SSL Certificates

[mizerydearia]

From here discuss SSL certificates from various authorities.  Do it! NAO!

you fail

WhenIsaSelfSignedSSLCertificateAcceptable?
	SecurityCertificateWarningsDon'tWork
		22MillionSSLCertificatesInUseAreInvalid
				WhatWouldItTakeToHaveOpenCAAuthorities?

[The Madhatter]

I think that the whole browser CA trust thing is horribly flawed. It should follow the SSH-like model. The browser should cache all new certs silently and only alert the user if the cert has been changed.

You can get FF to do this by mucking with the preferences and a plugin called "Certificate Patrol".

[theymos]

I don't trust CACert's security, so I don't allow them to hijack all of my TLS connections (which adding them as a CA does). I've removed a few dozen built-in certs in Firefox because I don't trust those companies (GoDaddy is a commonly-used one that I've removed).

There's no harm in MyBitcoin using CACert, though, since I can just treat their specific cert as self-signed and allow it. StartSSL would probably be better, since it's accepted in most browsers.

You can get FF to do this by mucking with the preferences and a plugin called "Certificate Patrol".

Certificate Patrol only monitors certificates that have already been accepted by the browser. Firefox's handling of untrusted certificates is poor -- I frequently get vague errors about untrusted certs (with no information about which cert is causing the trouble), and it's impossible to autoupdate if you don't trust certain CAs.

[Gavin Andresen]

Picking up from the original thread...

Bitcoin-related sites that have self-signed or CACert certificates (like mybitcoin.com) look unprofessional and un-trustworthy to clueless non-techies.

I know, I know, a Verisign-certified certificate isn't really any guarantee of security, but that doesn't matter-- if you want ordinary users to start trusting your website, get a certificate that doesn't popup any scary-looking security warnings.

[The Madhatter]

One thing that I have noticed from a lot of experience in selling online is that security warnings (browser cert popups) around dealing with money should be avoided. It scares the 'average joe' away from making a purchase, or it makes the whole experience seem 'shady'. The mainstream media has done an excellent job with internet fear mongering.

I don't have any problems, personally, with mybitcoin's choice in a cacert certificate. I just whitelist the fingerprint with my FF plugins.

However, if their intentions are to run a shopping cart interface facility they should really rethink their decision. The adoption of Bitcoin is key.

[The Madhatter]

Looks like you posted something similar, gavinanderson. I didn't see your post until I hit "post" over here. Ah well.

Anyway, we are all preaching to the choir. We already know all of the pros and cons around CAs and self-signed certs.

I just got an email back from mybitcoin. Tom told me that getting a new cert was on the todo list. He told me that it was planned before the payment pages went live.

P.S. Pecunix has been using self-signed certs for quite a while now. I wonder if that has impacted their sales. Food for thought.

[The Madhatter]

I removed all of the CA trust from my FF, installed cert patrol (and a few others), and I don't autoupdate. My updates are applied manually. Call me paranoid.

Certificate Patrol only monitors certificates that have already been accepted by the browser. Firefox's handling of untrusted certificates is poor -- I frequently get vague errors about untrusted certs (with no information about which cert is causing the trouble), and it's impossible to autoupdate if you don't trust certain CAs.

[Anonymous]

It seems unfair that there is no open source certification authority available and that the mozilla foundation is pushing people into using one particular version from a private company. That seems awfully close to what ebay does with paypal. Someone should investigate how much verisign donates to the mozilla foundation and if there is any correlation.

From Verisign

Total: 1,275AUD (excluding taxes) 

Damn that's for 1 year!

 

[chaord]

To be honest, I'm kind of surprised that there isn't some open source, trusted certificate authority.  Yet, when I started searching around this really does seem to be a missing piece of the puzzle.  Is it possible to build an opensource, decentralized certificate authority?  Or is that an oxymoron?

[Anonymous]

To be honest, I'm kind of surprised that there isn't some open source, trusted certificate authority.  Yet, when I started searching around this really does seem to be a missing piece of the puzzle.  Is it possible to build an opensource, decentralized certificate authority?  Or is that an oxymoron?

Bitcoin?lol

[theymos]

Once DNSSEC is working, it'll be possible to securely put your cert's fingerprint in DNS. Then only people you're actually doing business with -- ICANN, the TLD registry, and your registrar -- will be able to compromise your site's encryption (at great risk to future trust from customers). Right now an attacker needs to control only one of several hundred root CAs (plus an unknown number of sub-CAs), but with DNS-based authentication, they'd be pretty much limited to the registrar (ICANN and the registry aren't likely to give in easily).

[The Madhatter]

Looks like mybitcoin's cert changed this morning...

[eurekafag]

Everybody can get SSL certificate for 2nd level domain and 1 subdomain for free here: https://www.startssl.com/?app=12 (press Express Lane button). Works for one year at least, then it should be updated. Recognized by all browsers. But it gives only the encryption and domain matching, no personal checks are done at all. I think it's pretty enough for our purposes (protect people from eavesdropping).

[eurekafag]

Yes, haven't noticed that.