

Ask HN: Silo - SSL certificate safeguard web app - do I go ahead and build? - ollierattue

Hey everyone,<p>I am deciding whether to go ahead and build Silo (http://getsilo.com), a little web app which safeguards SSL certificates. The idea came about after I ran into the following annoying, yet easily avoidable problems:<p>1. Real - I make some changes to a client's web server and restart apache. Apache demanded a pass phrase for a SSL certificate on one of the domains. I don't know it. Without it apache won't start, meaning all websites are offline. The regular sysadmin is away. I email / phone anyone who might know this key but as expected no one knows. A panic vhost disable of the SSL domain, and all websites are back up except the secure one which is down.  More panic server changes to setup a self signed SSL certificate. Then I go through the process of buying a new SSL certificate. Time lost, money spent, website glitches, and unhappy visitors complaining when their browsers say the website is not secure. All because of an unknown pass phrase.<p>2. Real - A visitor emails expressing their concern that their browser is telling them that our e-commerce website is insecure. I take a look and see that the SSL certificate has expired. I buy a new one and go through the process of verifying domain ownership. E-commerce website looses customers, and therefore sales, for 2 days till the new certificate is active.<p>3. Hypothetical (hasn't happened to me) - The web server dies and there are no backups of the SSL certificate, private, public keys, chain and vhost config. I now need to go back to the various companies that sold the certificates, login to their management areas, download the certificates and go through the process of getting the SSL certificates setup correctly using their various setup guides and documentation (often a somewhat trial and error process).<p>Silo would store your SSL certificates, keys, chain files, pass phrases, and send out SSL renewal reminders to solve these three problems. From my own experience I know this product would of saved me time, money, and stress. I am interested to hear if anyone has had similar problems, whether people 'get' the idea of Silo, and finally would be willing to pay for this simple product (pricing at http://getsilo.com/plans).<p>Many thanks for your time,
Ollie Rattue
======
hopeless
It sounds like an interesting idea with some real problems to solve. I'm not a
professional sysadmin so wonder what the current solution is? That would be a
great source of information which many people on here could provide.

My #1 concern is trust. Would a webdesign agency really trust all their SSL
certs to Silo for $50/yr? Centralising that number of SSL certs at an random
online service seems a little insecure. I'd probably prefer a truecrypt-
encrypted USB key, or an encrypted volume of dropbox/whatever or something
like that.

I wonder if there's a business here in just the SSL expiry notifications? It
seems a common problem which is theoretically solved by Google Calendar but
obviously no one actually thinks of a general tool for the specific purposes
of reminding them about expiry dates.

~~~
ollierattue
Hey hopeless, thanks for your thoughtful comment.

There isn't any solution to the pass phrase apache issue. If you forgot / lose
it you need to:

a. Remember / find it

b. Buy a new certificate.

You can create private keys without pass phrases, but this is less secure.

It's interesting to hear that you think SSL certificate expiry is a common
problem. As you say notification could be setup in Google Calendar, but we
just tend to overlook things like this. However I wonder whether a for sale
web app could be justified on this single simple feature...

As for trust, it is a real issue. Trust and security are two different things.
The security could be fine, but if there is a belief (rightly or wrongly) that
it isn't safe then there will be a problem selling a product or service.

From my understanding the certificate is sent from the server to the visitor's
browser when they connect, so I don't see storing them in an online service as
a security risk. However I need to research the security implications of
storing the private key and pass phrase. Any advice or info here would be
greatly appreciated.

