www.startssl.com better than I thought

Started by Lazybones, April 07, 2013, 09:33:35 PM


Lazybones

So I have a domain, I have nginx running and I started to set things up.

The way SSL works, if you have one IP you need a certificate that matches all the possible names you will use, a wildcard cert, or you resort to the not-so-greatly supported extensions / hacks out there.

So I decided I would go with ssl.mydomain.com and then load it up with folder redirects in nginx.

To my surprise, when I set up the cert StartSSL gave me mydomain.com as a SAN in the cert, so for free I now have two valid host names:

ssl.mydomain.com
mydomain.com

This makes it much easier to set up hosts and avoid conflicts.
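An added example (not from the original post) of the point above: a certificate only covers the names it lists, and a wildcard entry does not cover the bare domain or more than one label. The SAN lists and hostnames below are constructed, not taken from any real certificate.

```python
# Which hostnames does a certificate's SAN list actually cover?
# Implements the matching rules browsers apply (in the spirit of RFC 6125):
# case-insensitive exact match, or a wildcard that is the whole leftmost
# label and matches exactly one label.

def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label against a pattern label that may be '*'."""
    return pattern == "*" or pattern == label

def hostname_matches(hostname: str, san_name: str) -> bool:
    """Return True if the SAN dNSName entry san_name covers hostname."""
    host_labels = hostname.lower().rstrip(".").split(".")
    pat_labels = san_name.lower().rstrip(".").split(".")
    if len(host_labels) != len(pat_labels):
        return False          # a wildcard never spans more than one label
    if "*" in san_name:
        if pat_labels[0] != "*" or any("*" in p for p in pat_labels[1:]):
            return False      # wildcard only as the entire leftmost label
        if len(pat_labels) < 3:
            return False      # refuse "*.com"-style wildcards
    return all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels))

def covered_hosts(san_names, wanted_hosts):
    """Map each wanted hostname to whether some SAN entry covers it."""
    return {h: any(hostname_matches(h, s) for s in san_names) for h in wanted_hosts}

# Constructed SAN lists for illustration only.
TWO_NAME_SAN = ["ssl.mydomain.com", "mydomain.com"]   # what the free cert gave
WILDCARD_SAN = ["*.mydomain.com"]                      # a wildcard cert
HOSTS = ["ssl.mydomain.com", "mydomain.com",
         "owncloud.mydomain.com", "a.b.mydomain.com"]

if __name__ == "__main__":
    for name, san in (("two-name cert", TWO_NAME_SAN), ("wildcard cert", WILDCARD_SAN)):
        print(name, covered_hosts(san, HOSTS))
```

Note that neither list covers every host: the two-name cert misses the extra subdomains and the wildcard misses the bare domain, which is why the free cert's extra SAN entry matters.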

Mr. Analog

That's pretty kickass, how much are their services?
By Grabthar's Hammer

Tom

They have a /free/ ssl cert. If you want the fancy GREEN url bar, that costs $50 and some time verifying your identity.
<Zapata Prime> I smell Stanley... And he smells good!!!

Lazybones

FYI my surprise was that the FREE cert actually contained two names.

They are by far the cheapest CA even for the paid certs.

Mr. Analog

Holy smokes!
By Grabthar's Hammer

Lazybones

Quote from: Mr. Analog on April 08, 2013, 08:39:28 AM
Holy smokes!

FYI SSL is a big scam; it does two things: 1) encrypts traffic, 2) validates that the site is who they say they are. Most people just want 1, but due to scams browsers toss a nasty fit for self-signed certs.

The difference between the FREE and PAY certs at StartSSL is basically what appears in the cert info dialog box and the features you can enable (more SAN names or the special browser trust bar).

The free cert is basically validated against the fact that you can read one of the email addresses that appears in WHOIS for the domain, to validate that you are the owner... The cert will have all ID fields blank except that it was issued by StartSSL, basically.

If you choose a PAY cert they will validate your address and maybe call you to be sure you are who you say you are, for the higher-level certs.

I am not sure about that though, but getting the GREEN browser bar takes a fair amount of documentation in most cases. I went through renewing one with Thawte and they pulled business records and contacted the HR department independently to verify I worked there and my role before issuing the cert.

I have Transmission and ownCloud now under SSL via nginx. Working on getting my other home services set up that way; should be the ultimate in remote access from locked-down PCs since I am using a trusted cert, HTTPS is allowed almost anywhere and the data is encrypted.

Mr. Analog

You and I know that but to the average user that green bar implies a certain amount of trust.

I mean how often do people actually look at Registrar information on SSL certs they get?
By Grabthar's Hammer

Lazybones

Quote from: Mr. Analog on April 08, 2013, 10:04:42 AM
You and I know that but to the average user that green bar implies a certain amount of trust.

I mean how often do people actually look at Registrar information on SSL certs they get?

Yep, point being that except for sites that take your money very few users would even care about that green bar. So for small projects free TRUSTED certs are super handy.

Lazybones

Also StartSSL is interesting in how they handle administration.

Instead of a user name and password for the site, they issue you a personal cert you install in your browser, and when you connect their application requests a cert to verify who you are.

Odd that I have not seen this with the bigger CAs.

Tom

Lose that cert though and you lose access to that account. You then have to sign up again and get them to transfer your certs over to the new account.
<Zapata Prime> I smell Stanley... And he smells good!!!

Lazybones

Quote from: Tom on April 08, 2013, 03:46:40 PM
Lose that cert though and you lose access to that account. You then have to sign up again and get them to transfer your certs over to the new account.

So you make a backup, like it immediately recommends to do when you receive it.

Tom

Quote from: Lazybones on April 08, 2013, 04:41:16 PM
Quote from: Tom on April 08, 2013, 03:46:40 PM
Lose that cert though and you lose access to that account. You then have to sign up again and get them to transfer your certs over to the new account.

So you make a backup, like it immediately recommends to do when you receive it.
@%&# happens, and you know it :P
<Zapata Prime> I smell Stanley... And he smells good!!!

Lazybones

True and it is also now trivial to store small content like that offsite and encrypted.

Tom

Encrypted with what key? ;) And where do you store it? And do you store it encrypted? And if so, with what key?
<Zapata Prime> I smell Stanley... And he smells good!!!

Lazybones

I use a KeePass password database encrypted with a strong password, stored and replicated via Dropbox. It supports file attachments, so I keep a copy of the cert and its pass phrase in there.

If all my client PCs are wiped out I just download KeePass again (I keep a copy in Dropbox just in case), mount my database and re-install the cert.