Comments on: Two tiered SSL certificates http://www.sethsblog.com/two-tiered-ssl-certificates Facts are meaningless. You could use facts to prove anything that's even remotely true! Fri, 21 Nov 2008 05:15:18 +0000 http://wordpress.org/?v=2.6.3 By: Nick http://www.sethsblog.com/two-tiered-ssl-certificates#comment-3151 Nick Tue, 22 Jul 2008 08:06:45 +0000 http://www.sethsblog.com/two-tiered-ssl-certificates#comment-3151 Seth: "My point is that why should a normal person, not an attacker with a site not be able to use SSL without having a warning in a user’s browser? A free CA that’s pre-installed would work for that just fine." Who decides if you're an attacker or not? Someone has to - and that's the checking part that costs CAs money, which is why they charge. Actually, the product you ask for already exists. It's called a DV (Domain Validated) certificate. The 'checking' is done by verifying your ownership of the domain (usually via emailing a contact from the WHOIS or someone@thedomain.com). As this can be automated, the cost is dramatically less. If you look around, the certs can be had for anything from $50 to $10. Seth:
“My point is that why should a normal person, not an attacker with a site not be able to use SSL without having a warning in a user’s browser? A free CA that’s pre-installed would work for that just fine.”
Who decides if you’re an attacker or not? Someone has to - and that’s the checking part that costs CAs money, which is why they charge.

Actually, the product you ask for already exists. It’s called a DV (Domain Validated) certificate. The ‘checking’ is done by verifying your ownership of the domain (usually via emailing a contact from the WHOIS or someone@thedomain.com). As this can be automated, the cost is dramatically less. If you look around, the certs can be had for anything from $50 to $10.

]]> By: Seth http://www.sethsblog.com/two-tiered-ssl-certificates#comment-3150 Seth Tue, 22 Jul 2008 03:52:02 +0000 http://www.sethsblog.com/two-tiered-ssl-certificates#comment-3150 Nick you fail to see my point. I understand this can be faked. I mistakenly used the wrong example because I realize that it won't solve these sorts problems and don't intend to use this to solve them. My point is that why should a normal person, not an attacker with a site not be able to use SSL without having a warning in a user's browser? A free CA that's pre-installed would work for that just fine. Nick you fail to see my point. I understand this can be faked. I mistakenly used the wrong example because I realize that it won’t solve these sorts problems and don’t intend to use this to solve them.

My point is that why should a normal person, not an attacker with a site not be able to use SSL without having a warning in a user’s browser? A free CA that’s pre-installed would work for that just fine.

]]> By: Nick http://www.sethsblog.com/two-tiered-ssl-certificates#comment-3148 Nick Tue, 22 Jul 2008 00:49:36 +0000 http://www.sethsblog.com/two-tiered-ssl-certificates#comment-3148 Have you heard of a Man In The Middle attack? I run a public wifi hotspot, but proxy all traffic to your bank through my server, which uses a self-signed ssl certificate. You are not warned by your browser, and bank online care free. I now have your credentials, even though everything you sent *was* encrypted. Fail. You pay Verisign to verify that the certificates they issue are only issued to the rightful owner of that domain. Whether or not they actually do that is a different question. Have you heard of a Man In The Middle attack?

I run a public wifi hotspot, but proxy all traffic to your bank through my server, which uses a self-signed ssl certificate. You are not warned by your browser, and bank online care free. I now have your credentials, even though everything you sent *was* encrypted.

Fail.

You pay Verisign to verify that the certificates they issue are only issued to the rightful owner of that domain. Whether or not they actually do that is a different question.

]]> By: Seth http://www.sethsblog.com/two-tiered-ssl-certificates#comment-3147 Seth Mon, 21 Jul 2008 23:29:21 +0000 http://www.sethsblog.com/two-tiered-ssl-certificates#comment-3147 I agree that this is a good solution but unless its supported in most browsers, it's rubbish. Firefox on the Linux desktop is a very tiny portion of the market share who are likely to already be tech saavy enough to not mind the warning anyway. Firefox including a free CA on all builds of their browser is what's needed to take hold. I agree that this is a good solution but unless its supported in most browsers, it’s rubbish.

Firefox on the Linux desktop is a very tiny portion of the market share who are likely to already be tech saavy enough to not mind the warning anyway.

Firefox including a free CA on all builds of their browser is what’s needed to take hold.

]]> By: Holden Karau http://www.sethsblog.com/two-tiered-ssl-certificates#comment-3145 Holden Karau Mon, 21 Jul 2008 22:38:49 +0000 http://www.sethsblog.com/two-tiered-ssl-certificates#comment-3145 There is a free root (known as cacert.org ) I <i>think</i> they might be in some linux distributions firefox, which is well better than self-signed. There is a free root (known as cacert.org ) I think they might be in some linux distributions firefox, which is well better than self-signed.

]]>