#1  defcon3, 28.01.2015, 11:38
Free SSL certificate - what is the catch?

I am closely following the progress of the EFF-backed initiative which is due to land sometime in summer of 2015, which will deliver free of charge SSL certificates. To me it would be THE service to use.

As any other geek, patience is not one of my virtues and I have dug out this StartSSL Free offering. All good and clear, the only fees associated with the offer are in case you either a) upgrade to one of the paid plans or b) have it revoked.

And here comes my question - imagine I get one of them StartSSL. And then six months later, if I decide to switch to the EFF/Cisco one for my domain, would I be obliged/forced to resign/revoke the StartSSL? Can I simply abandon it and discontinue use in favor of the new one?

Thanks for sharing your wisdom and experience.

#2  John_H, 28.01.2015, 11:51

You should be able to abandon it without issues for you. But I get if somebody had saved/trusted the old one it could annoy them?

#3  defcon3, 28.01.2015, 12:20

Quote:
> You should be able to abandon it without issues for you. But I get if somebody had saved/trusted the old one it could annoy them?

I am the standby support for families up and down the chain on both sides, we're talking of a family blog here, total readership: <100 people.

#4  Phil_MCR, 28.01.2015, 12:25

You can abandon it. For something with limited readership it may also be feasible to create your own CA and import your CA certificate in the devices that need access.

#5  John_H, 28.01.2015, 12:25

Quote:
> I am the standby support for families up and down the chain on both sides, we're talking of a family blog here, total readership: <100 people

I think it would be fine to abandon/replace. I think there would only be a problem if somebody was using the cert for something special.

People reading a blog don't even know they are using a cert; the browser checks that the cert is from a valid provider, it matches the domain and it hasn't expired. If that's all good nothing happens, if it's bad it throws a warning to the user and asks if they really want to continue.

#6  zerogre, 28.01.2015, 13:17

(Caveat: Been absolutely forever since I've done cert work, so this advice may be on the "mildly" to "wildly" incorrect side; use at your own peril.)

"Roll your own" snake-oil certs (i.e. - Self-signed) can be easy to spin up, but people reading the blog will get all sorts of errors about the cert being invalid, unless you ALSO take your public key used to create the cert (i.e. - your new "root cert") and have your family import it into their trusted keyrings; not exactly a trivial task.

I would stick with abandon/create new one. Part of the PKI infra that the certs use *should* check the PKI issuing root server for revocation as that's one of the fields in the certificate issued, so the certs become self-maintaining.

Hope that makes sense.
__________________
The nearest thing to eternal life we will ever see on this Earth is a government program.

#7  me.anon, 28.01.2015, 14:15

I don't see how this is going to work. The main certificate providers have to charge at the moment because (a) they have to verify the identity of the certificate purchaser (not simply anyone can order a telebanking.ubs.ch certificate) and (b) they have to pay Microsoft, Samsung, Apple etc. to have their root certificate installed by default in their browsers/devices.

Only if there is a new class of certificate where the primary purpose is encryption but not verification of the server, could this work. But then, the communication channel would be open to attack (man in the middle etc.)
__________________
If you have difficulties with a post which contains a link to a site in one of the Swiss languages, use Google Translate or your own favourite translating browser.

#8  speakeron, 28.01.2015, 15:01

Quote:
> I don't see how this is going to work. The main certificate providers have to charge at the moment because (a) they have to verify the identity of the certificate purchaser (not simply anyone can order a telebanking.ubs.ch certificate) and (b) they have to pay Microsoft, Samsung, Apple etc. to have their root certificate installed by default in their browsers/devices.
>
> Only if there is a new class of certificate where the primary purpose is encryption but not verification of the server, could this work. But then, the communication channel would be open to attack (man in the middle etc.)

Free certs are usually of the 'domain validated' type. With these, the only validation is normally an email to the domain owner - there are no other checks and thus plenty of opportunity for devious practices.

Companies like UBS would use EV (extended validation) which requires much more extensive validation of the company owner. (These are the certs where you see the company name next to the URL).

The free certs are really for small-scale non-commercial uses.

#9  marton, 28.01.2015, 15:10

I bought a GoDaddy SSL certificate for 2 years for US$ 12; at that price it was not worth chasing around for free ones.
I installed it myself so that did not cost anything.

#10  zerogre, 28.01.2015, 15:28

Quote:
> I bought a GoDaddy SSL certificate for 2 years for US$ 12; at that price it was not worth chasing around for free ones.
> I installed it myself so that did not cost anything.

The upshot of this approach is, of course, that GoDaddy is a known and reputable Issuer, so their root cert is installed by default on most, if not all, browsers, leading to fewer family issues.

$12 well spent, I would say. My own time/money is worth way more to me than that in terms of deployment/maintenance.

#11  marton, 28.01.2015, 16:24

Karma
I just got an email from GoDaddy offering me a 2 year renewal for US $139.

#12  defcon3, 28.01.2015, 16:25

Thing is - the majority of SSL out there start at $49/yr - I will wait for one of them deals, $12/24months or just the release of the free EFF initiative.

#13  rainer_d, 28.01.2015, 22:41

Quote:
> I don't see how this is going to work. The main certificate providers have to charge at the moment because (a) they have to verify the identity of the certificate purchaser (not simply anyone can order a telebanking.ubs.ch certificate) and (b) they have to pay Microsoft, Samsung, Apple etc. to have their root certificate installed by default in their browsers/devices.
>
> Only if there is a new class of certificate where the primary purpose is encryption but not verification of the server, could this work. But then, the communication channel would be open to attack (man in the middle etc.)

Certifying that your PKI infrastructure fulfills the CAB-forum requirements, so that browser "vendors" actually consider taking on board your root certificate, is in the 50-100k € ballpark. And it has to be done almost yearly (fifteen months or so).

That is what I presumed to be the highest cost - besides staff, of course, which you would need to run the CA according to said requirements.
But once you've earned those fixed costs, it's like minting money. Your customers basically pay for a few KB worth of data. Cryptographically signed data.

Also, contrary to popular belief, not all browsers check for revoked certificates.
Chrome has stopped doing so, because it increases loading-time for sites and confuses people if the servers answering these checks aren't available (and as a result, the site they wanted to visit refuses to load).
Don't know about Firefox, Safari (well, Safari seems to have it set to "best effort" by default, whatever that would mean in practice...), IE.

#14  Jim2007, 29.01.2015, 20:38

Quote:
> As any other geek, patience is not one of my virtues and I have dug out this StartSSL Free offering. All good and clear, the only fees associated with the offer are in case you either a) upgrade to one of the paid plans or b) have it revoked.

I have used StartSSL in the past for various code signing and SSL certs and I was happy with the service I received.

#15  monkeyboy76, 29.01.2015, 21:33

I have also been using StartSSL [1] for a number of years on my personal blog site. It was simple to set up and I have been very happy with them.

When the Heartbleed bug [2] was discovered, I wanted to request a new certificate, but StartSSL would not issue a second certificate without revoking my old one first, which costs money as you mentioned, so I decided at the time that the value held in my site was less than the $60,- they wanted to charge.

As for the question about just discarding the StartSSL certificate and getting one from the EFF process, you should have no problem with that. Although having said that, I seem to remember hearing something that the EFF idea will start registering certificates in a central database and you will need to know the passkey used when creating the last certificate to request a new replacement certificate.

The only other issue you may have with StartSSL's free class 1 certificate is that it will only match one domain name, i.e. blog.mydomain.ch, and your domain name, mydomain.ch, in the certificate, which is fine if people hit either of those URLs, but if you wanted to also run something using www.mydomain.ch on the same server, this would give your users warning messages.

One thing that you might like to look at too is a service available from SSL Labs [3]. You put your domain name into their site and they run a number of checks against your webserver looking for any weakness or misconfigurations in the certificate. With the free class 1 certificate from StartSSL I was still able to achieve an A grade there.



[1] https://www.startssl.com/?app=1
[2] http://heartbleed.com/
[3] https://www.ssllabs.com/

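
Added example, not written by any poster in this thread: a Python check for the two things posts #5 and #15 describe, namely whether each host name you serve is listed in the certificate and whether the certificate is inside its validity period. SAMPLE_CERT is constructed (the thread's mydomain.ch placeholder with invented dates) and the function names are this example's own.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
# mydomain.ch is the thread's placeholder name; the dates are invented.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "blog.mydomain.ch"), ("DNS", "mydomain.ch")),
    "notBefore": "Jan 29 00:00:00 2015 GMT",
    "notAfter": "Jan 29 23:59:59 2016 GMT",
}

def san_matches(pattern, host):
    """Compare one certificate DNS name with a host name, label by label.
    A '*' is honoured only as the entire left-most label and never directly
    above a top-level domain, so '*.mydomain.ch' covers 'www.mydomain.ch'
    but not 'mydomain.ch' or 'a.b.mydomain.ch'."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def names_covered(cert, hosts):
    """Map each host name to True/False: is it listed in the certificate?"""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {h: any(san_matches(s, h) for s in sans) for h in hosts}

def valid_at(cert, when):
    """True if the aware datetime `when` lies inside notBefore..notAfter."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= when.timestamp() <= end

def problems(cert, hosts, when):
    """List what would make a browser warn for these names at this time."""
    found = [f"{h}: name not in certificate"
             for h, ok in names_covered(cert, hosts).items() if not ok]
    if not valid_at(cert, when):
        found.append("certificate expired or not yet valid")
    return found

def fetch_cert(host, port=443):
    """Fetch a live certificate. The default context also verifies the chain
    against the system trust store and raises if that fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    day = datetime(2015, 6, 1, tzinfo=timezone.utc)
    print(problems(SAMPLE_CERT, ["blog.mydomain.ch", "www.mydomain.ch"], day))
```

Running problems() over every name the server answers to, before and after swapping certificates, shows which visitors would see a warning.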

#16  semanmar, 05.02.2015, 15:16

You can abandon anytime you want. I had a cert from them some time ago, but switched to GoDaddy/RapidSSL. It's just a few bucks per year and much more flexibility.