[ale] Oct News: StartCom, WoSign distrusted by Mozilla, Google, Apple

James Taylor James.Taylor at eastcobbgroup.com
Tue Mar 14 11:17:19 EDT 2017


I've been using a rapidSSL cert from name.com.
Individual certs are about $9/year and a wildcard is about $110.
I use a wild card on my proxy to handle all of my outward facing
services.
-jt

James Taylor
678-697-9420
james.taylor at eastcobbgroup.com



>>> Scott Plante <splante at insightsys.com> 3/14/2017 10:53 AM >>> 
Apparently Chrome was just rejecting StartCOM / StartSSL certs issued
after Oct 2016, but starting with v57 just released, it's rejecting all
StartSSL certs except Alexa top 1M sites. I started getting complaints
this morning about our internal mail server. We've been using paid SSL
for customer stuff, but StartSSL for various domains used just by our
own people. 


I have paid for, and never minded the StartSSL revocation fee. My
understanding is that the resources needed to issue a cert are fairly
low, but the clients across the world constantly checking for
revocations takes a lot more, hence putting the fee there. 


I see LetsEncrypt / certbot being suggested for free certs now. Has
anyone tried them or have any thoughts? I suppose now I'm going to have
to make a move. InCommon isn't an option for us. 


https://letsencrypt.org/ 
https://certbot.eff.org/ 


Scott 
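The browser behaviour Scott describes (Chrome 57 rejecting StartCom-issued certificates outright) is easiest to get ahead of by auditing your own endpoints before users start complaining. The following is an added example, not part of the original thread or any of the posters' code: a small Python 3 audit helper that classifies a certificate in the dictionary shape returned by the standard library's `ssl.SSLSocket.getpeercert()`, flagging issuers whose organization name contains "StartCom" or "WoSign" (the two CAs distrusted in the subject line) and certificates that are expired, not yet valid, or close to expiry. The match tokens, the two sample certificate dictionaries, the audit date and the `fetch_peer_cert` helper are all constructed assumptions for the example.

```python
import socket
import ssl
import time

# Issuer name fragments to flag (assumption: matched case-insensitively as a
# substring of the issuer's organizationName, so the various StartCom and
# WoSign intermediate names are caught without relying on exact spelling).
DISTRUSTED_ISSUER_TOKENS = ("startcom", "wosign")

# Constructed: the date of this thread, so the checks below are reproducible.
AUDIT_TIME = ssl.cert_time_to_seconds("Mar 14 12:00:00 2017 GMT")

# Constructed sample certificates in the shape getpeercert() returns:
# "issuer" is a tuple of RDNs, each RDN a tuple of (type, value) pairs.
SAMPLE_STARTCOM_CERT = {
    "subject": ((("commonName", "mail.example.internal"),),),
    "issuer": (
        (("countryName", "IL"),),
        (("organizationName", "StartCom Ltd."),),
        (("commonName", "StartCom Class 1 DV Server CA"),),
    ),
    "notBefore": "Nov 15 12:00:00 2016 GMT",
    "notAfter": "Nov 15 12:00:00 2017 GMT",
}

SAMPLE_LE_CERT = {
    "subject": ((("commonName", "www.example.internal"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "Let's Encrypt Authority X3"),),
    ),
    "notBefore": "Jan 10 12:00:00 2017 GMT",
    "notAfter": "Apr 10 12:00:00 2017 GMT",
}


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert()-style dict, or None."""
    for rdn in cert.get("issuer", ()):
        for attr_type, value in rdn:
            if attr_type == "organizationName":
                return value
    return None


def check_cert(cert, now=None, warn_days=30):
    """Return a list of findings for one certificate; an empty list means no issue."""
    findings = []
    now = time.time() if now is None else now

    org = issuer_org(cert) or ""
    if any(token in org.lower() for token in DISTRUSTED_ISSUER_TOKENS):
        findings.append(f"issuer '{org}' is distrusted by major browsers")

    # getpeercert() gives validity dates as strings; the ssl module parses them.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("certificate is not yet valid")
    elif now > not_after:
        findings.append("certificate has expired")
    elif not_after - now < warn_days * 86400:
        findings.append(f"certificate expires within {warn_days} days")
    return findings


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Hypothetical helper: fetch a live host's leaf certificate as a dict.

    Uses the default context, i.e. the local OS trust store, so a handshake
    failure here already tells you the chain is untrusted on this machine.
    Only direct-TLS ports are covered (443, 993, 465); STARTTLS services
    need a protocol-specific exchange first.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, cert in (("startcom sample", SAMPLE_STARTCOM_CERT),
                       ("letsencrypt sample", SAMPLE_LE_CERT)):
        print(name, check_cert(cert, now=AUDIT_TIME) or ["ok"])
```

Run against the samples it reports the StartCom issuer on the first and a near-expiry warning on the second; pointed at real hosts via `fetch_peer_cert`, the same `check_cert` call gives a quick inventory of which internal services still need to be moved to another CA.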



----- Original Message -----

From: "Jim Kinney" <jim.kinney at gmail.com> 
To: "Atlanta Linux Enthusiasts - Yes! We run Linux!" <ale at ale.org> 
Sent: Monday, January 30, 2017 5:05:46 PM 
Subject: Re: [ale] Oct News: StartCom, WoSign distrusted by Mozilla,
Google, Apple 


Yes. All the work stuff that public sees is InCommon. All the work
stuff for department only is self signed from our CA. 


For the stuff that really matters, it's self-signed, private CA and
client certs as well. 


On Jan 30, 2017 5:00 PM, "Lightner, Jeffrey" <JLightner at dsservices.com> wrote: 


Self signed certificates may work for purely internal setups but for
web services presented to the outside world they seldom do. 

If I were to go to emory.edu and it asked me to accept a self signed
certificate rather than one from a well known CA I’d probably abandon
the connection on the theory it was a spoof. One doesn’t buy
certificates because of a desire to spend money – one buys
certificates so others can reasonably trust (based on the CA) the
certificate is valid. 

Even if I knew and trusted someone at Emory who could provide me with
the root certificate on the servers there I’d likely not bother to
import it just due to the annoyance factor. Having to install root
certificates for well known CAs is all well and good. Having to install
them for everyone that decides they want to self sign would be an
administrative nightmare. 

On checking just now it appears Emory uses a specific CA called
“InCommon” apparently built specifically for .edu sites. 



From: ale-bounces at ale.org [mailto: ale-bounces at ale.org ] On Behalf Of
Jim Kinney 
Sent: Monday, January 30, 2017 4:30 PM 
To: Atlanta Linux Enthusiasts - Yes! We run Linux! 
Subject: Re: [ale] Oct News: StartCom, WoSign distrusted by Mozilla,
Google, Apple 


All of my certs are self signed from my own CA. If you don't trust
them, you don't need to be there anyway. 