by somesay
4724 days ago
Just another guy who talks about SSL without knowing the basics. I don't know what annoys me more: someone who completely ignores cryptology and its security features, or these guys who have such a dangerously low knowledge that they spread bullshit the whole day. In fact, you don't have to trust StartSSL at all. They securely give you a valid cert while you don't have to reveal your private key at any time. Your private key is either generated manually on your server by yourself or within the browser, on the client side. The important points are: StartSSL is trusted by all modern browsers and systems, and they are cheap. There is nothing more to care about. In fact, _any_ trusted CA could be attacked and generate certs for man-in-the-middle attacks. So, stop your stupid prejudice here. Actually, a CA from the Netherlands got known for being corrupted some years ago.
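The point above, that the CA never needs to see your private key, is worth seeing concretely. Below is an added example (not code from the original thread or from StartSSL): the key is generated locally, only a certificate signing request (CSR) is produced for the CA, and three checks confirm what the CSR does and does not contain. It assumes the `openssl` CLI is installed; `example.com` and the `WORKDIR` path are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the openssl CLI.
# Shows that a CA only ever receives the CSR: the public key plus a
# self-signature proving possession of the matching private key.
set -eu

# Placeholder working directory (assumption): a temp dir unless overridden.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: the private key is created here and never leaves this machine.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/server.key" 2>/dev/null
    chmod 600 "$WORKDIR/server.key"
}

# Step 2: the CSR is the only artifact sent to StartSSL (or any other CA).
# The subject is a placeholder hostname.
gen_csr() {
    openssl req -new -key "$WORKDIR/server.key" \
        -subj "/CN=example.com" \
        -out "$WORKDIR/server.csr" 2>/dev/null
}

# Check 1: the CSR's self-signature verifies against the embedded public key,
# which is what lets the CA know the requester holds the private key.
csr_signature_ok() {
    openssl req -in "$WORKDIR/server.csr" -noout -verify >/dev/null 2>&1
}

# Check 2: the CSR carries no private key material at all.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$WORKDIR/server.csr"
}

# Check 3: the public key inside the CSR is exactly the one derived from
# the locally generated private key (so the issued cert will match it).
csr_pubkey_matches_key() {
    a=$(openssl req -in "$WORKDIR/server.csr" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$WORKDIR/server.key" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Runs the whole procedure; returns 0 only if every check passes.
run_all() {
    gen_key && gen_csr && csr_signature_ok \
        && csr_has_no_private_key && csr_pubkey_matches_key
}

if [ "${1:-}" = "run" ]; then
    run_all && echo "CSR ready at $WORKDIR/server.csr; key stays in $WORKDIR/server.key"
fi
```

Run it as `sh make_csr.sh run`. What you upload to the CA is `server.csr`; `server.key` stays on the host with mode 0600. The same flow applies whether the CA is StartSSL or any other: trust in the CA is about which names it will sign for, not about access to your key.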
For that I apologize.
However, you are mistaken that I don't have to trust StartSSL, or any CA at all. In requesting a certificate, I am signalling that I require a method by which an unknown party can reasonably verify that they are indeed dealing with me. If I am already well known, and a target of attack, it doesn't matter which CA I deal with; every one is a potential source of vulnerability. However, if I am not broadly known, and seeking out deals on certificates, and not investing in an EV certificate (why just get a padlock, get the snazzy green bar!), what exactly is the purpose of me investing in a certificate? Well, you're paying for your customers to have faith that whatever faith they have in you is not misplaced, or more precisely that no bad guys will get their credit card number which they are sending to you, along with their personal details.
This whole idea behind SSL, https, and ultimately DNS is broken. And yes, my response was naive enough to be read naively. For that I'm sorry. But this particular post is probably not the place to discuss these shortcomings...