Hacker News new | ask | show | jobs
by sexmonad 4456 days ago
StartSSL's default usage mode is to generate private keys on their website. Yet another horribly insecure system.

I'd much rather that people used self-signed certs (and browsers had certificate pinning) by default, and could then step up to real CA certificates. Self-signed certs provide almost the same amount of trust that StartCom does.
1 comments
kmac_ 4455 days ago
> StartSSL's default usage mode is to generate private keys on their website.

No. AFAIR they use HTML5 <keygen> tag to generate key pair.

link
drdaeman 4455 days ago
That's for personal (client) certificates.

For server certificates, unless you supply the CSR by yourself by skipping a step (IIRC, you're softly encouraged to do so), they generate the key server-side and send it to you back. They even have a FAQ entries (##43,44, although their site is down ATM, so Google for a cached copy) about that.

link
kmac_ 4455 days ago
You're right, I've mixed up things.
link