This Time Self-Hosted

Hunting for an SSL certificate

So, in the previous chapter of my current personal odyssey I noted that I was looking into SSL certificates; the last time I wrote about it I was looking into using CACert to provide a few certificates. But CACert has one nasty issue for me: not only is it not supported out of the box by any browser, but I have also failed so far to find a way to get Chromium (my browser of choice) to accept it, which makes it no better than self-signed certificates for most of my aims.

Now, back then, Owen suggested that I look into StartSSL, which is supported out of the box by most if not all browsers, and offers free Class 1 certificates. Unfortunately Class 1 certificates don't cover multiple hostnames or wildcards, which I would have liked to have, as I serve a number of vhosts (via SNI) from this server. On the other hand, Class 2 (which does allow that) has an affordable price ($50), so I wouldn't have minded confirming my personal details to get it. The problem is that to get validated I need to send scans of two photo IDs, and I only have one. I guess I'll finally have to get a passport.

As a positive note for them, StartSSL actually replied to my tweet-rant suggesting I could use my birth certificate as a secondary ID for validation. I guess this is easier to procure in the United States, at least judging from the kind of reverence Americans have for it; here I'd sincerely rather not bother going to look for it, especially because, as it is, my birth certificate does not report my full name directly (I legally changed it a few years ago, if you remember) but only as an amendment.

There are, though, a few other problems that showed up while using StartSSL. The first is that it doesn't let you use Chrome (or Chromium) for registration because of trouble with client-side certificates. Another is that domain verification is not based on DNS, but only on email addresses: you verify the domain foo by receiving an email sent to webmaster@foo (or one of a few other addresses, either standard ones or taken from the domain's WHOIS record). While this is reasonably secure, it only works if the domain can receive email, and it only seems to work for verifying second-level domains.

Using the kind of verification Google uses for domains would make proving ownership much nicer, and it works with subdomains as well as with domains that have no email at all. For those who don't know how Google's domain verification works: they give you the name of a CNAME record to add to your domain and point at "google.com"; since the name they tell you to create is derived from a hash of your account name and the domain itself, a matching answer proves you control the domain's DNS configuration, and thus the domain. I guess the problem is just that DNS changes take much longer to propagate than an email takes to arrive, and having a fast way to issue a new certificate is definitely a good thing about StartSSL.
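To make the CNAME scheme concrete, here is an added example (not Google's, StartSSL's or this blog's code) of what the verifier side of such a check looks like. The token derivation (an HMAC over the account name and the domain under a verifier-held secret), the `verify-` label prefix and the CNAME target `verifier.example` are assumptions standing in for whatever Google actually uses; the DNS lookup is injected as a function so the check runs offline against a constructed zone.

```python
"""DNS-based domain-control validation in the style of a hashed CNAME challenge.

Added illustration, not the code of any real CA or of Google. The label
derivation, prefix and target below are assumptions for the example.
"""
import hashlib
import hmac
from typing import Callable, Dict, Optional

# Hypothetical target the requester must point the CNAME at (Google uses google.com).
VERIFY_TARGET = "verifier.example"

# A resolver maps an owner name to its CNAME target, or None if no such record.
Resolver = Callable[[str], Optional[str]]


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop a trailing dot so comparisons are stable."""
    return name.rstrip(".").lower()


def challenge_name(account: str, domain: str, secret: bytes) -> str:
    """Return the owner name the requester has to publish as a CNAME.

    Keying the label on a verifier-held secret, the account and the domain means
    a requester cannot predict another account's label, and a label published
    for one domain is useless for any other. Because the record lives directly
    under the name being verified, this works for sub.example.org just as well
    as for example.org, and needs no mail routing at all.
    """
    domain = normalize(domain)
    mac = hmac.new(secret, f"{account}\x00{domain}".encode(), hashlib.sha256)
    return f"verify-{mac.hexdigest()[:20]}.{domain}"


def check_control(account: str, domain: str, secret: bytes, resolve: Resolver) -> bool:
    """True only if the expected label exists and points at VERIFY_TARGET."""
    target = resolve(challenge_name(account, domain, secret))
    if target is None:
        return False  # record not published yet (or not propagated)
    return normalize(target) == VERIFY_TARGET


def dict_resolver(zone: Dict[str, str]) -> Resolver:
    """Build an offline resolver from a constructed zone (owner -> CNAME target)."""
    def resolve(name: str) -> Optional[str]:
        return zone.get(normalize(name))
    return resolve


def demo() -> Dict[str, bool]:
    """Run the check against a constructed zone; returns the outcome of each case."""
    secret = b"constructed-verifier-secret"
    zone: Dict[str, str] = {}
    # The legitimate owner publishes the label the verifier handed out.
    zone[challenge_name("flameeyes", "bugs.example.org", secret)] = "verifier.example."
    # A second name with a record pointing somewhere else entirely.
    zone[challenge_name("flameeyes", "other.example.org", secret)] = "attacker.example."
    resolve = dict_resolver(zone)
    return {
        "subdomain_verified": check_control("flameeyes", "bugs.example.org", secret, resolve),
        "wrong_account": check_control("someone-else", "bugs.example.org", secret, resolve),
        "wrong_target": check_control("flameeyes", "other.example.org", secret, resolve),
        "not_published": check_control("flameeyes", "example.org", secret, resolve),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

In production the resolver would query the zone's authoritative nameservers (not a caching resolver), retry over a window to absorb the propagation delay the post mentions, and ideally check from more than one network vantage point so a single spoofed answer cannot pass the check.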

At any rate, I got a couple of certificates this way, so I finally don’t get Chrome’s warnings because of invalid certificates when I access this computer’s Transmission web interface (which I secure through an Apache reverse proxy). And I also took the time to finally secure xine’s Bugzilla with an SSL connection and certificate.

Thanks Owen, thanks StartSSL!

Comments 6
  1. Yeah I tried the manual nss tools, but the result has been pretty bad nonetheless.

  2. Due to the lovely end to end nature of IPv6 IPSec may also have been a possibility for securing that Transmission web interface. The main downside of an IPSec implementation would have been that only Flameeye controlled hosts would be able to connect due to barrier of configuring IPSec with your Shared Key or certificate authentication.

  3. Yeah I considered that, but the main reason why I use simple Apache proxy is that this way I can actually control it through my phone while I’m not home 🙂

  4. The E-Mail validation is mandated by the CA/Browser Forum, as is the list of acceptable E-Mail addresses (up until recently addresses as weird as ssladmin@ were accepted, posing somewhat of a security issue with regard to webmail providers; the acceptable list is now fixed and rather small). If you wish them to consider alternative options, then you are probably best proposing it first to the Mozilla security policy list (since everyone seems to use Mozilla’s NSS). Of course, there is somewhat of a difference here: often people are setting up Google Apps to set up E-Mail services, while people setting up SSL presumably have valid addresses in their whois records 😉

  5. The class 2’s are $50 for 2 years even, not bad. I may try the class 1 even though I currently use a wildcard mainly because I only have a small number of sites that I *need* secured.
