Suggestions for SSL cert?



  • My personal domain is using a self-signed SSL certificate. Are there any reasonably-cheap (or preferably free) providers out there for me to get a "real" cert that doesn't cause web browsers to tell everyone I'm an evil phishing hacker? I'd need a cert that supports subdomains too.



  • Anyone used StartSSL? They have a $60 for 2-years package that looks acceptable, if it's widely-supported by common browsers.

    And in case it matters, my web server is now NGINX which reverse-proxies to internal VMs based on the requested subdomain.


  • sockdevs

    i use Digicert, not the cheapest by a long shot but they have an excellent trust reputation.

    StartSSL is good for getting off the ground, not sure how good they are for long term.


  • Grade A Premium Asshole

    @mott555 said:

    Anyone used StartSSL?

    Yep, when a low or zero cost cert is needed. Works fine. Their whole cert request process is a fucking nightmare and WTF, but I don't see why it would not serve your purpose.



  • I used StartSSL. They give you a free domain+non-wildcard subdomain cert if that's all you need.



  • I think I need a wildcard subdomain cert, unless I can request a free cert for each of my subdomains.



  • @Polygeekery said:

    Their whole cert request process is a fucking nightmare and WTF,

    How so?



  • Wildcard certs are relatively expensive - the cheapest I've used is from Comodo (~100 USD / yr)



  • That's more than I want to pay. StartSSL has a 2-year wildcard cert for $60 which I'm looking into.


  • Grade A Premium Asshole

    Their login process involves a cert installed in your browser that identifies you, so you have to make certain that you backup that cert or else you lose access to your account. It is not a username and password sort of login. It is a pain in the ass to try and login from multiple computers.



  • Wow, they need me to scan my passport and upload it? Idk about that...it's a gaming site and I want any details to be my gamertag, not my real name...


  • Grade A Premium Asshole

    @mott555 said:

    Wow, they need me to scan my passport and upload it? Idk about that...it's a gaming site and I want any details to be my gamertag, not my real name...

    I have never bought a cert from them, that is their SOP?!?



  • That's why I recommended the Comodo cert - they only do domain validation (ensure that you own the domain name), not the whole background check on you as a person. But I understand not wanting to spend the $$.



  • @monkeyArms said:

    But I understand not wanting to spend the $$.

    The whole system is a racket IMO. I really shouldn't have to spend cash to keep browsers from accusing me of being a hacker.



  • @mott555 said:

    The whole system is a racket

    Yes. Yes it is.



  • @Polygeekery said:

    I have never bought a cert from them, that is their SOP?!?

    It is for Class 2 which is the minimum package with a wildcard subdomain cert.



  • Ugh...Comodo requires me to set up email on my domain, and I can almost guarantee that's blocked by my ISP plus I don't even know how to run an email server. Why can't they use the email address I provided in the CSR?



  • @mott555 said:

    Comodo requires me to set up email on my domain

    It's been a while since I've gone through them - I thought they would send the confirmation(s) to whatever email address you put as your domain's administrative contact....



  • Inbox.com has a very basic free email hosting package, I'm getting that set up for my domain now. I am NOT about to jump into hosting my own email server just for a CSR.



  • Globe SSL has wildcards for ~60 bucks a year.

    edit: never mind. Only if you buy 5 years at a time.

    I haven't used them yet, but I'm about to go down this rabbit hole for some of my own personal websites probably this weekend.

    My plan is to use free startSSL certs for one domain and just suck it up and do the individual free certs for the sub domains. Then I'm going to pay globe for a wildcard on a different domain and see if the comparative costs/benefits are worth it for my situation.

    I will report back when I get around to this. But, realize that by "this weekend" I mean some weekend in the future which my girlfriend is not going to monopolize with various types of non-sexual things and also that I don't have a million other personal project tasks to work on and also a weekend that I'm not derping shit in EvE online.

    So basically that means I'll do it some weeknight at 4 in the morning after too much vodka when I've already decided to call in sick for work and possibly not remember much of what I actually did. Like last night.

    I woke up with a new lenovo laptop. No idea where it came from. But I can clearly see from the results on my desk that I stuck an ssd in it and installed windows.

    I'll most likely end up with cryptic notes stuffed in various places that say things like

    startSSL = evIL

    fuck.*.com isn't valid.

    Globe wants the name of my first born child.

    Don't have one yet. Also, name the little bastard fuck.*.com and sue ICANN for not letting me register fuck.*.com.com

    https isn't really all that secure anyway so screw this.

    Write a python library for setting the girlfriend's sex drive.



  • You need to identify yourself to get a cert, that's part of the process. (Although last time I bought one, I think I just used my driver's license.)

    In theory, certs actually are tied to a specific person/organization, not just "magical numbers that make the browser safety warning go away". Although people just use it like the latter.



  • @blakeyrat said:

    In theory, certs actually are tied to a specific person/organization, not just "magical numbers that make the browser safety warning go away". Although people just use it like the latter.

    These need to be separated IMO. One level of cert for those who just want a secure connection, and a second level of cert for ecommerce or enterprise stuff where you want to prove who you are.



  • "Arriving mid-2015" so still not available, but if you can wait a bit it seems like the best choice.



  • Too late, just signed up with Comodo. Their process was pretty easy actually, just waiting for them to deal with my CSR and hopefully I'll have a nice signed cert to install on my NGINX server tonight.



  • Another failed system.

    Hackers hack to make money.

    Hacker gate, is a pay system.

    Thus making anti-hacker cert system, pro hacker.



  • @anonymous234 said:

    it seems like the best choice

    Will it have any browser support except from Firefox? I doubt it…

    I personally hope DANE eventually gets supported so we can get rid of CAs entirely.


  • Discourse touched me in a no-no place

    @mott555 said:

    These need to be separated IMO. One level of cert for those who just want a secure connection, and a second level of cert for ecommerce or enterprise stuff where you want to prove who you are.

    It's sort-of been done.

    Though ultimately, the whole point of a certificate is to identify who the other party is. After all, an encrypted conversation with someone who isn't the service you're looking to communicate with isn't in any meaningful way secure. That's why self-signed certificates are such a problem: anyone can make one and make any claim they want in it.

    And yes, I have run a (small, private) CA in the past. The software was annoying, the bureaucracy I had to use a nightmare.



  • @mott555 said:

    One level of cert for those who just want a secure connection, and a second level of cert for ecommerce or enterprise stuff where you want to prove who you are.

    TDEMS. If you're not who you are, then your connection is not secure. If someone can eavesdrop on your transmission, then they can probably also pull a MITM attack and present another cert - and without identity verification, you have no way of knowing about it.

    Having a certificate which doesn't serve as an identity proof is about as secure as putting a padlock emoji in your URL.


  • Discourse touched me in a no-no place

    @Maciejasjmj said:

    Having a certificate which doesn't serve as an identity proof is about as secure as putting a padlock emoji in your URL.

    QFT and because I can only like this post once.



  • Yeah, but who's going to MITM my MUD or low-usage forum? I just don't want passwords sent in plaintext.



  • @mott555 said:

    I just don't want passwords sent in plaintext.

    ROT13 them.

    Why do you not want the password to be sent in plaintext? Because someone might capture it. And if they're in the position to capture the transmission, they can probably also serve as a relay with a fake cert.

    If you're just worried about people using their bank passwords and logins for your MUD, either implement a masked password or some sort of challenge-response system.



  • Well it's all moot because I'm getting a real cert anyway.



  • Have you considered a padlock emoji in your URL?



  • The thing is, it shouldn't cost money for a basic "the server you're talking to is the one that was at this address when the CA checked" certificate. That can be automated quite easily (think Google Webmaster Tools) and only costs the CA the CPU cycles needed to sign the certificate. It ensures that you're connected to the right server and that someone can't easily read your password when you type it into an <input type="password">. Ensuring that you're connected to a website owned by a real person is a step above that and ensuring the person that owns the website isn't pretending to be another website is a step above that. Neither one is needed for something like a MUD or a forum.


  • Grade A Premium Asshole

    @ben_lubar said:

    The thing is, it shouldn't cost money for a basic "the server you're talking to is the one that was at this address when the CA checked" certificate. That can be automated quite easily (think Google Webmaster Tools)

    Now that you mention it, I am kind of surprised it is not part of GWT already...



  • @Polygeekery said:

    GWT

    Fun fact: GWT refers to no fewer than two unrelated Google products.


  • Grade A Premium Asshole

    Que? I am blanking on #2. (Make your own joke, I slow-pitched it right over the plate)




  • Discourse touched me in a no-no place

    @ben_lubar said:

    That can be automated quite easily (think Google Webmaster Tools) and only costs the CA the CPU cycles needed to sign the certificate.

    For a single host certificate, that's pretty much all the CA requires. It's a bit more complicated than that for a simple domain certificate, but not much; the remaining information that the CA needs for basic checks is in DNS, in particular in the administrative contact fields that you can look up with whois.

    Almost all of the real cost of running a CA is bureaucratic, not technical.


  • Winner of the 2016 Presidential Election

    GWT (pronounced ‘gwit’) is the official open source project for GWT releases 2.7 and onwards

    so, GWT is GWT.

    Who says OSS has a problem with documentation?

    <yes, I know there's a better explanation in the next section>



  • @mott555 said:

    Comodo requires me to set up email on my domain

    I'm sure we use Comodo with the option of email, DNS or HTTP verification.

    DNS verification involved setting a certain CNAME record to a certain value (like dkfuasfoiug.example.com CNAME oiejrtopimvls.comodoca.com.)

    HTTP verification was serving something like www.example.com/dkfuasfoiug.txt with the content oiejrtopimvls. (I remember seeing the matching codes, and the email verification link contained them both too)

    We are gearing up to add a large number of sites to our system and this will be quite automated!
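    The two domain-validation checks described above (DNS CNAME and HTTP token), as an added example that is not from the post and not Comodo's own code: a small checker modelled on that description, with DNS and HTTP lookups injected as callables so it runs offline against constructed responses. The challenge label, token and comodoca.com suffix are the ones quoted in the post; the function names and the "either method proves control" rule are assumptions.

```python
from typing import Callable, Optional

# Responses below are constructed for this example, not captured from a real CA.


def normalize_fqdn(name: str) -> str:
    """Lower-case and drop the trailing dot so 'a.example.com.' matches 'A.example.com'."""
    return name.strip().lower().rstrip(".")


def check_dns_challenge(domain: str, label: str, expected: str, ca_suffix: str,
                        resolve_cname: Callable[[str], Optional[str]]) -> bool:
    """DNS validation: <label>.<domain> must CNAME to <expected>.<ca_suffix>."""
    target = resolve_cname(f"{label}.{domain}")
    if target is None:
        return False
    return normalize_fqdn(target) == normalize_fqdn(f"{expected}.{ca_suffix}")


def check_http_challenge(domain: str, label: str, expected: str,
                         fetch: Callable[[str], Optional[str]]) -> bool:
    """HTTP validation: http://www.<domain>/<label>.txt must serve exactly the token."""
    body = fetch(f"http://www.{domain}/{label}.txt")
    if body is None:
        return False
    return body.strip() == expected  # exact match; a page echoing the path would not pass


def validate_domain(domain: str, label: str, token: str,
                    resolve_cname: Callable[[str], Optional[str]],
                    fetch: Callable[[str], Optional[str]],
                    ca_suffix: str = "comodoca.com") -> Optional[str]:
    """Return which method proved control of the domain ('dns' or 'http'), or None."""
    if check_dns_challenge(domain, label, token, ca_suffix, resolve_cname):
        return "dns"
    if check_http_challenge(domain, label, token, fetch):
        return "http"
    return None


# Constructed stand-ins for a resolver and an HTTP client (values from the post).
_CNAMES = {"dkfuasfoiug.example.com": "oiejrtopimvls.comodoca.com."}
_PAGES = {"http://www.example.com/dkfuasfoiug.txt": "oiejrtopimvls\n"}


def fake_resolve(name: str) -> Optional[str]:
    return _CNAMES.get(normalize_fqdn(name))


def fake_fetch(url: str) -> Optional[str]:
    return _PAGES.get(url)
```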



  • I'm not so sure about this Comodo thing. They charged me instantly, but it's been two days and I have not received a cert yet...



  • Guess I gotta call someone. Still no cert. No messages or anything, the only sign of life is the charge on my credit card.


  • sockdevs

    dispute the charge with your credit card company. that will get their attention.

    the number of times i've needed to do this to get the attention of a company is far too high

    [insert zubat joke here]


  • Discourse touched me in a no-no place


  • sockdevs

    that's the meme i was fishing for! :-D


  • Winner of the 2016 Presidential Election

    What does that meme have to do with Zubat?



  • @Jaloopa said:

    What does that meme have to do with Zubat?

    I assumed @FrostCat was just trying to make it interesting instead of something about...umm...hang on....oh, some kind of Japanese video game thing.

    That dude is awesome.


  • sockdevs

    @Jaloopa said:

    What does that meme have to do with Zubat?

    it's a reference to pokemon games.

    zubat is annoying to fight, hard to run from and ABSOLUTELY EVERYWHERE inside caves


  • Winner of the 2016 Presidential Election

    I know that much from my red/blue days. My confusion is how that relates to the Too Damn High beardy guy

