
Unqualified Names in the SSL Observatory - there
https://www.eff.org/deeplinks/2011/04/unqualified-names-ssl-observatory
======
invisible
I'd wager WebTrust doesn't really care or else this wouldn't go unfixed for so
long. While I appreciate this problem, I really wish we had something usable
between CA-signed HTTPS and regular HTTP. We can't even have encryption on the
web without paying somebody.

~~~
caf
I'm beginning to feel like a broken record saying this, but it's possible to
get a browser-recognised certificate for free, for example from
<http://www.startssl.com/> (yes, their web site design is straight out of
2001, but it works).

~~~
invisible
I've tried startSSL before and this is my view on that: Yeah great, unless you
want to support older certificate stores that haven't been updated (any before
2006). Maybe in another 3-5 years it'll be great though.

<http://news.ycombinator.com/item?id=1880688>

------
Groxx
Wouldn't signing `localhost` be useful in testing browsers and testing
locally-running versions of websites which have signed SSL certificates? The
alternative being intercepting and faking the responses from the CAs when your
browser attempts to verify your localhost:8080 website? Or is there another
viable, non-"master SSL off-switch" option here?

~~~
nbpoole
From the blog post:

"_Organizations relying on certificates for unqualified names should use
their own private CA for their private namespace. For example, all those
Exchange shops can use Microsoft's CA software._"

------
rbanffy
And when I make jokes with Exchange operators I am modded down... sigh...
Telling, I say.

