On 08/04/14 19:39, Simon Waters wrote:
> On 08/04/14 15:47, bad apple wrote:
>>
>> To obtain your SSL cert, ignore anyone who might suggest using a
>> freebie, but recognised by most default browser CA stores, cert from
>> people such as startssl.com. These are all guaranteed to be escrowed to
>> agencies for your protection (google away if you like, startssl are an
>> Israeli outfit long suspected of Mossad/NSA collusion).
>
> In defence of StartSSL there is surprisingly little up-sell.
>
> Whilst if anyone is going to manipulate a certificate authority in
> Israel Mossad is going to be a prime contender, if you suggest
> alternative provider covered by so the Patriot Act I'm going to pull
> your leg ruthlessly.

Fair enough :]

Funnily enough, I wasn't going to recommend any of them either. In fact, I don't have any solid recommendations for a CA, I don't trust any of them implicitly and the general track record for them recently hasn't been exactly stellar. SSL/TLS and certificate authorities are just broken at this point, I've stopped trying to keep count of the new/revoked CAs every update there are just too many of them. I don't have any alternatives to offer either, except self signing and that's not much use for non-personal stuff.

> Besides unless you do some sort of pinning or stapling will folk even
> notice who sold you out, or will it matter if it is the same provider
> issuing a different certificate, or a different CA issuing a bogus
> certificate (they don't have your private key). So you might as well go
> with the cheapest competent provider.

Yep, agreed. http://convergence.io/index.html might provide some succour, if we can get enough other sane people to use it.

All this crap + XP EOL + Patch Tuesday all at once. What a day at the office.

Regards

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq