Why isn't there an easy to issue Free SSL CA?
2 points by willtheperson on Sept 11, 2012 | 9 comments
Where is the SSL Certification Authority that is issuing SSL certificates that are trusted by all browsers without a yearly fee?

It's bad enough that startups differentiate pricing tiers with SSL, why do we make it so user un-friendly to secure their visit?



http://www.startssl.com/

They've been doing it for years. So long as you get the intermediate CA cert installed on the server, their free certs seem to work fine in as near as practical "all browsers".


Do you have personal experience in using StartSSL? What are the limitations with its free version? Looking to use an SSL certificate on my website to use it within a Facebook app.


No real limitations at all. They're genuine SSL/TLS certs, the "trick" is that they're only validated by checking you can receive mail at an email address at the domain in question, so while the encryption "works" - you don't get much assurance of "authentication" from them. If I can somehow read mail sent to a prashantmukesh.com email address, I'll be able to convince StartSSL to issue me an SSL cert for it... This is mostly why this isn't such a good idea... It also doesn't really matter, from the point of view of apps requiring https connection - even apps/apis smart enough to check certs and their issuing authorities aren't going to know the difference between an SSL cert that required a Dun & Bradstreet check to acquire and one that only needed access to a webmaster@example.com email account.


But that's my point really. Why does the site's owner need to be verified at all?

I believe we should have an SSL cert that only enforces the encryption but makes no claims about the server's owner or that any transaction is guaranteed up to a specific dollar amount.

I know you can self sign, but when the browser shows the user the site is self signed, they get nervous. Conversely, I could get a minimal identification req SSL cert from Godaddy that doesn't alert the user, but I have to pay at least $15 for that right.

My main issue or question is why SSL is paired with COMPANY/PERSON identification. Why do I rely on the CA to verify a company is real? Why aren't there 2 elements? One is encryption, one is identification. Encryption is free to implement with no warnings in the browser. ID can cost money to pay for the verification process.

Thoughts?


"Hello, I'm the target server; definitely not a MITM attacker, no way, not at all." Without identification, this is as good as sending the data in plaintext - for all you know, you may be communicating with a hostile proxy.


Ahh, good point. I wasn't clear.

By not requiring ID, I meant Company name, state, city, etc.

I'm realizing that what I'm wanting is to split the SSL cert into 2 aspects. One provides security and endpoint verification. The other verifies the actual person/company and potentially insures that any losses will be covered. It seems like this is pretty much the idea of an EV cert (more verbose entity ownership) but that costs a ton.

I don't know about you, but I don't use the SSL cert to verify the legitimacy of a company. I do ensure it's there when sending sensitive information though.
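The two ideas the thread circles around, that a domain-validated cert proves only control of a name and that encryption without an identity check leaves you open to a hostile proxy, can be seen directly in how a client verifies an X.509 certificate. The following is an added example in Go (not code from the thread or from StartSSL): it mints two constructed self-signed certificates for the placeholder host www.example.com, one with a DV-style subject (just the host name) and one OV/EV-style subject that also names a placeholder operator, then runs the same verification step a browser performs against three trust decisions. "Example Corp", "Springfield" and the host names are assumptions for illustration only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned builds an in-memory self-signed certificate for host with the
// given subject. Constructed test data: nothing here is issued by a real CA.
func newSelfSigned(host string, subject pkix.Name) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// dvCert models a domain-validated cert: the subject names only the host.
func dvCert(host string) (*x509.Certificate, error) {
	return newSelfSigned(host, pkix.Name{CommonName: host})
}

// ovCert models an organisation-validated cert for the same host; the operator values are placeholders.
func ovCert(host string) (*x509.Certificate, error) {
	return newSelfSigned(host, pkix.Name{CommonName: host, Country: []string{"US"},
		Organization: []string{"Example Corp"}, Locality: []string{"Springfield"}})
}

type Outcome string

const (
	Trusted   Outcome = "trusted"        // chains to a trust anchor and names the host
	UnknownCA Outcome = "unknown-issuer" // still encrypted, but anyone could have minted it
	WrongHost Outcome = "wrong-host"     // trusted issuer, but issued for a different name
	Rejected  Outcome = "rejected"       // expired, wrong key usage, etc.
)

// check is the step a browser performs before trusting a server, against a trust store
// holding exactly the given anchors. Skipping it (InsecureSkipVerify in Go's tls package)
// gives encryption with no assurance about who holds the other end of the connection.
func check(cert *x509.Certificate, host string, trusted ...*x509.Certificate) Outcome {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	switch err.(type) {
	case nil:
		return Trusted
	case x509.UnknownAuthorityError:
		return UnknownCA
	case x509.HostnameError:
		return WrongHost
	}
	return Rejected
}

// identityFields lists the organisation-identifying subject attributes. A DV
// cert has none: it proves control of the name, not who operates the site.
func identityFields(cert *x509.Certificate) []string {
	var fields []string
	s := cert.Subject
	for _, a := range []struct{ k string; v []string }{{"O", s.Organization}, {"L", s.Locality}, {"C", s.Country}} {
		if len(a.v) > 0 {
			fields = append(fields, a.k+"="+a.v[0])
		}
	}
	return fields
}

func main() {
	dv, err1 := dvCert("www.example.com")
	ov, err2 := ovCert("www.example.com")
	if err1 != nil || err2 != nil {
		panic("certificate generation failed")
	}
	fmt.Println("DV identity:", identityFields(dv), "OV identity:", identityFields(ov))
	// Same DV cert, three client decisions: empty store, store that pins it, pinned but wrong name.
	fmt.Println(check(dv, "www.example.com"), check(dv, "www.example.com", dv),
		check(dv, "login.example.com", dv))
}
```

The point of the three `check` calls is that the certificate bytes never change; what changes is whether the client has a trust anchor for them. With an empty store the handshake would still be encrypted, but the result is `unknown-issuer`, which is the situation the "hostile proxy" comment describes. The `identityFields` output shows the other half of the split: a DV-style subject carries no organisation, locality or country, so a relying party gets endpoint verification from the chain and nothing about who the operator is.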


One of the only CAs with reasonable prices for EV certs.


TANSTAAFL; moreover, Crypto Is Hard.

It follows that you can get at best two out of these three: Free, Secure, Easy.


How would you verify identity in a free but reliable manner?



