undefined | Better HN

0 pointssomesay12y ago0 comments

Just another guy who talks about SSL without knowing the basics. I don't know what annoys me more: Someone how completely ignores cryptology and its security features or these guys who have such a dangerously low knowledge that they spread bullshit the whole day.

In fact, you don't have to trust StartSSL at all. They securely give you a valid cert while you don't have to reveal your private key at any time. Your private key is either generated manually on your sever by yourself or within the browser, on client side.

The important points are: StartSSL is trusted by all modern browsers and systems and they are cheap. There is nothing more to care about. In fact, _any_ trusted CA could be attacked and generate certs for man-in-the-middle attacks.

So, stop your stupid prejudice here. Actually, a CA from the Netherlands got known for being corrupted some years ago.

0 comments

3 comments · 1 top-level

phaet0n12y ago· 2 in thread

You are absolutely right that I didn't have to reveal my "prejudice" here.

For that I apologize.

However, you are mistaken that I don't have to trust StartSSL, or any CA at all. In requesting a certificate, I am siginalling that I require a method by which an unknown party can reasonably verify that they are indeed dealing with me. If I am already well known, and a target of attack, it doesn't matter which CA I deal with, every one is potential source of vulnerability. However, if I am not broadly known, and seeking out deals on certificates, and not investing in an EV certificate (why just get a padlock, get the snazzy green bar!), what exactly is the purpose of me investing in a certificate? Well, you're paying for your customers to have faith that whatever faith they have in you is not misplaced, or more precisely no bad guys will get their credit card number which they are sending to you, along with their personal details.

This whole idea behind SSL, https, and ultimately DNS is a broken. And yes, my response was naive enough to be read naively. For that I'm sorry. But this particular post is probably not the place to discuss these shortcomings...

somesayOP12y ago

As you said, the hierarchical system is somehow broken. You are just paying to get a cert that is trusted by the browser and therefore looks fine for the user. Also you get some insurance thing and maybe a nice button to place in your web shop. That's all. The main point is using some encryption without throwing a warning message and gain some level of security.

Also, the "potential source of vulnerability" has nothing to do with how big you are.

SSL is as save as the CA list used by the browser is. It really doesn't matter which CA you actually choose then.

phaet0n12y ago

> SSL is as save as the CA list used by the browser is. It really doesn't matter which CA you actually choose then.

Which is why a _comprehensive_ history of when, how, and why CA root certs were added to various browsers, and the politicking behind it, would be quite illuminating.

Recall it was only around 2000 when the US relaxed export restrictions somewhat on cryptographic software. [1] So given that sensitive fact, the policy, and architecture of systems such as browser security should be questioned, especially because a select few are making essentially free money selling green address bars.

[1] http://en.wikipedia.org/wiki/Key_size#Symmetric_algorithm_ke...

j / k navigate · click thread line to collapse