
I was involved in this launch and I want to address a very common misconception I'm seeing here and elsewhere.

Some webmasters say they have "just a content site", like a blog, and that doesn't need to be secured. That misses out two immediate benefits you get as a site owner:

1. Data integrity: only by serving securely can you guarantee that someone is not altering how your content is received by your users. How many times have you accessed a site on an open network or from a hotel and got unexpected ads? This is a very visible manifestation of the issue, but it can be much more subtle.

2. Authentication: How can users trust that the site is really the one it says it is? Imagine you're a content site that gives financial or medical advice. If I operated such a site, I'd really want to tell my readers that the advice they're reading is genuinely mine and not someone else pretending to be me.

On top of these, your users get obvious (and not-so-obvious) benefits. Myself and fellow Googler and HNer Ilya Grigorik did a talk at Google I/O a few weeks ago that talks about these and a lot more in great detail:

https://www.youtube.com/watch?v=cBhZ6S0PFCY




So Google's position is that SSL is such a high priority for content sites that they will officially incite a mad scramble for every content site on the planet from big media companies to hobby blogs to secure their page behind https to keep their ranking, but yet doesn't see anything wrong with the fact that every Blogger blog and even the Google Online Security Blog that it is announced on, is insecure. Nice.


"A journey of a thousand miles begins with a single step"


In my country, the cost of a SSL certificate is around 60% of my hosting costs, per year. I run a low-traffic blog with comments disabled, so users do not "interact" with the site in any way - except consume the content. I don't see any benefit from this.



StartSSL is pretty harmful as evidenced by the events after Heartbleed. The certificates are free but they charge you to revoke them, and after we found out about Heartbleed and realized a lot of those free certs were compromised a lot of people refused to pay up for their free keys and continue using the compromised ones. What's more is that StartSSL refused to do the right thing and revoke them, leading a lot of folks to even go as far as petitioning to remove StartSSL from Firefox's Certificate Authorities because any given site using their free certs could be compromised. [0]

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744027


Erm... Heartbleed has absolutely nothing to do with what version of OpenSSL you use to generate the cert.


No, but if your SSL certificate has been exposed by Heartbleed, it would be sensible to revoke that certificate to prevent potential spoofing attacks, wouldn't it?

StartSSL charge you for revoking that exposed certificate, so your choices are you pay for the revocation, or wait until the certificate expires.


In their defence, their treatment of revocation requests is made quite plain in their policies, and any Heartbleed exposure was not their fault (their signing certs were not affected IIRC).

Now if there had been a problem with their signing certificates then I would have expected them to revoke anything affected for free and offer replacements similarly at no cost.

OK, they could have done that anyway (or perhaps offered a discount on the revoke charge) as a goodwill gesture, but they didn't, so what.


Leaving aside the question of whether their response was reasonable (I see the arguments either way), it turned out that using their service to secure your website was not free.


> it turned out that using their service to secure your website was not free

All they claim is to provide free certificates for non-commercial use, and that they do provide. If people read something else into that it isn't because they were deliberately led to.

Though many people picking up a cert without really knowing the infrastructure won't know about revocation infrastructure and such, so might have misled themselves by not having read the Ts&Cs.


actually, what i think is.. they're as near 'free' as it gets, probably. at least there's no up front cost using them. then its a lottery as to when u need to pay them to revoke... it could still end up cheaper than paying yearly fees for other certs, i imagine.. total cost of ownership or something..


You're right, so I fixed my post. What I meant was that my particular cert wasn't compromised. Either way, the StartSSL/Heartbleed fiasco is a real thing and I've added a link to the original discussion I was citing.


Cheers HN for downvoting a factually correct statement because the parent post got edited after I pointed out an error...


Do any current browsers even correctly support CRLs?


I see the benefits but I have to agree. This is a very real barrier to entry, and not just financially. Making SSL a global standard is just one more thing new web developers have to appreciate.


Get a free cert instead?


Free certificates tend to result in ugly warning messages in browsers …

Cheap certificates are available, however, they are still not for free. And hosting more than one domain with SSL is a problem too with most hosting providers if you do not want to book additional hostings.


> Free certificates tend to result in ugly warning messages in browsers

StartSSL is free, and as long as you correctly bundle the intermediate cert (something you have to do with many, many other CA's anyway) your SSL will look no different than a $100+/year one from an A-list provider.


Another advantage to webmasters with money … why?

SSL does not come cheap. Certificates have become cheap but you need your own IP, i.e., shared hosting is a problem and hosting becomes more expensive. Certificate sellers, hosters etc. on the other hand are certainly happy about these new business opportunities – although we all know that SSL is inherently broken.

OK, probably still better than nothing! :)


> but you need your own IP

Not anymore, unless you need to support antiquities like IE7 on Windows XP or some ancient Java-based software. SNI works just fine in other cases.


OK, good to know – although there are apparently still some restrictions according to comments by other HN users.

SSL is still more expensive, though. For most small content websites (< 500-1000 visitors a day), a shared hosting is sufficient with costs of maybe around 100 USD/year. For SSL, you usually need a more expensive hosting, you have to buy a certificate (OK, available for less than 10 USD if you don't care about its quality but need mainly browser support without an ugly warning window) and most hosters allow SSL only for one domain in a hosting.

Example:

Shared hosting with 4 WordPress blogs, SSL is active but only to access the control panel since the hoster allows SSL only for one domain. Costs incl. a cheap SSL certificate: 110 USD/year.

All 4 WordPress blogs with SSL, i.e., 4 shared hostings plus 4 cheap SSL certificates: 440 USD/year.

(And caching with a Wordpress plugin is probably no longer possible …)


StartSSL is 0 USD/year. There should be more providers like them, and if the barriers to entry ($$$$) weren't so insurmountable, I'd happily start one myself. But they do a good job, and I've used several free certs from them with no issues.

https://www.startssl.com/?app=1

You also don't need "expensive" hosting, it just needs to support SSL which is free from a technical perspective. You no longer need a dedicated IP either.


> available for less than 10 USD if you don't care about its quality

A cert with a larger key is better than one with a smaller key, but other than that, what's the "quality" of a SSL certificate?


PositiveSSL Multi-Domain certs allow enterprises and web hosts to secure multiple websites by including up to 100 domains within a single certificate.

$29.88/year.


Link? The numbers I see for this service are:

"Base certificate costs $165.00 for three domains"

"After the third domain, each additional domain costs just $45.00"

http://www.positivessl.com/multi_domain_ssl_certificate.php



That's only for 3 domains, not 100. 3 domains at $30/year is $10/year/domain which is no different than buying individual certs.

The multidomain cert supports up to 100 domains, but the cost is $29.88/year for the first 3 included, plus an additional $12.88/year for each additional domain.

Under this price structure, you could have 100 domains covered with one certificate, but it would cost you $1,279.24 per year for that single certificate.


> That's only for 3 domains, not 100.

Nobody said otherwise.

> 3 domains at $30/year is $10/year/domain which is no different than buying individual certs.

The problem was that shared hosting plans didn't support multiple certs, forcing people with a few sites to purchase a plan for each. The multidomain cert solves this problem.


Thanks!


> a shared hosting is sufficient with costs of maybe around 100 USD/year

Galloping gargoyles, where do you host that shared costs you $100? A small VPS costs half.


The shortage of IPv4 addresses and the horribly slow adoption of IPv6 is a big issue.

SNI works fine, but when it doesn't it fails horribly. Apache defaults to the first vhost on an IP which can result in non-SNI clients being redirected to the wrong site.

As for XP/IE7 usage, I have a client in an aerospace related industry with most of their customers still on XP/IE7.


Check your own stats before you assume you don't still have Win XP/IE users. I have quite a few.


Here's a list of browsers that support it...

http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers...


Except with the most popular version of Python


Works fine if you use requests, or any other HTTP library which hasn't been left to rot like the one in the 2.x stdlib.


Out of the box, requests on Python2.7 doesn't support SNI.

It is documented, and all you have to do is install additional packages to enable it, but still, that's not automatic.


It will be available in the future maintenance release http://legacy.python.org/dev/peps/pep-0466/


I think it would be much nicer if the browser vendors started pushing for DANE + DNSSEC.

Together, they are a quite neat combo and we wouldn't have to pay for certificates anymore.


And emails too then, no?

Lot of critical information is still transmitted through emails.


I am more than happy to migrate my site to https and I took two days to watch your YouTube video to ensure I do not miss anything.

But I have one very valid concern. Most websites run some kind of affiliate links and banners. Most of the affiliate links and banners are not on the https platform. This will cause a mixed content error message in the browser. First, does using protocol-relative URLs solve this mixed content error issue? Second, can the non-https affiliate links and banners work correctly (tracking etc.) on an https website?

I am sure this is the one big hurdle that needs to be addressed, or else more than 50% of the websites in existence will have difficulty migrating.
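The mixed-content question in the comment above, as an added example that is not part of the thread: a small audit that lists the subresources an HTTPS page would still fetch over plain HTTP. Protocol-relative URLs inherit the page's scheme, so they only help if the third-party host actually serves HTTPS, and a plain `<a href="http://…">` link is navigation rather than mixed content. The sample page and its host names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute pulls a subresource into the page (not exhaustive).
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentAudit(HTMLParser):
    """Collect subresource URLs that an HTTPS page would load over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []           # (severity, tag, url)
        self.protocol_relative = []  # become https:// on an HTTPS page

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag) or PASSIVE.get(tag)
        if attr is None:             # e.g. <a href>: navigation, not a subresource
            return
        url = (dict(attrs).get(attr) or "").strip()
        if url.startswith("//"):
            self.protocol_relative.append(url)
        elif urlsplit(url).scheme.lower() == "http":
            severity = "active" if tag in ACTIVE else "passive"
            self.findings.append((severity, tag, url))


def audit(html):
    parser = MixedContentAudit()
    parser.feed(html)
    return parser.findings, parser.protocol_relative


# Constructed sample page; every host below is a placeholder.
SAMPLE = """
<a href="http://affiliate.example/offer?id=42"><img src="http://banners.example/b.gif"></a>
<script src="http://tracker.example/t.js"></script>
<img src="//cdn.example/logo.png">
<img src="https://static.example/ok.png">
<img src="/images/local.png">
"""

if __name__ == "__main__":
    findings, relative = audit(SAMPLE)
    for severity, tag, url in findings:
        print(f"{severity:8} <{tag}> {url}")
    for url in relative:
        print(f"confirm this host serves HTTPS: {url}")
```

Entries reported as `active` (scripts, frames) are the ones browsers block outright on an HTTPS page; `passive` ones (images, media) typically degrade the security indicator instead.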


Hey Pierre,

Quick question. Is the type of certificate also a signal? i.e. self-signed vs plain vs EV?


I assume self-signed will be treated as having no certificate at all, if the reason for the difference in ranking is that a certificate implies the user will more definitely read what the server sends, as a self-signed certificate protected site is just as easy to MitM as one without a certificate at all.


Self-signed is worse than not having one. Don't do that.


Please stop spreading this lie. It's been debunked many, many times. Just because something doesn't provide 100% security doesn't mean you should give up and use nothing.

Once again, self-signed SSL raises the cost of an attack from "basically free" passive monitoring to a much more expensive[1] MitM attack. It's a travesty that apache doesn't simply auto-create a self-signed certificate if it doesn't have one so plain HTTP can be retired forever.

Note: this is about transport security, and the UI presented should not suggest any kind of authentication has been achieved. In firefox, this means not showing the "locked padlock" and other changes usually associated with SSL.

So please, stop undermining the security of the web. We could have been all-HTTPS a long time ago if this nonsense wasn't brought up each time.

[1] and hard to use against everybody simultaneously


Why? The crypto is just as strong with a self-signed cert as a "name brand" cert. The only downside is teaching users to ignore SSL errors, which is bad.


The crypto strength of a self-signed cert is irrelevant because a MITM can generate their own self-signed cert with your website's name.


Right, so you have to verify the certificate through some "out of band" (relative to the browser) mechanism.


I mean, I understand their argument against it, but I think this is one of those cases where the pros definitely outweigh the cons, this is great.



