
Free SSL Certificate for Open Source Projects - iancarroll
https://www.globalsign.com/ssl/ssl-open-source/?
======
middleclick
This is a good initiative. Open source security projects could really make use
of this. As a small example, the Gpg4win [1] project does not support HTTPS.
Now whether this is due to a lack of funds or motivation is unclear, but a
free SSL certificate might sound enticing and may motivate people to install
them on their servers.

[1] [http://www.gpg4win.org/](http://www.gpg4win.org/)

~~~
atmosx
Why should this project support 'https'?

There are no user registrations taking place or sensitive information. It's
just binaries.

~~~
slig
So no one can do a MITM attack and change the binaries as you download them.

~~~
atmosx
Hm, I trust the package integrity check [1] more than the SSL [2].

[1] [http://www.gpg4win.org/package-integrity.html](http://www.gpg4win.org/package-integrity.html)

[2] [http://www.thoughtcrime.org/blog/authenticity-is-broken-in-s...](http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/)

~~~
mihai_ionic
So no one can do a MITM attack and change the SHA1 checksum, OpenPGP Key ID,
file lengths and code signing certificate fingerprints as you download
package-integrity.html?

~~~
EGreg
You can do a MITM attack with certificates also. In fact, the NSA can do it by
compromising any CA in the chain.

A distributed system that verifies identity would be much better. For example,
Namecoin-based identities and checksums committed to the blockchain.

In fact, any self-signed public key system with a MAC distributed to many
sources would be good enough. It doesn't have to have proof of work. The only
requirement is that there are enough root CAs that you can't compromise them
all.

This should be taken care of by browsers themselves!

I wrote this 3 years ago and since then nothing has been done:
[https://news.ycombinator.com/item?id=2024164](https://news.ycombinator.com/item?id=2024164)

~~~
orthecreedence
Agreed, CAs are an easily-exploitable smokescreen. Distribution is the way to
go here. Seems like you could post your public key in the data section of a
namecoin domain entry, no?

I think there is movement on this type of system, but it's slow because people
don't realize just how insecure HTTPS is when CAs and the US government are
involved.

~~~
EGreg
Is there any work on a project like this that you know of?

~~~
orthecreedence
I heard of a project a while back, but haven't seen it since and I forget the
name. My understanding is that it's slow going. I think the best bet is, as
mentioned, piggyback onto the blockchain somehow. Namecoin is probably the
closest to getting this right.

------
thoughtpolice
GlobalSign helped out Haskell.org and gave us a nice wildcard certificate
quickly and easily. We really appreciated it.

------
jdorfman
My company has been a GlobalSign partner for a little over 2 years. They are a
great company and I am really happy to see them supporting the OSI. Nice to
have partners that have the same vision when it comes to supporting the FOSS
community.

------
sargun
This is a cool initiative, but honestly, I would far prefer if open source
projects started to implement DANE.

~~~
drdaeman
DANE is a good idea, but almost useless in practice since it lacks browser
support (add-ons don't really count, since nearly no one would install them).

Any ideas how we could ask Mozilla, Google, Apple and Microsoft to include
DANE (and/or, maybe, TACK and/or Convergence) support into their browsers?

------
alien3d
I build accounting software ... and about the term open source: is it freely
downloadable, or a closed company that is open source to its customers? Previously I
used SSL for testing the speed of Google SPDY, but the performance was not much
different. Sorry, there is no GitHub account for downloadable accounting software,
but if the real code and product are wanted, to sell combined, access will be given.

------
dbg31415
But aren't these like $1.99 through NameCheap?

------
n0body
StartSSL gives them for free anyway.

------
finnn
Free SSL certificate for pretty much anyone:
[https://startssl.com/](https://startssl.com/)

Why do people pay for SSL certificates?

~~~
dm2
I do not recommend StartSSL.

Their $25 fee for revocation during the Heartbleed situation left many of
their users who could not pay their fee vulnerable to attack. During these
extenuating circumstances you would expect them to offer the revocation for a
discounted price or even free, but they did not. I did not have any
certificates registered with them and am very glad I didn't.

I imagine that there are a huge amount of StartSSL users who cannot pay the
$25 per certificate and have no choice but to leave their server vulnerable.
This was pure short-sighted greed on the part of StartSSL.

I'd strongly recommend [https://www.namecheap.com/security/ssl-certificates/comodo.a...](https://www.namecheap.com/security/ssl-certificates/comodo.aspx).
It's a great price and their support has been excellent in my experience. If you
have an open source project then the GlobalSign free certificate is hard to beat.

~~~
Istof
The $25 fee is a bad move but if you don't revoke your old (compromised)
certificate, new connections would still be secure if you switched
certificate, correct?

~~~
pacificmint
No they wouldn't, because the MITM attacker would simply use the old one. And
the user wouldn't know. That's why the old one needs to be revoked.
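
As an added example (not code from anyone in this thread): a Go program, standard library only, that plays out the exchange above with a constructed CA and the constructed hostname www.example.com. It issues an old and a new certificate for the same name, revokes the old one in a CRL, and shows that a client which never consults revocation data still accepts the old certificate, the one an attacker holding the leaked key would present; the CA's CRL stands in for whatever revocation channel (CRL or OCSP) a real client would query.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const host = "www.example.com" // constructed hostname for this example
// issue signs a certificate for cn with parent/pkey; a nil parent yields a self-signed root.
func issue(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0}
	if parent == nil { parent, pkey = t, key } // self-signed: the template is its own issuer
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// accepted reports whether a client trusting ca accepts leaf for host; x509.Verify never checks revocation, so the CRL is checked afterwards (nil = a client that never does).
func accepted(leaf, ca *x509.Certificate, crl *x509.RevocationList) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil { return false }
	if crl == nil { return true }
	if crl.CheckSignatureFrom(ca) != nil { return false } // a CRL not signed by the CA proves nothing
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 { return false }
	}
	return true
}

// Scenario: the old key leaked, a replacement was issued and the CA revoked the old cert; returns whether a client accepts the old cert without a CRL, the old cert with it, and the new cert with it.
func Scenario() (oldNoCRL, oldWithCRL, newWithCRL bool) {
	ca, caKey := issue("Example Root CA", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, nil)
	oldLeaf, _ := issue(host, 2, x509.KeyUsageDigitalSignature, ca, caKey) // private key later leaked
	newLeaf, _ := issue(host, 3, x509.KeyUsageDigitalSignature, ca, caKey) // replacement certificate
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: oldLeaf.SerialNumber, RevocationTime: time.Now()}}}, ca, caKey)
	if err != nil { panic(err) }
	crl, _ := x509.ParseRevocationList(crlDER)
	return accepted(oldLeaf, ca, nil), accepted(oldLeaf, ca, crl), accepted(newLeaf, ca, crl)
}
```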

------
steven2012
Free SSL certificates are completely undermining Internet security. The whole
point of certs is that you have a certificate authority that verifies the
identity of the person you are issuing the cert to. By giving it away for free
and doing zero of the backend work, all you're doing is creating a false sense
of security and poisoning the ability to trust https.

~~~
Pyramids
As it stands, the majority of CAs do not verify any of this information,
besides a very cursory email verification.

Exceptions would obviously include higher priced (OV/EV) certificates, which
are no different cryptographically. Even the CA mentioned (GlobalSign) states
this fairly clearly on their website.[1]

[1] [https://www.globalsign.com/ssl-information-center/types-of-s...](https://www.globalsign.com/ssl-information-center/types-of-ssl-certificate.html)

