[ALUG] Free HTTPS Certificates
'Andreas Tauscher' via Arusha Technical Forum
arusha-technical-forum at googlegroups.com
Sat Sep 26 19:52:46 EAT 2015
On 09/26/2015 10:32 AM, brian wrote:
> Yes it's true.
>
> The fact that it's free is not really the point, since you can already
> get free certificates through startssl.com. They are one of the standard
> CAs included in browsers. They require you to go through the regular
> domain validation and CSR process, and the certificates it issues are
> valid for one year.
Or WoSign. They issue free certificates valid for up to three years and
you can include up to 100 names in a certificate.
Disadvantage: The website is only partial in English the most is
available only in Chinese.
The letsencrypt scripts are working fine. Including the API in own
applications is not difficult.
My prayer to all browsers and all other software using TLS:
Implement DANE!
Up to now AFIAK only postfix 2.11+ has implemented it fully.
For firefox and chrome a plugin exists but in case of a self signed
certificate you get the SSL warning page because the plugin can't tell
the browser that the verification was successfully.
As long I don't need an EV (extended validation) certificate self signed
certificates are fine and can be validated.
Certificates issued by other CAs I can validate including the entire
certification chain.
The key pinning headers for https are completely useless. I get the
header after the connection is established. It is like SPF for mail: One
of the genius ideas you have after 12 beers.....
What hiders me to modify this header when I already did a successful
main in the middle attack with a faked certificate?
DANE would make this much more difficult. Then I have to compromise also
your DNSSEC name server.
Andreas
--
You received this message because you are subscribed to the Google Groups "Arusha Technical Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to arusha-technical-forum+unsubscribe at googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.habari.co.tz/pipermail/linux/attachments/20150926/23ab0d8d/attachment.pgp>
More information about the Linux
mailing list