|
Hey everyone, I am deciding whether to go ahead and build Silo (http://getsilo.com), a little web app which safeguards SSL certificates. The idea came about after I ran into the following annoying, yet easily avoidable problems: 1. Real - I make some changes to a client's web server and restart apache. Apache demanded a pass phrase for a SSL certificate on one of the domains. I don't know it. Without it apache won't start, meaning all websites are offline. The regular sysadmin is away. I email / phone anyone who might know this key but as expected no one knows. A panic vhost disable of the SSL domain, and all websites are back up except the secure one which is down. More panic server changes to setup a self signed SSL certificate. Then I go through the process of buying a new SSL certificate. Time lost, money spent, website glitches, and unhappy visitors complaining when their browsers say the website is not secure. All because of an unknown pass phrase. 2. Real - A visitor emails expressing their concern that their browser is telling them that our e-commerce website is insecure. I take a look and see that the SSL certificate has expired. I buy a new one and go through the process of verifying domain ownership. E-commerce website looses customers, and therefore sales, for 2 days till the new certificate is active. 3. Hypothetical (hasn't happened to me) - The web server dies and there are no backups of the SSL certificate, private, public keys, chain and vhost config. I now need to go back to the various companies that sold the certificates, login to their management areas, download the certificates and go through the process of getting the SSL certificates setup correctly using their various setup guides and documentation (often a somewhat trial and error process). Silo would store your SSL certificates, keys, chain files, pass phrases, and send out SSL renewal reminders to solve these three problems. From my own experience I know this product would of saved me time, money, and stress. I am interested to hear if anyone has had similar problems, whether people 'get' the idea of Silo, and finally would be willing to pay for this simple product (pricing at http://getsilo.com/plans). Many thanks for your time,
Ollie Rattue |
My #1 concern is trust. Would a webdesign agency really trust all their SSL certs to Silo for $50/yr? Centralising that number of SSL certs at an random online service seems a little insecure. I'd probably prefer a truecrypt-encrypted USB key, or an encrypted volume of dropbox/whatever or something like that.
I wonder if there's a business here in just the SSL expiry notifications? It seems a common problem which is theoretically solved by Google Calendar but obviously no one actually thinks of a general tool for the specific purposes of reminding them about expiry dates.