Bitcoin Forum
September 20, 2017, 01:27:36 PM *
News: Latest stable version of Bitcoin Core: 0.15.0.1  [Torrent]. (New!)
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Free SSL certificates  (Read 4489 times)
Vasiliev
Jr. Member
*
Offline Offline

Activity: 55


View Profile
February 22, 2011, 04:02:18 PM
 #1

Those of you running sites with self-signed certs should look into https://www.startssl.com/. Free SSL certificates valid for 1 year, renewable every year without charge.

They aren't accepted by mobile devices, but Windows, Mac OS X, and Firefox and Opera accept them, so it's far better than throwing an ugly security warning from a self-signed cert.
(IE, Safari, and Chrome use the OS' certificates)

See also https://secure.wikimedia.org/wikipedia/en/wiki/StartCom

1DiaPwjDV6rLB2KrBA7gzitzSWCJmXnESy
1505914056
Hero Member
*
Offline Offline

Posts: 1505914056

View Profile Personal Message (Offline)

Ignore
1505914056
Reply with quote  #2

1505914056
Report to moderator
1505914056
Hero Member
*
Offline Offline

Posts: 1505914056

View Profile Personal Message (Offline)

Ignore
1505914056
Reply with quote  #2

1505914056
Report to moderator
"The nature of Bitcoin is such that once version 0.1 was released, the core design was set in stone for the rest of its lifetime." -- Satoshi
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
Nefario
Hero Member
*****
Offline Offline

Activity: 602


GLBSE Support support@glbse.com


View Profile WWW
February 22, 2011, 04:56:01 PM
 #2

It also allows the signing company to give certificate details to a government agency so that they can snoop on encrypted communications.

As far as I know with a self signed cert it should be impossible for a government to snoop.Or at least much more difficult.

PGP key id at pgp.mit.edu 0xA68F4B7C

To get help and support for GLBSE please email support@glbse.com
Vasiliev
Jr. Member
*
Offline Offline

Activity: 55


View Profile
February 22, 2011, 05:09:22 PM
 #3

It also allows the signing company to give certificate details to a government agency so that they can snoop on encrypted communications.

As far as I know with a self signed cert it should be impossible for a government to snoop.Or at least much more difficult.
If a government is prepared to seize a certificate from the signing company, why wouldn't they just demand root access from the server's host?

1DiaPwjDV6rLB2KrBA7gzitzSWCJmXnESy
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1358


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
February 22, 2011, 05:32:55 PM
 #4

It also allows the signing company to give certificate details to a government agency so that they can snoop on encrypted communications.

As far as I know with a self signed cert it should be impossible for a government to snoop.Or at least much more difficult.

That is not how SSL works.

When you request an SSL certificate, YOU generate the keypair on your own computer (web server).  They only sign the public key, they never get the private key.  All major web server software works this way.  So, it is impossible for them to divulge anything to the government.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1358


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
February 22, 2011, 05:44:11 PM
 #5

As far as I know with a self signed cert it should be impossible for a government to snoop.Or at least much more difficult.
If a government is prepared to seize a certificate from the signing company, why wouldn't they just demand root access from the server's host?
[/quote]

According to the talk given at DefCon 18 titled "An Observatory for the SSLiverse" given by an EFF staffer:

When the government really wants to intercept SSL, what they do is they get a certificate provider to issue them a certificate in the domain's name, and then they just perform a man-in-the-middle attack, decrypting the traffic and re-encrypting it on its way to the destination.  (Note, they can't decrypt the traffic mid-stream - BUT with a forged cert they could put up a fake server, get you to connect to it, and that's what I'm referring to here)

The EFF says, there are enough SSL CA providers out there that the government doesn't need to wring yours - they only need one to sell out and issue a cert.

Regardless, a self-signed certificate doesn't protect against this, except perhaps unless users remove all the built-in trusted certificates from their web browser, and then install the self-signed cert as the only trusted root (pretty unlikely anybody is going to do this, since they'll get SSL errors all over the entire internet).


Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
caveden
Legendary
*
Offline Offline

Activity: 1106



View Profile
February 22, 2011, 07:11:20 PM
 #6

When the government really wants to intercept SSL, what they do is they get a certificate provider to issue them a certificate in the domain's name, and then they just perform a man-in-the-middle attack, decrypting the traffic and re-encrypting it on its way to the destination.  (Note, they can't decrypt the traffic mid-stream - BUT with a forged cert they could put up a fake server, get you to connect to it, and that's what I'm referring to here)

The EFF says, there are enough SSL CA providers out there that the government doesn't need to wring yours - they only need one to sell out and issue a cert.

Damn... is there evidence that this has ever happened before?

By the way, I thought browsers would display a warning if suddenly the certificate for the site I'm used to visit changed...

18rZYyWcafwD86xvLrfuxWG5xEMMWUtVkL
error
Hero Member
*****
Offline Offline

Activity: 574



View Profile
February 22, 2011, 07:19:12 PM
 #7

By the way, I thought browsers would display a warning if suddenly the certificate for the site I'm used to visit changed...

Unfortunately they do not. I use the Certificate Patrol Firefox addon to tell me when a site's certificate changes.

15UFyv6kfWgq83Pp3yhXPr8rknv9m6581W
theymos
Administrator
Legendary
*
Offline Offline

Activity: 2786


View Profile
February 22, 2011, 07:26:10 PM
 #8

I also use Certificate Patrol, and I removed many CAs from my certificate store. (Firefox does some buggy things after you remove CAs, though.) I wish the whole system would be replaced. The best idea I've heard is to store the cert in DNS; once DNSSEC is enabled, this will be pretty secure.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
caveden
Legendary
*
Offline Offline

Activity: 1106



View Profile
February 22, 2011, 07:45:49 PM
 #9

Thank you for pointing me to this extension. I really thought that was a default behavior of all SSL clients.

So, sites have no requirement in signing their new certificates with their old ones then... if a site changes a certificate about to expire, the extension will have no way to determine whether it's an authentic change or not, right?

18rZYyWcafwD86xvLrfuxWG5xEMMWUtVkL
error
Hero Member
*****
Offline Offline

Activity: 574



View Profile
February 22, 2011, 07:50:56 PM
 #10

So, sites have no requirement in signing their new certificates with their old ones then... if a site changes a certificate about to expire, the extension will have no way to determine whether it's an authentic change or not, right?

No, there's no way to be 100% sure that the change is authentic. The addon does tell you that the old certificate was about to expire, which is the most common case for replacing a certificate.

The Certificate Patrol web site is full of more good info, including a link to an appliance which automates MITM attacks for "law enforcement".

15UFyv6kfWgq83Pp3yhXPr8rknv9m6581W
satamusic
Member
**
Offline Offline

Activity: 78


yes.


View Profile
February 24, 2011, 01:26:52 PM
 #11

thanks for the tip vladimir.

sent my whole bitcoin balance over to you right now Cheesy

hi
khal
Hero Member
*****
Offline Offline

Activity: 538


NamecoinID: id/khal


View Profile WWW
April 23, 2011, 12:02:34 PM
 #12

Or register on CaCert : https://www.cacert.org/

NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9 | NamecoinID: id/khal | Register .bit domain
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T | My bitcoin Identity: send messages to bitcoin users
Free bitcoins: Surf4Bitcoin.com | Charity Ad: Make a good deed without paying a cent
BioMike
Legendary
*
Offline Offline

Activity: 1395


View Profile
April 23, 2011, 12:07:36 PM
 #13

I'm a happy user of the perspectives system, works like a charm, although I think there should be many more notaries.
LMGTFY
Hero Member
*****
Offline Offline

Activity: 644



View Profile
April 23, 2011, 12:23:48 PM
 #14

Or register on CaCert : https://www.cacert.org/
I get an SSL error with cacert: both their own site and bitcoin-contact.org. This is on Chrome[ium] and Ubuntu. I realise there are ways round this, but as I understand it Vladimir's process avoids this entirely.

This space intentionally left blank.
khal
Hero Member
*****
Offline Offline

Activity: 538


NamecoinID: id/khal


View Profile WWW
April 23, 2011, 04:19:42 PM
 #15

Indeed, CaCert certificate is not added everywhere (but they should be in your ubuntu (/etc/ssl/certs/cacert.org.pem), so Chromium use their own embed certificates).

NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9 | NamecoinID: id/khal | Register .bit domain
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T | My bitcoin Identity: send messages to bitcoin users
Free bitcoins: Surf4Bitcoin.com | Charity Ad: Make a good deed without paying a cent
LMGTFY
Hero Member
*****
Offline Offline

Activity: 644



View Profile
April 23, 2011, 04:27:15 PM
 #16

Indeed, CaCert certificate is not added everywhere (but they should be in your ubuntu (/etc/ssl/certs/cacert.org.pem), so Chromium use their own embed certificates).
Yeah, I'd checked /etc/ssl/certs and seen cacerts so I assumed it was "just" a Chromium issue. However... I've just tried in Firefox and that's exhibiting the same behaviour.

I stress that this isn't a problem for me - I understand what's going on, and if I was so inclined I could fix it. Rather, it's a problem for non-technical users. For that reason I'd prefer Vladimir's approach to the cacert approach - at least for now, until browsers/distros catch up.

This space intentionally left blank.
khal
Hero Member
*****
Offline Offline

Activity: 538


NamecoinID: id/khal


View Profile WWW
April 28, 2011, 02:50:14 PM
 #17

Not really usefull for you, but for other people, go to this web page and click on "Root Certificate (PEM Format)". Firefox will propose you to add the certificate, check "allow for web site" (or somethin like that). That's all Smiley
=> http://www.cacert.org/index.php?id=3


ps : it works without this on Debian and iceweasel (custom debian firefox).

NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9 | NamecoinID: id/khal | Register .bit domain
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T | My bitcoin Identity: send messages to bitcoin users
Free bitcoins: Surf4Bitcoin.com | Charity Ad: Make a good deed without paying a cent
dmp1ce
Member
**
Offline Offline

Activity: 69


View Profile WWW
April 28, 2011, 06:57:13 PM
 #18

I can see why many would suggest getting a root CA to issue your websites certification because to the average user it looks much more legitimate and secure.  However, there are major problems with the CA system and that is why I think people create their own certificates.  I am still learning about these issues but I found this podcast to be very helpful: http://agoristradio.com/?p=255

That being said, does anyone know if there is a Bitcoin CA Certificate floating around out there?  Or is there a signed gpg certificate that I could use with monkeysphere?

BTCmon - Support great bitcoin apps
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!