less or may be even free of charge! If enough people are using our certificates and stop buying them, well, than the existence of these companies will vanish and we'll all win another piece of freedom!

    * We'll offer in the future, some sort of verified SSL certificates, but on this later...

    Where, when?

    Convinced? We build and tested this web site during February 2005, so you'll be able to get a SSL certificate for free. Use the links below to get your free certificate now! Please spread the word about this project to your friends (by having a link to our web site?). Contact us, if you want to contribute. And....spend your money on better things! There are enough good causes to support!
  • by cortana ( 588495 ) <sam@robots.orRASPg.uk minus berry> on Wednesday February 23, 2005 @08:09PM (#11761529) Homepage
    More than that, lets think about, what SSL is supposed to do: Encrypt and secure the traffic between a browser and the server! Point! It is not supposed to give you the impression, that a website is trustworthy or even say anything about its identity...for this you should use your brain and common sence.

    Common sense says, make sure the StartCom CA Certificate is not on any of my machines!

    The entire point of using certificates is so that you know that there is a certified binding between a public key and an identity. If you don't know who will recieve your encrypted information then there's no point encrypting it in the first place!

    • If you don't know who will recieve your encrypted information then there's no point encrypting it in the first place!
      Securing the data from interception and tampering is much more important than verifying the identity of the server. How many people click the padlock each and every time they visit a secured site, anyway?
    • by Beryllium Sphere(tm) ( 193358 ) on Wednesday February 23, 2005 @08:43PM (#11761775) Journal
      The entire point of using certificates is so that you know that there is a certified binding between a public key and an identity. If you don't know who will recieve your encrypted information then there's no point encrypting it in the first place!
      Yes, the cheapest and easiest attack against a public-key crypto system is to trick someone into encrypting to the wrong public key. That is the problem that certificates are supposed to solve. Nor is it just a theoretical problem, because already one "Internet marketing" company has been intercepting SSL transactions.

      For a (partial) list of the design and implementation problems that interfere with certificates actually solving the problem, check out Peter Gutman's scathing critique of X.509-based PKI [auckland.ac.nz].

  • comodo.com (Score:5, Informative)

    by Neil Blender ( 555885 ) <neilblender@gmail.com> on Wednesday February 23, 2005 @08:09PM (#11761530)
    $50 per year per certificate. I've had no problems getting them to work with all browsers. Since I can't read the article, are they giving out real authority certs? Ones that your browser won't pop up the window saying it's untrusted?

    If not, here is a recipe for free signed certificates:
    openssl genrsa -des3 -out server.key 1024
    openssl req -new -key server.key -out server.csr
    openssl genrsa -des3 -out ca.key 1024
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt

    ./sign.sh server.csr
  • Self signing (Score:2, Informative)

    by Anonymous Coward

    you can do it yourself if you want, but the user will be prompted with a scary dialog because your self-signed cert doesnt come built into the browser
    for encryption this doesnt matter but on an ecommerce site transparent http>https is essential, if a user becomes accustomed to warning dialogs they will learn to ignore them (witness activeX spyware installs)

    so signing certs is easy, signing non-prompting certs is why people pay the money

  • by Kip Winger ( 547075 ) on Wednesday February 23, 2005 @08:12PM (#11761551) Homepage
    Every tutorial I've seen on the internet with apache + mod_ssl has had tutorials on how to generate your own SSL certificate. Most newbies who have followed those step by step tutorials have even done this, since many regular apache tutorials also include mod_ssl as part of it.

    In fact, even mod_ssl has information on how to do so on the site:

    http://www.modssl.org/docs/2.6/ssl_faq.html#ToC27 [modssl.org]

  • your website is slashdotted?

    Want to run a website with secure connections? Or, want to run a website at all? Then don't publicise it on /. till you are *really* ready for the action!
  • by the talented rmg ( 812831 ) on Wednesday February 23, 2005 @08:13PM (#11761562)
    It's nice to be able to get free stuff online. I've been known to grab my share of free movies and music from time to time myself, but when it comes to things that are so critical to the security of my servers, I'm a little more careful.

    That is not to say that the particular people in the article are crooked -- I'm sure they're on the level. I'm just saying that as this kind of thing becomes popular, you can be sure some computer hackers out there will try to co-opt the good name of services like these so they can give out compromised certificates and steal information from you and your customers.

    The bottom line is: When it's free, you just never know. A thousand eyes only get you so far. This is why I tend to stick to software backed by a solid corporate history on my own production servers. It's just not worth the risk to skimp on costs when the fact is your entire business is on the line there.

    You just have to know who you're dealing with when you get into this kind of thing. Are you dealing with someone honest or are you dealing with some sort of shady basement operation that moved to Canada to avoid cryptography laws? When mission critical information is at stake, this stuff counts.
  • Woweee (Score:5, Informative)

    by TheVidiot ( 549995 ) on Wednesday February 23, 2005 @08:14PM (#11761572) Homepage

    When you finally get to the site that is offering the certs (http://cert.startcom.org/ [startcom.org]) all you find is bad grammar and certs that aren't recognized by any browser (i.e. warnings pop up). It's admirable that the site wants to issue free certificates, but you won't find many surfers willing to trust them. Also, you can create your own certs with minimal effort, and you'll end up with the same thing.

  • Why not just... (Score:3, Interesting)

    by imemyself ( 757318 ) on Wednesday February 23, 2005 @08:14PM (#11761576)
    Personally I think the government would be well suited to do this sort of thing. Maybe provide them when you get a drivers license or a business license. Its not like it takes massive amounts of money to see if you really are who you say you are. And why the expiration dates(well, of course, they're another way to screw people out of $$, but what's the certificate providers excuse/reason for them?)
    • Re:Why not just... (Score:3, Insightful)

      by bigberk ( 547360 )
      I agree with this. Ensuring economic reliability for citizens is the government's job, not the private sector's. There is a major conflict of interest when private companies (e.g. Verisign) are making a business out of selling certificates -- i.e. selling trust. Verisign wants your money; what's their motivation to make sure your paperwork is legit? Verisign regularly accepts forged business reg documents, from what I have heard.

      Let the government issue crypto certificates, I say.
  • Actually, no.

    I ask myself: "How did I get here?" And then I ask myself: "Where is that beautiful house? Where is that beautiful wife?"

  • Ummmm... Why??? (Score:4, Informative)

    by James Wells ( 831750 ) on Wednesday February 23, 2005 @08:24PM (#11761643)
    cacert.org is doing everything these guys are, and then some. cacert.org is free, but with a much higher level of personal confidence than Verisign, Thawt, or any others that I know of.
    Additionally, with cacert.org, you are able to get more than just server certs and keys.
  • SSL server certificates usually only need to assure of one thing: that the owner of the certificate is the same as the person in control of the domain. Everything else really is for the purpose of justifying the salaries of people who work with Certificate Authorities, really
    • right, and you can point people to godaddy's and check the registrant on the domain.

      If it's ShadyCorp Domains in the bahamas, then does not matter whether their cert is from an authority or not.
      Likewise if it's "Tom Trusted" in This Town and You're at tomtrusted.com, then I gather the certificate is up to snuff.
  • by fatboy ( 6851 ) * on Wednesday February 23, 2005 @08:29PM (#11761672)
    Did you find out, that in order to make your site SSL aware, you'll need a SSL (Secure Sockets Layer) certificate?

    WTF is "SSL aware"?

    I have had no problem creating and using self signed certs with SSL.
  • by galvanash ( 631838 ) on Wednesday February 23, 2005 @08:30PM (#11761678)
    Think about this for a minute... The purpose of SSL is not to secure data during transport, it is to secure data during transport AND to verify to the sender that the reciever is who they claim to be.

    Without identity verification there is NO POINT in encryption for most usages.

    The point is to make the person who is submitting their credit card number resonably secure in the knowledge that they are sending it to who they think they are. This cannot happen without identity verification.
  • Blatant ignorance (Score:5, Interesting)

    by QuantumG ( 50515 ) <qg@biodome.org> on Wednesday February 23, 2005 @08:37PM (#11761730) Homepage Journal
    Does anyone even know what a man in the middle attack is anymore? Without certificates (or with easy to aquire certificates) we don't have a way to ensure that someone isn't spying on the encrypted traffic. This service will allow me to register a certificate that looks "just like" the one you expect to get from www.usemycreditcard.com and intercept your confidential details by presenting a key signed with that certificate to your browser. This is already happening with Verisign certificates, a case of them not doing their job, and now StartCom want to make it easier? I guess it doesn't really matter as the vast majority of people are too damn stupid to examine a certificate to ensure it is correct anyways.
  • by wayne ( 1579 ) <wayne@schlitt.net> on Wednesday February 23, 2005 @08:42PM (#11761761) Homepage Journal
    Ok, I've seen lots of posts from people saying that certs are a rip off. Getting a cert from someone means that they trust you enough to accept money from you, and that is about it.

    I've also seen a lots of posts from people saying that you can generate a self-signed cert for free. The problem with these self-signed certs is that you get a pop-up from your browser warning you that the cert isn't trusted.

    It appears to me that cert.startcom.org [startcom.org] is trying to do something different: They are handing out certs with them as the root authority and giving information about how to install their cert as acceptable by your browser. If enough people do this, then major browsers will "have" to start including startcom.org's certs in their distributions. Until that happens, you still get a reduced number of cert pop-ups because many different websites will be using the same "non standard" cert authority.

    You will get all the cheapness of self-signed certs with all the security of a cert from verislime or thawte. After all, the only real security with regular certs is that the traffic between your broswer and the website is encryptied.

    • yes but unless your clients install their root certs they will still get the pop cert warning. Installing their root cert as trusted also compromises you since you have no idea what kind of unscrupulos people they are giving certs to. The trust is not in the certificate, but who is signing the certificate. If I trust verisign, then I trust anyone verisign trusts. Do you trust anyone startcom.org trusts?
  • It's about trust (Score:4, Informative)

    by js3 ( 319268 ) on Wednesday February 23, 2005 @08:49PM (#11761812)
    Anyone can make a certificate, hell you can make one yourself. The whole point of a issuing certificates is about delegating trust. Verisign, Thawte, etc are trusted. Some company that gives it out for free without any sort of checking is not.
    • Re:It's about trust (Score:4, Interesting)

      by Sloppy ( 14984 ) * on Wednesday February 23, 2005 @09:37PM (#11762122) Homepage Journal
      Verisign, Thawte, etc are trusted. Some company that gives it out for free without any sort of checking is not.
      The catch is that they aren't really trusted, or more importantly, trustable. What do you know about Verisign's internal security procedures? Do you have any idea how well they check people's ids? How many people have access to their signing key?

      Unless you work there, Verisign is just a faceless enigma. You know more about your father's brother's nephew's cousin's former roommate, than you know about Verisign.

      If a cert is signed only by Verisign (and the nature of X.509 certs is that they only have one CA) then you have to decide to either trust it completely, or trust it not at all. And if, like 99.999999% of the population, you simply have no clue as to whether or not Verisign can be trusted, best practices are to assume the worst, and the certs are effectively meaningless, whether they are signed by Verisign or by some kid in his basement.

      As it turns out, there's a better way: PGP. PGP uids can be signed by multiple entities, so if you have a clue about some signers and no clue about others, you can throw out the info that means nothing to you, and still take advantage of the info which has meaning. And even for the signatures that you're uncertain about, if you're willing to quantify how uncertain you are, then you can multiply uncertainties, based on the idea that conspiracies are hard to pull off.

      The only problem with PGP, is that use of it in concert with secure connections, hasn't really caught on. But surprisingly, the idea isn't unheard of or completely dead, either. If people ever start to take internet security really seriously, there are projects like GnuTLS [gnu.org]. It's a long way off from the mainstream, but just about everything we take for granted these days, was like that at one time. :-)

      • Re:It's about trust (Score:3, Interesting)

        by storem ( 117912 )
        Thawte and CAcert have a Web Of Trust (WOT) to deal with the trust issue. I'm a notary myself for both Thawte and CAcert and an ID of a person is not trsuted until mutiple! notaries have physically verified a person with photo ID. I take my notary job very seriously, and I think all notaries do.
      • Re:It's about trust (Score:5, Interesting)

        by jrumney ( 197329 ) on Thursday February 24, 2005 @07:30AM (#11765226)
        The catch is that they aren't really trusted, or more importantly, trustable. What do you know about Verisign's internal security procedures?

        CA's are supposed to make their issuing policies publically available. One day a few years ago when I had too much time on my hands I went through and checked them all. Of the 100 odd root certificates that were originally installed in my browser, I threw out about half for not having their policy publically available in human readable form. I threw out most of the rest (including Verisign and Thawte's low-end certs) because their policy was too lax, but maybe I just have high standards.

  • DomainKeys (Score:5, Interesting)

    by Anonymous Coward on Wednesday February 23, 2005 @08:53PM (#11761836)
    I liked the idea behind Domain Keys:
    Domain Keys [yahoo.com]

    You post your public key in your DNS record. DNS already maintains an identity system.

    The trick with DK is to get the browser's to fetch the site's public key from the DNS record (it has to do the DNS query anyway) and use that in the handshaking.

    Yes, there is the potential for someone to hijack the site, but that is getting more difficult. And, DK would be a free add-on to the DNS stuff you have to do anyway.

  • by bigtangringo ( 800328 ) on Wednesday February 23, 2005 @09:11PM (#11761985) Homepage
    ...If you are doing it for an OpenSource project:
    https://www.godaddy.com/gdshop/ssl/ssl_o pensource. asp

    Not to mention, it's the cheapest SSL cert I know of at $30/year.
  • by freelock ( 755655 ) on Wednesday February 23, 2005 @09:26PM (#11762056)
    Many fine, relevant comments have already been made in this thread. But I didn't see anyone point out the downside of free SSL certificates: free phishing sites!

    Yes, it's possible to freely self-sign certificates to get encryption. I run my own certificate authority for encrypting traffic among my clients, if they aren't conducting e-commerce. These self-signed certificates work fine without triggering a browser warning--if you import the certificate authority certificate.

    For my public/e-commerce sites, I use FreeSSL, at $35/year. This buys me a blessing from a CA that is pre-installed in over 95% of all browsers in use. What's not covered? Konqueror. Curl. I think Safari, though I haven't checked recently. For my clients who want those to work, I suggest spending the ~$120 or so for a Geotrust cert.

    Now, imagine if every spammer in the world could get an SSL certificate for free... Already domains are cheap enough that they can set them up to easily spoof real web sites--banks, etc. Imagine if every one of those had an SSL certificate, and didn't trigger a browser warning? Most people I know look for the lock. If the lock is there, they trust the site. They don't actually look at the certificate, or even the URL much.

    For this reason alone, I'm glad certs aren't free. You can do encryption for free, but I'd prefer my browser to at least let me know the site I'm visiting is too cheap to buy a real cert. (that's not meant as a slam, since I'm too cheap to buy one for most of my sites...).

    Cheers,
    Freelock Computing [freelock.com]
  • by ddent ( 166525 ) on Wednesday February 23, 2005 @10:05PM (#11762280) Homepage
    We issue SSL Certificates [omegasphere.net] with prices a good deal less than hundreds upon hundreds of dollars. Our certificates are issued with a root that already exists in browsers, and we do ID verification (but remain flexible - we will issue certificates to both corporations and natural persons, i.e. people). In terms of keeping the encryption meaningful, using a self-signed certificate doesn't cut it - it makes it trivial for the right person to perform a man-in-the-middle attack.

    As much as I'd love to say otherwise, the SSL business is actually quite competitive these days -- the days of a 128-bit certificate costing at least $895 are long gone.
  • Let's suppose you take your PC to a coffee shop and want to read your stock-r-us.com stock portfolio...

    ...even though there are already PLENTY of free certificate providers out there today, stocks-r-us has to pay big big bucks to one of a few certificate agencies- There's absolutely, positively, no way around this currently, for complex reasons that are hard to explain briefly, but I'll give it a shot...

    First of all, there are two things, at the minimum, you need to talk to stocks-r-us over the internet securely from a coffee shop:

    1. An encrypted communication channel (this is handled by public key and symmetric key encryption protocols)
    2. A guarantee that the person you are talking to over the 'net really is stocks-r-us and not an impostor.

    All this fancy talk in this slashdot story involves this second step in this process... so how can you get this no-impostor guarantee? Well, the most basic way would be to ask stocks-r-us a secret question only they could answer, sort of like a "secret handshake". An SSL certificate is simply a "secret handshake". (well, not so simply, but just accept this idea for now...) So in order to make sure the company you're talking to over the 'net is your stocks-r-us, you check to see if they know the stocks-r-us secret handshake. Problem solved...

    ...or not: This works fine if YOU know how to recognize the stocks-r-us secret handshake, but, for technical reasons, this is only possible if your computer and stocks-r-us have chatted in the past (i.e. you've used your computer before to sheck your stocks) if not, there's no way you can get the jimmy on how to tell a genuine stocks-r-us secret handshake.

    This is where a certificate authority comes in: You can get a third person (whose handshake you do know) to give you stocks-r-us' secret handshake. There are many many organizations that offer free (or not free) services to act as this third person (i.e. as a "CA") So stocks-r-us can just sign up with one of these companies to give them the secret handshake info- Problem solved...

    ...or not: The user of their has to already know the handshake of the CA for this to work ahead of time, or the proverbial "house of cards" will just fall apart anyway... How can they be sure you already have the "secret hanshake" of this third person/CA?

    Well, the answer is pretty goofy... the "handshake" of the CA has to be "hardwired" into every copy of Firefox/Internetexplorer/Safari/etc when it is installed. If you go to the settings of your browser, you'll see a list of CAs already placed in by Microsoft/Apple/Mozilla/etc right out of the box! That's the only way this could work...

    ...so you might be wondering: Don't the CA companies in this initial list of built-in handshakes have some kind of monopoly/oligopoly? The answer, of course, is YES: These special CAs charge monopoly-style prices for their services for this very reason. The point of this slashdot article is that an non-profit group wants to somehow make Microsoft/Apple/Mozilla/etc to put it in this super-duper "handshake" list, but it promises it won't charge everyone big bucks who wants to use them as their third party.

    (I'm no expert on this, so any experts are welcome to reply to my post to make any corrections if there are any errors of substance...)
  • by mikrorechner ( 621077 ) on Thursday February 24, 2005 @04:07AM (#11764625)
    According to this article [heise.de] on heise.de, StartCom generates the SSL certificate you order on their server, sign it, and send it to you.

    How do I know that they don't keep a copy of the cert for their own use? They could impersonate my server any time with this.
  • by CastrTroy ( 595695 ) on Thursday February 24, 2005 @08:44AM (#11765615)
    What nobody realizes is that certificates only actually solve a very small problem. They prove that a person is who they say they are. It's like picking up a hitchhiker because they've shown you their driver's license. The fact that they can prove who the are says nothing about the safety of actually letting the person into your car. Certificates provide a false sense of security, but making people think it's ok to install such-and-such active-x control, because it's signed. It doesn't matter if you can track down the person who created it once your data is all gone. Tracking the person down isn't going to get your data back.

No spitting on the Bus! Thank you, The Mgt.

Working...