
2012 in Review: Encrypting the Web with HTTPS - zoowar
https://www.eff.org/deeplinks/2012/12/end-year-blog-post-2012-https-rise
======
lambada
I made the switch just recently to making my personal site HTTPS only. It was
surprisingly easy to do with nginx.

StartSSL gives free 1 year certificates - although each certificate is good
for only one sub-domain and the root.

I do wish wildcard, and multi-domain certificates weren't so expensive though
- it would give me so much more flexibility.

~~~
gst
SSL/TLS Server Name Indication
(<http://en.wikipedia.org/wiki/Server_Name_Indication>) is supported by all
major browsers nowadays. No need for a multi-domain certificate, just use an
individual certificate for each virtual host.

~~~
mike-cardwell
I think the problem is that startssl will only give you one certificate per
domain. I.e., they won't give you multiple free certificates for different
subdomains of the same domain.

Also, as far as I understood it SNI doesn't (and never will) exist for Windows
XP IE users, making it a non-starter for most websites for many years to come.

~~~
btgeekboy
I know for a fact they will give out separate certificates for individual
subdomains; we do it regularly.

~~~
mike-cardwell
Free ones?

~~~
btgeekboy
Yep.

Remember, "www" is a subdomain just as much as "somethingelse" is.

~~~
mike-cardwell
If that's the case, I wonder why they only let you use one domain in the cert's
subjectAltName field. I have a cert from them with my domain (which we'll
pretend is example.com) in the Common Name field, and "www.example.com" in the
subjectAltName field. But I really want a second subjectAltName field in the
same certificate for a legacy hostname. This, they don't offer.

------
ctz
HTTPS is certainly a better option than no HTTPS. But we shouldn't forget that
its trust model is fundamentally and irrecoverably broken -- it has
hundreds of single points of complete failure (to wit, DigiNotar and Comodo
who both silently and completely broke HTTPS for the entire internet, for a
time).

So, for the short term -- HTTPS is the best we have. In the medium term, the
security model of HTTPS (and by implication, SPDY) must die, and CAs along
with it. DANE or Convergence seem like good replacements. Convergence
certainly has the right trust model. DANE is perhaps more easy to migrate to,
but suffers from being built on DNSSEC's unacceptably shitty crypto
infrastructure.

~~~
gizmo686
I remember hearing a talk about a half solution to the broken model of HTTPS
that could be done with the existing system, which was either a proposal or
being implemented. The idea was that when you establish an HTTPS connection to
a new site, you save their certificate for a certain amount of time. In the
future when you log in, if the certificate they provide disagrees with the
one you have then you assume it is compromised. Because of the obvious
problem of legitimately changing certificates there was a mechanism for the
server to inform you of that, but this requires active participation by the
server, so the entire system is only done if the server explicitly enables it.

In the long term, we need to replace HTTPS entirely.
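
The trust-on-first-use scheme described in the comment above, as an added Python illustration that is not code from the post or from any deployed client. The in-memory pin store, the integer day counter standing in for real timestamps, and the `backup_cert_der` argument standing in for the server's opt-in "legitimate change" announcement are all assumptions; the certificate bytes are constructed stand-ins.

```python
import hashlib

# Assumed in-memory pin store: hostname -> {"pin": ..., "backup": ..., "expires": day}
PIN_STORE = {}


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes (a deployed client would hash the public key instead)."""
    return hashlib.sha256(cert_der).hexdigest()


def check_certificate(host, cert_der, today, max_age_days=30, backup_cert_der=None):
    """Trust-on-first-use check for one connection.

    today            -- current time as a day number (constructed; real code uses timestamps)
    backup_cert_der  -- certificate the server announces as its successor; this stands in
                        for the opt-in "tell the client about a legitimate change" mechanism
    Returns 'first-use', 'match', 'rotated' or 'MISMATCH' (refuse the connection).
    """
    fp = fingerprint(cert_der)
    backup_fp = fingerprint(backup_cert_der) if backup_cert_der else None
    record = PIN_STORE.get(host)

    if record is None or record["expires"] <= today:
        # No valid pin yet: remember this certificate for a limited time.
        PIN_STORE[host] = {"pin": fp, "backup": backup_fp, "expires": today + max_age_days}
        return "first-use"

    if record["pin"] == fp:
        # Same certificate as saved: extend the pin and note any announced successor.
        record["expires"] = today + max_age_days
        if backup_fp:
            record["backup"] = backup_fp
        return "match"

    if record["backup"] is not None and record["backup"] == fp:
        # The server announced this certificate earlier, so the change is legitimate.
        PIN_STORE[host] = {"pin": fp, "backup": backup_fp, "expires": today + max_age_days}
        return "rotated"

    # Pin still valid, certificate differs, nothing announced: assume compromise.
    return "MISMATCH"


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; only their hashes matter here.
    print(check_certificate("example.com", b"CERT-A", today=0))  # first-use
    print(check_certificate("example.com", b"CERT-B", today=5))  # MISMATCH
```

A client without the announcement channel can only choose between refusing the changed certificate and silently re-pinning it, which is why the comment notes the server must opt in.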

------
lemcoe9
More people would use HTTPS if self-signed certificates weren't something that
scared users into leaving and SSL certificates were cheaper. You can get one
for around $10 a year, but that's still not free.

~~~
mike-cardwell
You can get one from startssl.com for free.

------
hayksaakian
The notion that SSL is a cost keeps it from mass adoption.

~~~
sliverstorm
Do you believe that is an incorrect notion? It most certainly _is_ a cost.
Even if certs were free, there is overhead. Not a lot of course (on modern
hardware), but it is there.

~~~
hayksaakian
I mean it's something perceived as a burden rather than a benefit.

