SSL Certificates

Jeroen Massar jeroen at unfix.org
Thu Feb 16 10:21:33 CST 2012


On 2012-02-16 17:13 , Christopher Morrow wrote:
> On Thu, Feb 16, 2012 at 8:33 AM, John R. Levine <johnl at iecc.com> wrote:
>>> I suppose if you buy a SSL certificate,  you should be looking for
>>> your CA to have insurance to reimburse the cost of the certificate
>>> should that happen,   and an ironclad   "refund"  clause in the
>>> agreement/contract  under which a SSL cert is issued
>>
>>
>> These certs cost $9.00.  You're not going to get much of an insurance policy
>> at that price.
> 
> again, startssl.com - free. why pay? it's (as you say) not actually
> buying you anything except random bits anyway... if you can get them
> for free, why would you not do that?

Because they do not have a wildcard one for 'free', which is useful when
one wants to serve e.g. example.com but also www.example.com from the same
location along with other variants of the hostname. Except for that, it
is a rather great offer. Though one can of course just serve the
example.com one and force people after they accept to the main site.

I tend to stick CAcert ones on hosts and tell people to either just
accept that single cert and store it for future checks or just install
the CAcert root cert, that covers a lot of hosts in one go, given of
course that one trusts what CAcert is doing, but that goes for anything.

The method that Firefox is using with the unchained certificates "save
this unverified cert and as long as it is the same it is great" is in
that respect similar to SSH hostkeys, one can verify those offline and
just keep on using them as long as that cert is the same you are
likely talking to the same host (ssl etc still don't cover compromised
hosts).

In the end, they are just bits, and this whole verification thing at the
verification of owner adds nothing except for an ease-of-use factor for
the non-techy folks on the Internet.

Greets,
 Jeroen
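The "save this cert and keep trusting it as long as it stays the same" model compared above to SSH hostkeys, as an added Python example that is not part of the original post: a trust-on-first-use pin store keyed by host:port that refuses when the fingerprint changes. The certificate bytes are constructed placeholders, and fetch_der is a hypothetical helper for use against a live host.

```python
import hashlib
import socket
import ssl
from pathlib import Path

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"\x30\x82constructed-cert-A"
CERT_B = b"\x30\x82constructed-cert-B"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, the value browsers show as the cert fingerprint."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Trust-on-first-use store keyed by host:port, in the spirit of SSH known_hosts."""

    def __init__(self):
        self.pins = {}

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        key = f"{host}:{port}"
        fp = fingerprint(der_cert)
        known = self.pins.get(key)
        if known is None:
            self.pins[key] = fp  # first contact: remember it, ideally after offline verification
            return "new"
        if known == fp:
            return "match"       # same bits as before: most likely the same host
        return "mismatch"        # cert changed: refuse until a human re-verifies it

    def save(self, path: Path) -> None:
        path.write_text("".join(f"{k} {v}\n" for k, v in sorted(self.pins.items())))

    @classmethod
    def load(cls, path: Path) -> "PinStore":
        store = cls()
        if path.exists():
            for line in path.read_text().splitlines():
                key, fp = line.split()
                store.pins[key] = fp
        return store


def fetch_der(host: str, port: int = 443) -> bytes:
    """Hypothetical helper: fetch the peer's leaf cert without CA validation; TOFU supplies the trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```

As noted in the post, a matching pin only says the key has not changed; it says nothing about whether the host behind it is still intact.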



More information about the NANOG mailing list