

Ask HN: Which CAs can you trust? - Tharkun

I&#x27;m in the market for a couple of SSL certificates. With all this NSA news my natural paranoia is being amplified. I&#x27;d prefer to spend my money on a CA that&#x27;s trustworthy on the one hand, and technically competent on the other.<p>Who would you recommend, and who should be avoided like the plague?
======
patio11
I don't know if what your threat model is here, but if you believe the NSA can
suborn any CA trusted by your user's browser, then the question of which CA
you use is moot. (Modulo something like certificate pinning, which helps if
your advertising company that runs an enormous popular mail service also
happens to also develop a popular browser.)

Assuming that an adversary can get one suborned CA to sign a certificate for
your domain, the adversary can use that certificate to MITM first connections
to your site without causing any sort of warning message within the browser.
They can then both sniff and alter messages going in either direction,
including e.g. stealing credentials, cookies, and what have you.

~~~
casual_slacker
It should be noted that certificate pinning is only effective if you can trust
the origin of the certificate at the time it is pinned. Imho google is only
pushing for something like this because of the Iran incident[0] where a hacker
(possibly the Iranian government) coerced a Dutch CA into providing a
compromised certificate for gmail. It won't do much for stopping the US
government who is already in a position to coerce CAs before pinning is
implemented.

0:
[http://www.computerworld.com/s/article/9219731/Hackers_spied...](http://www.computerworld.com/s/article/9219731/Hackers_spied_on_300_000_Iranians_using_fake_Google_certificate).

------
jbangert
With the current implementation of SSL, there really is no point in picking
one CA over another for security purposes (unless you don't trust a CA with
billing, etc. data). In the typical use case of a web browser, any trusted
(root) CA can sign certificates for any Common Name/domain - so any government
or private entity that can influence a commonly trusted CA can get a valid
certificate for any site - irregardless of which CA you chose to trust.

Furthermore, if done properly, your CA will never handle any of your (private)
key material, so the CA itself has no special privilege with respect to the
communications you sign with the private key, so there is also no reason to
pick one here.

The only cryptographic thing they can do right or wrong is to allow easy and
hassle free revocation of your certificate in case of a key compromise.. The
main factors I would consider in picking a CA are pricing, customer service,
acceptance and whether they are recognized as 'extended validation'.

------
bigiain
As I see it - until there's broad support for Certificate Pinning, your users
browsers are going to trust all 700-ish CA Root certs that
Chrome/Firefox/Safari/IE(/and others) ship with, so your choice of CA doesn't
stop Mallory from creating a plausible SSL cert for your domain with her
choice of compromised CAs, and have your users believe she's you no matter
which CA you carefully chose.

Having said that - if you're being diligent, make sure you generate your own
public/private keypair and only send the CSR to the CA to sign your public
key.

I noticed recently that StartSSL, although they'll happily accept a CSR, also
offer to generate your key pair and give you the private (and public) key.
While I understand their desire to make acquiring an SSL cert as easy as
possible even for non-technical people (especially since they'll give you a
cert for free, so minimising support is clearly critical to their business),
the idea of having my private key come from something other than a machine I
trust that's completely under my control seems very wrong.

------
cowchase
It sounds a bit as if you were worried your CA could hand out your key to the
NSA. That's not how SSL works. CAs only certify the validity of your public
key. Your private key never leaves your machine. If you are looking for a
vendor that supports your cause, take a look at Namecheap:
[https://www.namecheap.com/ssl-certificates](https://www.namecheap.com/ssl-
certificates)

~~~
znowi
Yes, Namecheap has been socially responsible and somewhat of a rebel. They're
one of the few big name companies that joined the _Stop Watching Us_ [1]
initiative. None of the PRISM companies have, as far as I know.

[https://stopwatching.us/](https://stopwatching.us/)

------
achalkley
You can't trust any. Centralized certificate authorities are a weakness. We
need to get distributed trust system like a Bitcoin of CA.

~~~
jlgaddis
RFC 6698:

>The DNS-Based Authentication of Named Entities (DANE)

> Transport Layer Security (TLS) Protocol: TLSA

[https://tools.ietf.org/html/rfc6698](https://tools.ietf.org/html/rfc6698)

~~~
tptacek
DANE. The proposal where the DNS becomes the new CA, so the United States
Government can be the root of all CAs.

Good plan.

------
jlgaddis
Honest Achmed's Used Cars and Certificates:
[https://bugzilla.mozilla.org/show_bug.cgi?id=647959](https://bugzilla.mozilla.org/show_bug.cgi?id=647959)

------
csense
If you're paranoid, learn the OpenSSL command line, make a self-signed CA
cert, and have your clients trust your cert and distrust all other CA's.

Of course, this only applies if you have control of your clients, and those
clients are only going to be accessing your server.

If you want the general public to be able to access your site through a
normally configured web browser, this setup is quite unworkable; but the other
commenters in this thread have some advice.

------
huhtenberg
> trustworthy

For all practical intents and purposes, they are all the same.

> technically competent

Likewise here.

------
monkey26
My approach may be silly. But 2 guys who know way more about SSL than me, Ivan
Ristic (SSLLabs, Qualys) and Moxie Marlinspike appear to use StartCom and
Gandi.

But also see cowchases message - I'd probably use NameCheap myself if after a
wild card certificate, but for the free certificates at StartCom have served
me well.

------
lmm
As others have said, browsers trust a cert from any CA. I'd suggest you also
sign your cert with PGP via monkeysphere. Then people who have and use the
firefox extension will know if any funny business happens. (Granted this will
be a tiny percentage of your users - but it's also the most paranoid ones).

------
fulafel
There is no point - the browser SSL model is as b strong add the weakest link
and the CA certs are sold on the open market.

