
Microsoft adds free root certificate authority to Windows - johns
http://www.istartedsomething.com/20091010/microsoft-free-root-certificate-authority-windows/
======
dfranke
These stories make me cringe. The security of SSL is as good as the
verification practices of the laziest CA. We need fewer of them, not more, and
any CA that can give certificates away for free is guaranteed to have
atrocious practices.

It appears that this company authenticates you by verifying that you can
receive email at the domain that you want the certificate for. In addition to
completely defeating the purpose of SSL by sending secrets in the clear over
SMTP, ability to receive email at a certain address is no proof of ownership
of that domain. Unfortunately, though, StartCom didn't invent this stupidity.
I already discovered a few months ago that I can get Thawte to issue me an SSL
certificate for hushmail.com.

~~~
wmf
Look at it the other way: The CAs who are charging hundreds of dollars have
atrocious practices, so StartCom is actually an improvement.

------
zokier
Could we just throw current CAs out and get some sensible, working
organization instead? Basically anyone can get a certificate for any domain
nowadays; CAs care only about money. That kinda defeats the whole purpose of
having CAs in the first place. Okay, maybe applying for a *.google.com
certificate could be noticed in the current system, but that's about it.

Why couldn't, e.g., domain registrars grant certificates for the domains they have
sold? Wouldn't that kinda simplify and be a lot more secure than the current
mess?

~~~
invisible
I wasn't aware it was that easy. I thought, at the simplest, they verify the
whois information of the domain and you must be an admin contact for the
domain. What would you suggest they do beyond that or besides that?

How can I get *.ycombinator.com for example?

------
wmf
Are they pushing this patch out? The article gives the impression that
XP/Vista users would have to patch manually, which isn't going to happen.

~~~
sid0
On XP, through Windows Update. On Vista, automatically the first time you
visit a StartCom-signed site.

------
wizard_2
Does this mean we don't have to pay for SSL certs anymore? If IE, Firefox, and
Safari support this company's free certs - what's the problem?

~~~
there
Did you read the article?

 _Granted Firefox and Safari has supported many of the certificate authorities
issuing free certificates for some time, Microsoft has not, until now._

~~~
euccastro
Did you notice the "anymore"?

