
Sslip.io: A Valid SSL Certificate for Every IP Address - arianvanp
http://blog.pivotal.io/labs/labs/sslip-io-a-valid-ssl-certificate-for-every-ip-address
======
jgrahamc
So, these guys bought a COMODO wildcard certificate and then stuck it (public
and PRIVATE parts) on Github for anyone to download.

Wonder how long before COMODO revokes this cert?

If you have a test domain you can stick it on CloudFlare and get a certificate
for free without the private part becoming public.

~~~
StavrosK
Yes, but the CloudFlare/server leg is unencrypted.

~~~
jgrahamc
We give customers a certificate signed against our CA to secure the CloudFlare
to origin server connection.

~~~
IgorPartola
You do? Last I checked, I just saw that you had the option to put a self-
signed cert on your own server, but no way to tell CloudFlare to validate it
(e.g.: I couldn't upload my public cert to CF and say "this is what you should
expect"). Alternatively, I could buy my own valid cert and put it on the
server. Is the option to get a valid signed cert from CF new?

~~~
jgrahamc
[https://blog.cloudflare.com/universal-ssl-encryption-all-the-way-to-the-origin-for-free/](https://blog.cloudflare.com/universal-ssl-encryption-all-the-way-to-the-origin-for-free/)

~~~
uxWxIUws
Did this actually come out?

I've never seen the option in the panel for this, and as far as I know only a
handful of users got accepted into the 'beta'.

------
dsr_
> RAM is not stressed: of the 1015MiB of RAM, 182MiB are free, and only 6MiB
> of swap is used. We typically don't worry about RAM on Linux systems until
> the swap space used exceeds twice the physical RAM

That's a bad metric. The question is rarely "does this machine use too much
swap". The problem comes when performance is degraded because pages that were
evicted out to disk are now needed again, and those processes wait for I/O.
swapin and swapout are the relevant figures.

edit: (If you're only using 6M of swap, it doesn't really matter, of course.
But if a system uses any substantial amount of swap, you want to check rate,
not quantity.)

~~~
seiji
Yes, that is quite a strange recommendation and the recommendation of "until
the swap space used exceeds twice the physical RAM" is really crazy. The best
recommendation for production servers is to disable your swap/page file
completely then just let your entire system crash on OOM.

Often times it's better to have a dead system (you do have HA and auto-
failover, right?) than to let difficult-to-track-down "slowness" into real
time systems.

~~~
Dylan16807
If your failover doesn't take extreme slowdowns into account, you've still
screwed up.

It's more complicated than just turning off swap. Even without swap, when you
run extremely low on memory the page cache will be squeezed to nothing and
you'll thrash. And I don't think there's a way to set a minimum page cache on
Linux.

So in other words, I would not rely on the OOM killer ever kicking in.

In a situation with more memory use over time a small swap can act as a
canary, letting you know you're nearing a performance drop, while a swapless
server could suddenly hit a molasses wall without dying.

~~~
aidenn0
Thrashing the page cache is typically _much_ less horrible than swap
thrashing, so swap off is still an improvement.

If you want a canary, why not just directly monitor the page cache size?

~~~
Dylan16807
I suppose it depends how big your binaries are, but once those are getting
culled from memory things are not pretty.

Keep in mind that if your swap is not huge, it will very often fill with cold
data and you won't have swap thrashing despite running out of memory.

Good point about measuring the page cache directly.

~~~
aidenn0
Ah yes. We can agree that both small swap and no swap are superior to the "2x
RAM" nonsense that still pops up as a recommendation though.

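The rate-not-quantity point dsr_ makes and aidenn0's suggestion to watch the page cache directly, as an added example (not code from the article or from Pivotal): the `/proc/vmstat` and `/proc/meminfo` snapshots are constructed to match the figures quoted above, and the 100 pages/s swap-in threshold is an assumption.

```python
# Constructed /proc/vmstat snapshots taken 10 s apart, and a /proc/meminfo excerpt
# whose totals match the article (1015 MiB RAM, 182 MiB free, 6 MiB swap used).
VMSTAT_T0 = "nr_free_pages 46592\npswpin 120\npswpout 1536\n"
VMSTAT_T1 = "nr_free_pages 46100\npswpin 8312\npswpout 9744\n"
MEMINFO = (
    "MemTotal:        1039360 kB\n"
    "MemFree:          186368 kB\n"
    "Cached:            73216 kB\n"
    "SwapTotal:       1048572 kB\n"
    "SwapFree:        1042428 kB\n"
)


def parse_proc(text):
    """Parse 'key value [kB]' lines (both files share this shape) into ints."""
    out = {}
    for line in text.splitlines():
        parts = line.replace(":", "").split()
        if len(parts) >= 2 and parts[1].isdigit():
            out[parts[0]] = int(parts[1])
    return out


def swap_rates(before, after, seconds):
    """Pages swapped in and out per second between two vmstat snapshots."""
    b, a = parse_proc(before), parse_proc(after)
    return ((a["pswpin"] - b["pswpin"]) / seconds,
            (a["pswpout"] - b["pswpout"]) / seconds)


def swap_used_mib(meminfo):
    """The quantity the article looks at: swap in use, in MiB."""
    m = parse_proc(meminfo)
    return (m["SwapTotal"] - m["SwapFree"]) // 1024


def page_cache_mib(meminfo):
    """aidenn0's canary: size of the page cache, in MiB."""
    return parse_proc(meminfo)["Cached"] // 1024


def verdict(before, after, seconds, swapin_threshold=100):
    """'thrashing' when the swap-in rate (pages/s) exceeds an assumed threshold;
    a few MiB of swap in use is harmless if nothing is being paged back in."""
    swapin, _ = swap_rates(before, after, seconds)
    return "thrashing" if swapin > swapin_threshold else "ok"
```

On a real host, read `/proc/vmstat` twice with a sleep in between and feed the two texts to `swap_rates`.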
------
ck2
While I despise the SSL cartel, there are many problems with this attempt at a
solution.

Let's Encrypt began testing their free SSL certificates this week and will
formally launch November 16th (two months from now)

[https://letsencrypt.org/2015/08/07/updated-lets-encrypt-launch-schedule.html](https://letsencrypt.org/2015/08/07/updated-lets-encrypt-launch-schedule.html)

However they have no plans for wildcards and you have to renew every 90 days
(automation possible).

They also do not have their intermediate certificate working yet (but will
have to by November).

But if you do not need wildcards, the StartSSL free certificate has been an
option for a long time:

[http://www.startssl.com/?app=33](http://www.startssl.com/?app=33)

(startssl works in all browsers and has a 1 year renewal)

~~~
nly
WoSign issue free certs with up to 100 altnames, which is almost as good as a
wildcard cert for many purposes, valid for up to 3 years. They also revoke for
free.

They're the best option at the moment if, like me, you don't want to put a
penny into the CA industry.

~~~
IgorPartola
I was not aware of this option. However, it seems to be operating out of
China. How does that affect security and availability in the long run?

~~~
ivanr
It doesn't affect security, they're already in browsers' trust stores. It does
affect availability, but only because (the last time I checked) WoSign's OCSP
responders operated from China only. To address network latency issues with
your users located far away, make sure you have OCSP stapling configured on
your servers.

------
omh
From what I can see this uses the same public/private key for everyone using
the service. So it would be easy to MITM any HTTPS connection using this if
you're a network admin or hostile WiFi etc.

I don't think this is a problem for the intended audience - developers and
test sites.

But there should perhaps be a clear warning somewhere about not using this in
production.

EDIT: Turns out this is actually mentioned on the FAQ page of
[https://sslip.io/](https://sslip.io/)

~~~
JosephRedfern
I'm not suggesting that this makes it acceptable to use in production - but am
I right in thinking that you'd be unable to MITM the connection if the
server/client both support perfect forward secrecy?

~~~
brohee
Someone that intercepts the traffic acts as a proxy and will just PFS with the
client and the server.

Confidentiality should be ensured by PFS if the attacker is only sniffing. But
there are so many scenarios where even an unsophisticated attacker can do more
that it is not worth thinking about.

~~~
JosephRedfern
That makes perfect sense - thanks.

------
krikulis
It should have NOT SECURE written in big red letters - everyone has your
private key, so there is no security at all.

~~~
EngineerBetter
It's very clearly stated on the project's website:

"sslip.io's primary purpose is to assist developers who need to test against
valid SSL certs, not to safeguard content."

"Although there's no technical reason why you couldn't use the sslip.io SSL
key and certificate for your commerce web, we strongly recommend against it:
the key is publicly available; your traffic isn't secure."

~~~
regecks
I wonder what that scenario even is, where you need a trusted certificate and
are also (for some reason?) unable to use the mechanisms widely available in
environments (either OS or language/API) to trust a testing certificate.

This seems like a very silly service to operate, and as remarked by others, I
guess the certificate will be revoked soon because the private key data is out
there.

Mostly surprised that this wasn't obvious to a company like Pivotal from the
first moment.

------
EngineerBetter
Because people seem to be missing it, here's a quote from the project website:

"sslip.io's primary purpose is to assist developers who need to test against
valid SSL certs, not to safeguard content."

~~~
viraptor
I don't think they're missing it. It's a bad idea and you can have your own
valid certificate for free from many companies. Or for test, you can create
your own cert in 2 lines of bash. (and add the ca to trusted store, so it's
just as valid as this one)

For testing purposes you can also generate your certs valid only for a few
hours/days, so you can be sure they never get used in production by accident.
And with proper SAN entries.

~~~
radiac
Exactly - there's no need for a service like this when you can have self-
signed certificates. Create a CA cert to distribute across your team, then use
it to sign host, wildcard and SAN certs as needed. If you need to share your
site with people who don't have your CA cert, it's time to get a real one.

In case it helps anyone, I wrote an openssl wrapper with a simple syntax to
manage self-signed CAs:
[https://github.com/radiac/caman](https://github.com/radiac/caman)

------
joshstrange
I've tried to find this info multiple times but what cert will work for:

domain.com

sub1.domain.com

sub2.sub1.domain.com

I'd love to buy one cert for my main domain and then be able to secure
"infinite" depth of subs but every place I've contacted said that doesn't work
yet they seem to have done just that...

~~~
timdorr
There's a section in the article about how they use dashes instead of dots to
separate octals in the IP. That way the wildcard cert covers those subdomains
because they are only one level deep.

~~~
joshstrange
Ahh, I'm an idiot. Thank you for pointing that out to me. xip.io uses dots and
so my brain just assumed dots on this one as well. I still would be very
interested in finding a provider that did this or gave a reasonable number of
domains on the cert. Though wildcard on subs is what I really want without
having to buy one for each sub so I can do:

*.server1.joshstrange.com

*.server2.joshstrange.com

etc...

~~~
stouset
Providers _can't_ do this, because browsers implement an RFC that doesn't
allow multi-level wildcards.

~~~
joshstrange
Yeah, I've read this previously. It seems odd to me, I feel like I _should_ be
able to do this, I own the domain and I want to secure everything underneath
it... _sigh_ I guess I'll have to settle for a cert that allows for lots of
domains under it and just have to create a different cert for each domain.

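The dashes-instead-of-dots trick timdorr describes and the one-label wildcard rule stouset refers to, as an added example (not code from sslip.io, xip.io or the article): `wildcard_matches` applies the browser rule, and `sslip_hostname`/`sslip_decode` are assumed helper names for the hostname encoding.

```python
import ipaddress
import re


def wildcard_matches(pattern, hostname):
    """Apply the browser rule: '*' must be the whole left-most label and it
    matches exactly one label, so '*.example.com' covers 'a.example.com' but
    not 'b.a.example.com' and not the bare 'example.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # wildcard only as the entire first label, nowhere else, and never '*.com'
    if plabels[0] != "*" or any("*" in l for l in plabels[1:]) or len(plabels) < 3:
        return False
    # the '*' stands for one label, never zero and never several
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def sslip_hostname(ip):
    """Encode an IPv4 address the way sslip.io does: dots become dashes, so the
    whole address is a single label and '*.sslip.io' covers it."""
    return str(ipaddress.IPv4Address(ip)).replace(".", "-") + ".sslip.io"


def sslip_decode(hostname):
    """Recover the IPv4 address from a dashed sslip.io label, or None."""
    m = re.fullmatch(r"(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.sslip\.io",
                     hostname.lower())
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(m.groups())))
    except ValueError:  # e.g. an octet above 255
        return None
```
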
------
PC-Hawk
That didn't take long...

Secure Connection Failed An error occurred during a connection to
52-0-56-137.sslip.io.

Peer's Certificate has been revoked.

------
SirFatty
How about an IP address for every person?

~~~
comboy
you mean IPv6?

~~~
eudoxus
More like 1 IP for every atom in the universe.

~~~
jakeogh
I got curious... looks like we need IPv8 for that... estimates put it around
10^78, so 2^256 won't even do.

------
vog
Nice hack, but:

What's preventing them from resolving _YOUR-IP.sslip.io_ to a completely
different IP address that delivers some malware to you?

EDIT: Changed "your users" to "you"

~~~
pki
because you shouldn't have users on this

~~~
vog
(See EDIT) Okay, so what's preventing them from delivering strange stuff to
you, that claims to be your test site, but isn't?

------
jason_madigan
Cert has been revoked

------
swills
Further evidence that the SSL/TLS model of combining transport security and
trust is broken.

------
devy
sslip.io wildcard SSL certificate has been revoked!

[http://i.imgur.com/IyYEJNm.png](http://i.imgur.com/IyYEJNm.png)

------
minizatic
Just a heads up, @BrianCunnie, you are dead. I'm not sure why. I don't see
anything in the comment history to justify shadowbanning, maybe someone with
more insight into how and why people are banned can elaborate. Sorry this is
top-level, you can't directly reply to dead comments.

~~~
brian_cunnie
Thanks mini. I'm not sure why they banned me (I used a link in my first
post?), but they let me create another account, and I'm now using that one.

~~~
dang
Not banned; your new accounts set off a spam filter. Sorry. We marked them
both legit and restored all the comments. Should be fixed now.

------
hoers
How about convincing the big browser vendors (e.g. through their bugtrackers)
to finally accept CACerts without warning? Such a shame that.

------
BrianCunnie
As you can probably tell, Comodo revoked our certificate this morning.

For those interested in rolling your own, we recommend getting your own
wildcard certificate and deploying your nameservers:
[https://github.com/cloudfoundry-community/xip-release#deploying-a-custom-version-of-xip-to-amazon-aws](https://github.com/cloudfoundry-community/xip-release#deploying-a-custom-version-of-xip-to-amazon-aws)

In the interim, we plan to see if there's a way we can accomplish what we want
without violating the terms of agreement.

Thanks for the interest,

