Add HTTPS to NGINX for free and help make the world more secure (levels.io)
5 points by pieterhg on June 13, 2013 | 7 comments

Why not sign your own certificate[1]? Is there any reason to trust StartSSL? How do we trust any SSL company? They may well be giving private keys to the NSA, especially if the certificate is free.

[1] To clarify, I mean for personal use, like securing your own servers for your own use.

I use my own certificates internally, of course. I just want to prevent eavesdropping, so it's good enough, and I'm sure the NSA doesn't have my keys.

The problem is, of course, browsers won't have you as a trusted root, therefore displaying a warning to the users. That's not acceptable for a public facing site. We have to trust someone here to give us a certificate.

Because then we start training users to just ignore those warnings about self signed certs and effectively destroy SSL because man in the middle attacks are made easy.

And I just saw your clarification. Who doesn't use self-signed for that?

For that matter, you can do that within an organization and just push out your CA cert company-wide. Save some money.

The free SSL certs are maximum 256bit keys. As pointed out in Cloudflare's blog post yesterday, a 2009-era PC could crack a 512bit SSL cert key in 73 days. Today's machines would make mincemeat of such weak certs.

I'm confused. I thought StartSSL only supported 256 bit certs, and their website does mention that, but the linked article mentions generating a 2048 bit key which gets signed by StartSSL.

I did this yesterday for my Raspberry Pi. Sad to say that Firefox users will get a warning on the StartSSL certificate.

Works fine on IE and Chrome though.

Great, thanks :)
