Bitcoin Forum
December 08, 2016, 12:05:24 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: SSL Certificates  (Read 2512 times)
mizerydearia
Hero Member
*****
Offline Offline

Activity: 574



View Profile
September 15, 2010, 04:26:20 PM
 #1

From here discuss SSL certificates from various authorities.  Do it! NAO!

you fail
WhenIsaSelfSignedSSLCertificateAcceptable?
SecurityCertificateWarningsDon'tWork
22MillionSSLCertificatesInUseAreInvalid
WhatWouldItTakeToHaveOpenCAAuthorities?
1481198724
Hero Member
*
Offline Offline

Posts: 1481198724

View Profile Personal Message (Offline)

Ignore
1481198724
Reply with quote  #2

1481198724
Report to moderator
1481198724
Hero Member
*
Offline Offline

Posts: 1481198724

View Profile Personal Message (Offline)

Ignore
1481198724
Reply with quote  #2

1481198724
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481198724
Hero Member
*
Offline Offline

Posts: 1481198724

View Profile Personal Message (Offline)

Ignore
1481198724
Reply with quote  #2

1481198724
Report to moderator
1481198724
Hero Member
*
Offline Offline

Posts: 1481198724

View Profile Personal Message (Offline)

Ignore
1481198724
Reply with quote  #2

1481198724
Report to moderator
The Madhatter
Hero Member
*****
Offline Offline

Activity: 490


My avatar pic says it all


View Profile
September 15, 2010, 04:35:21 PM
 #2

I think that the whole browser CA trust thing is horribly flawed. It should follow the SSH-like model. The browser should cache all new certs silently and only alert the user if the cert has been changed.

You can get FF to do this by mucking with the preferences and a plugin called "Certificate Patrol".
theymos
Administrator
Legendary
*
Offline Offline

Activity: 2506


View Profile
September 15, 2010, 05:15:23 PM
 #3

I don't trust CACert's security, so I don't allow them to hijack all of my TLS connections (which adding them as a CA does). I've removed a few dozen built-in certs in Firefox because I don't trust those companies (GoDaddy is a commonly-used one that I've removed).

There's no harm in MyBitcoin using CACert, though, since I can just treat their specific cert as self-signed and allow it. StartSSL would probably be better, since it's accepted in most browsers.

Quote from: The MadHatter
You can get FF to do this by mucking with the preferences and a plugin called "Certificate Patrol".

Certificate Patrol only monitors certificates that have already been accepted by the browser. Firefox's handling of untrusted certificates is poor -- I frequently get vague errors about untrusted certs (with no information about which cert is causing the trouble), and it's impossible to autoupdate if you don't trust certain CAs.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Gavin Andresen
Legendary
*
Offline Offline

Activity: 1652


Chief Scientist


View Profile WWW
September 15, 2010, 05:20:59 PM
 #4

Picking up from the original thread...

Bitcoin-related sites that have self-signed or CACert certificates (like mybitcoin.com) look unprofessional and un-trustworthy to clueless non-techies.

I know, I know, a Verisign-certified certificate isn't really any guarantee of security, but that doesn't matter-- if you want ordinary users to start trusting your website, get a certificate that doesn't popup any scary-looking security warnings.

How often do you get the chance to work on a potentially world-changing project?
The Madhatter
Hero Member
*****
Offline Offline

Activity: 490


My avatar pic says it all


View Profile
September 15, 2010, 05:28:52 PM
 #5

One thing that I have noticed from a lot of experience in selling online is that security warnings (browser cert popups) around dealing with money should be avoided. It scares the 'average joe' away from making a purchase, or it makes the whole experience seem 'shady'. The mainstream media has done an excellent job with internet fear mongering.

I don't have any problems, personally, with mybitcoin's choice in a cacert certificate. I just whitelist the fingerprint with my FF plugins.

However, if their intentions are to run a shopping cart interface facility they should really rethink their decision. The adoption of Bitcoin is key.

The Madhatter
Hero Member
*****
Offline Offline

Activity: 490


My avatar pic says it all


View Profile
September 15, 2010, 05:33:47 PM
 #6

Looks like you posted something similar, gavinanderson. Tongue I didn't see your post until I hit "post" over here. Ah well.

Anyway, we are all preaching to the choir. We already know all of the pros and cons around CAs and self-signed certs.

I just got an email back from mybitcoin. Tom told me that getting a new cert was on the todo list. He told me that it was planned before the payment pages went live.

P.S. Pecunix has been using self-signed certs for quite a while now. I wonder if that has impacted their sales. Food for thought.
The Madhatter
Hero Member
*****
Offline Offline

Activity: 490


My avatar pic says it all


View Profile
September 15, 2010, 05:48:57 PM
 #7

I removed all of the CA trust from my FF, installed cert patrol (and a few others), and I don't autoupdate. My updates are applied manually. Call me paranoid. Tongue

Certificate Patrol only monitors certificates that have already been accepted by the browser. Firefox's handling of untrusted certificates is poor -- I frequently get vague errors about untrusted certs (with no information about which cert is causing the trouble), and it's impossible to autoupdate if you don't trust certain CAs.
Anonymous
Guest

September 16, 2010, 01:18:23 AM
 #8

It seems unfair that there is no open source certification authority available and that the mozilla foundation is pushing people into using one particular version from a private company. That seems awfully close to what ebay does with paypal. Someone should investigate how much verisign donates to the mozilla foundation and if there is any correlation.

From Verisign
Quote
Total: 1,275AUD (excluding taxes) 

Damn that's for 1 year!

 Shocked

chaord
Full Member
***
Offline Offline

Activity: 218


View Profile
September 16, 2010, 01:55:27 AM
 #9

To be honest, I'm kind of surprised that there isn't some open source, trusted certificate authority.  Yet, when I started searching around this really does seem to be a missing piece of the puzzle.  Is it possible to build an opensource, decentralized certificate authority?  Or is that an oxymoron?
Anonymous
Guest

September 16, 2010, 03:12:44 AM
 #10

To be honest, I'm kind of surprised that there isn't some open source, trusted certificate authority.  Yet, when I started searching around this really does seem to be a missing piece of the puzzle.  Is it possible to build an opensource, decentralized certificate authority?  Or is that an oxymoron?

Bitcoin?lol

theymos
Administrator
Legendary
*
Offline Offline

Activity: 2506


View Profile
September 16, 2010, 01:11:15 PM
 #11

Once DNSSEC is working, it'll be possible to securely put your cert's fingerprint in DNS. Then only people you're actually doing business with -- ICANN, the TLD registry, and your registrar -- will be able to compromise your site's encryption (at great risk to future trust from customers). Right now an attacker needs to control only one of several hundred root CAs (plus an unknown number of sub-CAs), but with DNS-based authentication, they'd be pretty much limited to the registrar (ICANN and the registry aren't likely to give in easily).

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
The Madhatter
Hero Member
*****
Offline Offline

Activity: 490


My avatar pic says it all


View Profile
September 16, 2010, 06:30:34 PM
 #12

Looks like mybitcoin's cert changed this morning...
eurekafag
Full Member
***
Offline Offline

Activity: 186


View Profile
September 26, 2010, 02:55:13 PM
 #13

Everybody can get SSL certificate for 2nd level domain and 1 subdomain for free here: https://www.startssl.com/?app=12 (press Express Lane button). Works for one year at least, then it should be updated. Recognized by all browsers. But it gives only the encryption and domain matching, no personal checks are done at all. I think it's pretty enough for our purposes (protect people from eavesdropping).
eurekafag
Full Member
***
Offline Offline

Activity: 186


View Profile
September 27, 2010, 05:19:27 AM
 #14

Yes, haven't noticed that.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!