
What I hate is that Firefox/IE complain if you don't get one of these paid SSL certificates. The encryption of HTTP traffic should be free and without unneeded burden.


Comodo and other SSL providers will give you free certs that don't cause any warnings. But, they only last 3 months instead of 1 year.


Hey thanks! Do they cover all subdomains also though?


https and SSL are free. It's just that if the certificate is not from a recognised authority it warns you. That's a good thing in my book.


That's terrible in my book. What if you are running an entertainment site with lots of subdomains and for every single subdomain the user gets harassed with this question?

These certificates have nothing at all to do with "authority." Just think about it, what exactly do they prove?

Why should you only be allowed to speak in confidence with well identified parties (not that Verisign remotely attempts to identify anyone)? Think carefully.

Related: http://www.schneier.com/blog/archives/2005/12/new_phishing_tr.html


The SSL software in your web browser uses the information from the certificate authority to mathematically PROVE a man in the middle attack is NOT happening.

Anytime you use a self-signed certificate [edit] without manually verifying the fingerprint of the certificate [/edit] ANYONE who controls the network hardware between you and the second party can eavesdrop and even tamper with the communication stream. Neither you nor the second party has any way of knowing what's going on. That's why we NEED a warning every time we encounter a self-signed certificate.

The default behavior of the browsers is fine and we're lucky that the design allows us to fool around with self-signed certificates at all.

EDIT: If you manually verify the fingerprint of the self-signed certificate each time you connect you can be sure your connection is secure. But still the UI makes sense (even more sense).


"""Anytime you use a self-signed certificate ANYONE who controls the network hardware between you and the second party can eavesdrop and even tamper with the communication stream. Neither you nor the second party has any way of knowing what's going on. That's why we NEED a warning every time we encounter a self-signed certificate."""

I believe that you misunderstand the technology.


I'm by no means an expert on crypto but I think I understand the fundamentals. If something I said is incorrect please point it out specifically. See [1] for a more complete explanation of my point.

[1] http://en.wikipedia.org/wiki/MITM


Doesn't the browser warn you by default for self-signed certificates? If so, your second paragraph is incorrect, isn't it? You would get a warning every time you encounter a self-signed certificate.


The language in my post is a bit sloppy and for that I apologize. As I imply in the second paragraph and explain in the edit, you do get a warning BUT unless you then pull out your paper copy of the fingerprint and manually compare the fingerprint of the certificate with the one you have on file you do not know that your connection is secure. When is the last time anyone took that step? We need CAs to automate this process for us.
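
Added example (not part of any post in this thread): the manual step described in the two comments above, comparing a self-signed certificate's fingerprint with the copy on file, written as a Python check. SHA-256 is assumed as the fingerprint algorithm, and the function names and the stand-in certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER certificate bytes (not real certificates).
GENUINE_DER = b"constructed stand-in: the server's self-signed certificate"
SUBSTITUTED_DER = b"constructed stand-in: a certificate swapped in on the path"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(der: bytes, on_file: str) -> bool:
    """Compare the presented certificate with the fingerprint on file."""
    # Accept "AB:CD", "ab cd" or "abcd": keep only the hex digits.
    wanted = "".join(c for c in on_file.lower() if c in "0123456789abcdef")
    return hmac.compare_digest(hashlib.sha256(der).hexdigest(), wanted)


def open_pinned(host: str, on_file: str, port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection that is trusted only if the fingerprint matches.

    CA validation is switched off because the certificate is self-signed;
    the fingerprint comparison is the only authentication left, and it is
    done on the same connection that will carry the data.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    sock = socket.create_connection((host, port), timeout=5)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    if not matches_pin(tls.getpeercert(binary_form=True), on_file):
        tls.close()
        raise ssl.SSLError(f"fingerprint mismatch for {host}, refusing to continue")
    return tls
```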


The Authority provides a way to check the address of a domain name holder and other useful information. It makes it a lot harder for someone to create a spoof domain like https://www.paypa1.com and for Paypal's real address to be displayed in the certificate when you click on it. Basically Verisign and co stake their reputation on checking the details of the certificate applicant.

I don't see what's terrible about browser makers trusting certain authorities. It's useful to the user, and there's more than one authority so less chance of abuse. The only alternative is no authorities, or a government bureaucracy issuing them. I don't see how either of those 2 options is superior to the current situation.

There's nothing stopping you creating a free Certification Authority, it's just that you'd have to persuade the browser makers to trust you.


"""I don't see what's terrible about browser makers trusting certain authorities"""

Because the authorities trust anyone who pays them 20 bucks. THEN, the users trust any site where the address bar turns yellow. Do you see the break in the chain here?


You're changing your argument. Your initial point was that encrypted HTTP should be free. It is.

Then you switched to say that you can't really trust Authorities. Maybe so, but the current setup seems better to me than the alternatives.


Read Schneier's take on it that I linked to. He agrees that this false sense of positive identification can be WORSE than none at all. And that has to do with the warnings that the browser gives, not the matching up of the domain names.

Second, my argument has always been that the browser should not harass the user of a site that has not taken part in this PHONY identification procedure.

Heck, even Google AdSense has seen through this scam and not bothered to pay the fee.

Edit: To clarify, most users equivocate signed SSL certificate == trustable site. That is WRONG. Verisign does not vigorously establish the non-evilness of your site.

Example: http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html



