

How to obtain and install an SSL/TLS certificate, for free - abraham
http://arstechnica.com/security/news/2009/12/how-to-get-set-with-a-secure-sertificate-for-free.ars

======
dpcan
How long until Google becomes an authority and just starts handing out SSL
certificates for free?

Doesn't this sound like something they would already be doing?

~~~
windsurfer
Would Microsoft accept a Google-signed certificate? Would Microsoft pre-
install such certificates by default?

~~~
dangrossman
Is there some reason Microsoft would not want to accept a Google signed
certificate?

~~~
tptacek
Is there some reason Microsoft _would_ want to accept a Google root
certificate?

~~~
ars
Regulatory or consumer pressure. The desire to not have the appearance of
anti-competitive actions.

~~~
tptacek
... are fuzzy arguments that will be torpedoed by any weak security argument
Microsoft deploys against them.

Turn this over on its head. What about Mozilla accepting a Microsoft-run CA?

~~~
blasdel
I really hope they would -- it'd be extremely nice for vanilla Windows Server
installs to be able to provision themselves a default certificate.

Of course, Mozilla are the asshats that _innovated_ the draconian dialog maze
for self-signed certificates, and as such have made it impossible to ship
appliances with HTTPS web interfaces. I hope their heads fall off.

Don't you _really_ want WiFi access point config pages to be HTTPS-only?

~~~
windsurfer
I think it's great that Mozilla made it difficult to use self-signed certs.
Most people don't use them correctly, and making self-signed essentially off
limits to people is a great increase in security.

You should try using ettercap. It's surprisingly easy to intercept all traffic
going to and from a self-signed site.

~~~
ars
It's easy to use ettercap to mount a man-in-the-middle attack?

Self-signed certs are only vulnerable to mitm attacks, but don't most network
topologies make doing that pretty hard?

~~~
tptacek
No. Anyone who can see a DNS query can hijack traffic.

------
plaes
In case you are looking for alternative free certificate authority then there
is also <http://CAcert.org>

PS. I'm a happy CAcert certificate user ;)

~~~
tptacek
Does any mainstream browser include the CACert root? Without it, you might as
well just use no certificate; self-signed certs add no additional security to
TLS in the HTTPS case.

~~~
Sidnicious
At the moment, no, but CACert is working on it. Certificates issued by CACert
are still more valuable than self-signed because the owner's identity has been
verified and, if the user installs the CACert root once, they can all be
checked against it.

~~~
tptacek
Without the root cert installed, they add zero additional security, because
the browser can't verify them. They might as well be self-signed.

CACert has been working on this for a long time, and the outlook does not seem
positive. If they can't even get past Mozilla's audit requirements, how well
do you think they'll fare with Microsoft?

~~~
Sidnicious
I checked in with someone from CACert at 26C3. As far as he knows, the audit
is moving forward and they expect to make it into both.

------
robotrout
Off topic:

Is there any problem with buying a certificate and using the same certificate
for your postfix TLS email authentication that you use for your web server
authentication?

I would like to have authenticated email, to minimize the chance of my emails
bouncing, and I was hoping to only purchase one certificate. I can't find
anybody talking about mail server TLS email authentication on the
certification websites. They only talk about web authentication and a bit
about email client authentication.

~~~
Andys
Yep, you can use the same certificate for email (IMAP, POP, TLS). Only works
without warnings if your clients connect to the same hostname as the
certificate is for (so I usually register something other than www.domain.com
for the SSL site)
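The hostname rule Andys describes is what decides whether robotrout's single certificate can serve both the web site and the mail server without warnings. The following is an added example, not code from the thread or from any of the vendors mentioned: it matches each service's configured hostname against the certificate's DNS names the way clients do (exact match, or a wildcard that covers only one leftmost label), so the gaps show up before a client does. All hostnames are constructed.

```python
"""Check whether one certificate's names cover every hostname clients use.

Added example (not from the thread): a cert is accepted without warnings only
when the hostname a client connects to (web, SMTP, IMAP, POP) matches a name in
the certificate, so one cert can serve all services only if it lists, or a
wildcard covers, each of those hostnames. All names below are constructed.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive, wildcard only as the whole
    leftmost label, never matching across a dot or a bare domain."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire leftmost label and not the only label.
    if p_labels[0] != "*" or len(p_labels) < 2:
        return False
    # "*.example.com" matches "mail.example.com" but neither "example.com"
    # nor "a.b.example.com".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def service_coverage(cert_names, services):
    """Map each service to whether its hostname is covered by the cert.

    cert_names: dNSName entries from the certificate's subjectAltName.
    services:   {service: hostname clients are configured to connect to}.
    """
    return {
        svc: any(hostname_matches(n, host) for n in cert_names)
        for svc, host in services.items()
    }


# Constructed sample: a cert bought for the web site, reused for the mailer.
WEB_CERT_NAMES = ["example.com", "www.example.com"]
WILDCARD_CERT_NAMES = ["*.example.com"]
CLIENT_HOSTNAMES = {
    "https": "www.example.com",
    "smtp-submission": "mail.example.com",
    "imaps": "imap.example.com",
}

if __name__ == "__main__":
    for label, names in (("web cert", WEB_CERT_NAMES), ("wildcard", WILDCARD_CERT_NAMES)):
        for svc, ok in service_coverage(names, CLIENT_HOSTNAMES).items():
            print(f"{label:9} {svc:16} {CLIENT_HOSTNAMES[svc]:18} {'ok' if ok else 'WARNING'}")
```

With the plain web cert only the HTTPS hostname is covered, so mail clients pointed at mail.example.com or imap.example.com would warn; a wildcard cert covers all three subdomains but not the bare example.com.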

