[ALUG] Free HTTPS Certificates

Alan Orth alan.orth at gmail.com
Sun Nov 8 20:32:56 EAT 2015


For the record, I signed up for the open beta last week and have
deployed Let's Encrypt certificates on both of my blogs:

- https://mjanja.ch
- https://alaninkenya.org

The Let's Encrypt scripts work great, for the record. Their certs are
good for 90 days, so they are definitely intended to be automated via
cron jobs, infrastructure automation scripts, etc. I got one report of
a user who couldn't browse the site on his phone, but I think it was
maybe a Windows phone; he didn't respond. It works fine on the Linux,
Mac, and Android browsers that I test. :)

Alan

On Sat, Sep 26, 2015 at 7:52 PM, 'Andreas Tauscher' via Arusha
Technical Forum via Linux <linux at lists.habari.co.tz> wrote:
> On 09/26/2015 10:32 AM, brian wrote:
>> Yes it's true.
>>
>> The fact that it's free is not really the point, since you can already
>> get free certificates through startssl.com. They are one of the standard
>> CAs included in browsers. They require you to go through the regular
>> domain validation and CSR process, and the certificates it issues are
>> valid for one year.
>
> Or WoSign. They issue free certificates valid for up to three years and
> you can include up to 100 names in a certificate.
> Disadvantage: the website is only partially in English; most of it is
> available only in Chinese.
>
> The letsencrypt scripts are working fine. Integrating the API into your
> own applications is not difficult.
>
> My prayer to all browsers and all other software using TLS:
> Implement DANE!
> Up to now, AFAIK only postfix 2.11+ has implemented it fully.
> For Firefox and Chrome a plugin exists, but in the case of a self-signed
> certificate you get the SSL warning page because the plugin can't tell
> the browser that the verification was successful.
> As long as I don't need an EV (extended validation) certificate, self-signed
> certificates are fine and can be validated.
> Certificates issued by other CAs I can validate including the entire
> certification chain.
> The key pinning headers for https are completely useless. I get the
> header after the connection is established. It is like SPF for mail: one
> of the genius ideas you have after 12 beers.....
> What hinders me from modifying this header when I have already done a
> successful man-in-the-middle attack with a faked certificate?
> DANE would make this much more difficult. Then I have to compromise also
> your DNSSEC name server.
>
> Andreas
>
> _______________________________________________
> The Arusha Linux User Group: http://unix.or.tz
> Linux mailing list
> Linux at lists.habari.co.tz
> http://lists.habari.co.tz/cgi-bin/mailman/listinfo/linux
>
> The Arusha LUG mailing list is generously hosted by Habari Node Ltd: http://www.habari.co.tz/
>
> The above comments and data are owned by whoever posted them (including attachments if any). The mailing list host is not responsible for them in any way.



-- 
Alan Orth
alan.orth at gmail.com
https://alaninkenya.org
https://mjanja.ch
"In heaven all the interesting people are missing." ―Friedrich Nietzsche
GPG public key ID: 0x8cb0d0acb5cd81ec209c6cdfbd1a0e09c2f836c0
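Andreas's DANE point in the quoted message above (an attacker who forges a certificate also has to compromise the site's DNSSEC-signed zone) is easier to follow with the actual mechanics on the page. The block below is an added example for this archive page, not code from the original thread, from Let's Encrypt, or from Postfix. It builds a TLSA record of the form commonly used for DANE-EE (usage 3, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256, per RFC 6698) and shows how a client would match the certificate presented in a TLS handshake against TLSA records it received from DNS. The RSA modulus, the stand-in "certificate" container, the DNS owner name and all function names are constructed for the example; a real client takes the DER certificate from the handshake and extracts the SPKI from it, and only uses TLSA records that arrived in a DNSSEC-validated answer (the AD flag), which is what makes the DNS-side compromise necessary.

```python
"""DANE-EE (TLSA usage 3) record generation and client-side matching, RFC 6698 style.
Added example; the key material and certificate container here are constructed, not real."""
import hashlib
import hmac
from typing import Iterable, Tuple

# A TLSA record as (usage, selector, matching_type, association_data)
TLSA = Tuple[int, int, int, bytes]


# ---- minimal DER helpers, only what is needed to build a sample SubjectPublicKeyInfo ----
def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV: tag byte, definite length (short or long form), content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative value; the extra byte keeps the sign bit clear."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def constructed_rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for an RSA key: SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    rsa_oid = der(0x06, bytes.fromhex("2a864886f70d010101"))  # 1.2.840.113549.1.1.1 rsaEncryption
    alg_id = der(0x30, rsa_oid + der(0x05, b""))               # parameters = NULL
    rsa_pub = der(0x30, der_int(modulus) + der_int(exponent))  # RSAPublicKey
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_pub))    # BIT STRING, zero unused bits


# Constructed sample key (not a real key) and a stand-in container used only to exercise
# selector 0; it is NOT a real X.509 certificate.
SAMPLE_SPKI = constructed_rsa_spki((1 << 2047) | 0xC0FFEE12345678)
SAMPLE_CERT = der(0x30, der_int(1) + SAMPLE_SPKI)


# ---- TLSA semantics ----
def selected_data(selector: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Selector 0 = full certificate, 1 = SubjectPublicKeyInfo (RFC 6698 section 2.1.2)."""
    if selector == 0:
        return cert_der
    if selector == 1:
        return spki_der
    raise ValueError(f"unknown selector {selector}")


def association_data(mtype: int, data: bytes) -> bytes:
    """Matching type 0 = exact content, 1 = SHA-256, 2 = SHA-512 (RFC 6698 section 2.1.3)."""
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")


def make_tlsa(cert_der: bytes, spki_der: bytes, usage: int = 3,
              selector: int = 1, mtype: int = 1) -> TLSA:
    """Server side: the record to publish. Default is the usual "3 1 1" DANE-EE/SPKI/SHA-256 form,
    which survives certificate renewals (e.g. 90-day Let's Encrypt certs) as long as the key is kept."""
    return (usage, selector, mtype, association_data(mtype, selected_data(selector, cert_der, spki_der)))


def tlsa_presentation(owner: str, record: TLSA) -> str:
    """Zone-file line, e.g. `_443._tcp.example. IN TLSA 3 1 1 <hex>`."""
    usage, selector, mtype, data = record
    return f"{owner}. IN TLSA {usage} {selector} {mtype} {data.hex()}"


def dane_ee_matches(records: Iterable[TLSA], cert_der: bytes, spki_der: bytes,
                    ad_flag: bool) -> bool:
    """Client side: accept the presented end-entity certificate if a usable DANE-EE (usage 3)
    record matches. Records that did not come from a DNSSEC-validated answer (ad_flag False) are
    ignored entirely, because unsigned TLSA data is what a DNS-spoofing attacker controls.
    Usages 0-2 additionally require PKIX chain validation, which this example does not perform,
    so they are skipped rather than treated as a match; unknown selectors/matching types are unusable."""
    if not ad_flag:
        return False
    for usage, selector, mtype, data in records:
        if usage != 3:
            continue
        try:
            expected = association_data(mtype, selected_data(selector, cert_der, spki_der))
        except ValueError:
            continue
        if hmac.compare_digest(expected, data):
            return True
    return False


if __name__ == "__main__":
    rec = make_tlsa(SAMPLE_CERT, SAMPLE_SPKI)
    print(tlsa_presentation("_443._tcp.mjanja.ch", rec))
    print("matches:", dane_ee_matches([rec], SAMPLE_CERT, SAMPLE_SPKI, ad_flag=True))
```

The "3 1 1" form pins the public key rather than the certificate, so an automated 90-day renewal that reuses the key needs no DNS change; rotating the key means publishing the new record (and keeping the old one until the TTL has expired) before switching the server, otherwise DANE-aware clients such as a DANE-enabled Postfix will refuse the connection.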