[Ach] (no subject)

Ahmad Bilal ahmadbilal200854 at gmail.com
Sun Jan 12 14:12:49 CET 2014


Yes, there should be a tutorial about starting to work with SSL, something
very, very easy to understand. It could be a guideline-type thing about
what to expect, and it should assume that the very basic words related to
certificates are jargon to the intended reader.

- Basic explanation of what a certificate does
- Some alternatives, pros/cons of certificates
- A few established providers who are industry reviewed
- A general process of the minimum things that should happen (should
be based upon experience with the established players), etc. A general
flowchart (graph)


The point is, most SysAdmins don't know which point exactly they are
missing in this vast field; there is trust at stake, the security of more than
a handful of users is at stake, so a SysAdmin should be spoon-fed everything
all over again. I know that sounds a bit excessive, but my main point is
that there is a lot of noise around this topic, and that is the main
bottleneck for many like me.

On 12 January 2014 17:48, Andreas Mirbach <a.mirbach at me.com> wrote:

> Ok, I see StartSSL is a little difficult. But we can't provide a how-to
> for that, I think.
> Because every CA has a slightly different process and every CA already
> provides a how-to for obtaining a certificate in their FAQs. If you're still in
> trouble I can help you to understand the StartSSL process.
>
> @all Ahmad pointed out that some SSL starters don't really know how to
> retrieve an SSL certificate. I can remember my first try at that. So maybe a
> section that describes the general process of generating a certificate and
> signing it by a CA would be very helpful. What do you say?
>
> Regards Andreas Mirbach
>
> Sent from my iPad
>
> On 12.01.2014, at 06:56, Ahmad Bilal <ahmadbilal200854 at gmail.com> wrote:
>
> Also, I tried StartSSL at first, but got lost somewhere and gave up in
> between. So yes, people like me want to improve, we just need the light! :)
>
>
>
> On 12 January 2014 11:25, Ahmad Bilal <ahmadbilal200854 at gmail.com> wrote:
>
>> Thanks Rainer and Andreas. Yes, I was aware that it's not that safe to
>> trust GoDaddy, but to put it honestly, learning about SSL/TLS/etc. is like
>> starting all over again, after barely learning programming. There are not
>> many guides out there that are easily searchable. It was just coincidence that I
>> found out about BetterCrypto.
>>
>> I have read the draft, and it has been very helpful.. but my opinion is, if
>> the explanations are a bit simpler, then people will benefit even more
>> from it. As I said above, and it's also written in the draft, weak code
>> written by programmers is a big concern. It should not be assumed that a
>> programmer would learn coding and then start to learn about cryptography.
>> Instead, ideally, one should learn cryptography and programming together, so
>> that means that midway, where a person has only grasped intermediate
>> concepts in programming, he should be introduced to cryptography.
>>
>> That means, in short, that it should be assumed that the SysAdmin (at
>> whom this initiative is aimed) can be an average SysAdmin, as well as a
>> well-established SysAdmin.
>>
>> I might be saying what has already been said, many times.. and I mean no
>> offense to anyone. I'm just resonating what my honest feelings about
>> this are.
>>
>> Thanks a lot, I hope to learn a lot around here.
>>
>>
>> On 12 January 2014 03:16, Andreas Mirbach <a.mirbach at me.com> wrote:
>>
>>> Even if those certificate authorities have not been hacked, you have to
>>> ask yourself "do you trust these third parties in your chain". For websites
>>> that need to be reached over the internet by unknown clients, you need
>>> them. But if you know your clients, e.g. your company's computers, you
>>> can/should use your own CAs. In my opinion there should be a more detailed
>>> section about certificate authorities.
>>>
>>> Andreas Mirbach
>>>
>>> Sent from my iPad
>>>
>>> On 11.01.2014, at 21:36, Rainer Hoerbe <rainer at hoerbe.at> wrote:
>>>
>>> Finding SHA1 collisions requires 2**63 tries (maybe a bit less). Faking
>>> a certificate this way is quite expensive; there are cheaper ways.
>>>
>>> No, you need not be worried, because the security value of those commercial
>>> certificates is near zero anyway. It has been insinuated that GoDaddy have
>>> been hacked in the past. The question is why pay for a certificate
>>> of low value when you can get the same product elsewhere for free, e.g.
>>> StartSSL.
>>>
>>> - Rainer
>>>
>>> On 11.01.2014 at 15:02, Ahmad Bilal <ahmadbilal200854 at gmail.com> wrote:
>>>
>>> I have a question. I recently bought a certificate from GoDaddy, and
>>> during the installation I chose SHA-2, but the Certificate Signing Request
>>> in raw form has SHA-1 written on it, and not SHA-2. Should I be worried?
>>>
>>>
>>>
>>> --
>>> *Ahmad Bilal*
>>>
>>>  _______________________________________________
>>> Ach mailing list
>>> Ach at lists.cert.at
>>> http://lists.cert.at/cgi-bin/mailman/listinfo/ach


-- 
*Ahmad Bilal*
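The general process Andreas proposes documenting (a key and CSR made on the server, then signed by a CA, here a private CA of the kind he suggests for known clients), as an added example written for this thread in Go's standard library rather than the openssl CLI; it is not code from the list or from BetterCrypto. The hostname and CA name are constructed, and the comment on why the CSR's hash does not decide the certificate's hash is an addition of mine, not something the thread states.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts this demo on the first error; production code would return it.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewCSR is the applicant's step: a private key that never leaves the server, and a CSR
// for that key. SHA256WithRSA asks for SHA-2; SHA1WithRSA is what shows up as "SHA-1".
func NewCSR(host string) (*rsa.PrivateKey, *x509.CertificateRequest) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}, SignatureAlgorithm: x509.SHA256WithRSA}
	der := must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))
	return key, must(x509.ParseCertificateRequest(der)) // parsed: the view "openssl req -text" gives
}

// IssueWithPrivateCA plays an in-house CA (the option Andreas mentions for known clients): a self-signed root
// signs a one-year leaf for the CSR's public key. The CA chooses the certificate's hash; the CSR's hash only authenticates the request.
func IssueWithPrivateCA(csr *x509.CertificateRequest) (leaf, root *x509.Certificate) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private CA"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames, NotBefore: time.Now(),
		NotAfter: time.Now().AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature, SignatureAlgorithm: x509.SHA256WithRSA}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, csr.PublicKey, caKey))))
	return leaf, root
}

func main() {
	_, csr := NewCSR("www.example.com") // constructed hostname
	must(csr, csr.CheckSignature())     // what a CA checks before signing: the request's own signature holds
	leaf, root := IssueWithPrivateCA(csr)
	fmt.Println("CSR signed with:", csr.SignatureAlgorithm, "| cert signed with:", leaf.SignatureAlgorithm)
	fmt.Println("leaf verifies against private root:", leaf.CheckSignatureFrom(root) == nil)
}
```

The private key returned by NewCSR is what the server keeps; only the CSR is sent to the CA, which is the part of the process a commercial CA's web form hides.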