[Ach] StartSSL for Business Sysadmins

Axel Hübl axel.huebl at web.de
Sun Jan 12 14:55:12 CET 2014


Just a side note on StartSSL for business sysadmins:

>>>> On 11.01.2014, at 21:36, Rainer Hoerbe <rainer at hoerbe.at>
>>>> wrote:
>>>> ... The question is why to pay for a certificate of low
>>>> value, when you can get the same product elsewhere for free,
>>>> e.g. Startssl. ...

StartSSL is only free for *private*/personal certificates:

> This electronic mail message was created by StartCom's
> Administration Personnel:
> Thank you for requesting a digital certificate with us. However
> Class 1 certificates are not meant to be used for commercial 
> activities or financial transactions according to our policy. For
> this purpose please consider upgrading to Class 2 or higher 
> verification level. Please see https://www.startssl.com/?app=32
> about how to enroll. Thank you for your understanding.

So if you intend to secure your online shops, your company servers or
similar, you have to go for a Class 2 Cert which means you have to
prove/pay the identity check *once a year* for $59.90:

With that you can get unlimited Class 2 Certs again during that period.
If I am not totally mistaken, their Class 2 Certs are also valid for 2
or 3 years (instead of 1 year for their free class 1 certs).


P.S.: please use mail subjects ;)
On 12.01.2014 14:12, Ahmad Bilal wrote:
> Yes, there should be a tutorial about starting to work with SSL,
> something very, very easy to understand. It could be a guideline
> type of thing about what to expect, and it should assume that the
> very basic words related to certificates are jargon to the intended
> reader.
> - Basic explanation of what a certificate does
> - Some alternatives, pros/cons of certificates
> - A few established providers, who are industry reviewed
> - A general process of what are the minimum things that should
>   happen (should be based upon experience with the established
>   players) etc.
> - A general flowchart (graph)
> The point is, most SysAdmins don't know which point exactly they
> are missing in this vast field; there is trust at stake, the security
> of more than a handful of users is at stake, so a SysAdmin should be
> spoon-fed everything all over again. I know that sounds a bit
> excessive, but my main point is that there is a lot of noise
> around this topic, and that is the main bottleneck for many like me.
> On 12 January 2014 17:48, Andreas Mirbach <a.mirbach at me.com>
> wrote:
>> Ok, I see StartSSL is a little difficult. But we can't provide a
>> how-to for that, I think, because every CA has a slightly
>> different process and every CA already provides a how-to for obtaining
>> a certificate in their FAQs. If you're still in trouble I can help you
>> to understand the StartSSL process.
>> @all: Ahmad pointed out that some SSL starters don't really know
>> how to retrieve an SSL certificate. I can remember my first try at
>> that. So maybe a section that describes the general process of
>> generating a certificate and signing it by a CA would be very
>> helpful. What do you say?
>> Regards, Andreas Mirbach
>> Sent from my iPad
>> On 12.01.2014, at 06:56, Ahmad Bilal <ahmadbilal200854 at gmail.com>
>> wrote:
>> Also, I tried StartSSL at first, but got lost somewhere, and gave
>> up in between. So yes, people like me want to improve, just need
>> the light! :)
>> On 12 January 2014 11:25, Ahmad Bilal
>> <ahmadbilal200854 at gmail.com> wrote:
>>> Thanks Rainer and Andreas. Yes, I was aware that it's not that
>>> safe to trust GoDaddy, but to put it honestly, learning about
>>> SSL/TLS/etc. is like starting all over again, after barely
>>> learning programming. There are not many guides out there easily
>>> searchable. It was just coincidence that I found out about
>>> BetterCrypto.
>>> I have read the draft, it has been very helpful, but my
>>> opinion is, if the explanations are a bit simpler, then
>>> people will benefit even more from it. As I said above, and it's
>>> also written in the draft, weak code written by
>>> programmers is a big concern. It should not be assumed that a
>>> programmer would learn coding, and then start to learn about
>>> cryptography. Instead, ideally, one should learn cryptography
>>> and programming together, so that means that midway, where a
>>> person has only grasped intermediate concepts in programming,
>>> he should be introduced to cryptography.
>>> That means, in short, that it should be assumed that the
>>> SysAdmin (at which this initiative is aimed) can be an average
>>> SysAdmin, as well as a well-established SysAdmin.
>>> I might be saying what has already been said many times, and
>>> I mean no offense to anyone. I'm just resonating what are my
>>> honest feelings about this.
>>> Thanks a lot, I hope to learn a lot around here.
>>> On 12 January 2014 03:16, Andreas Mirbach <a.mirbach at me.com>
>>> wrote:
>>>> Even if those certificate authorities have not been hacked,
>>>> you have to ask yourself "do you trust these third parties in
>>>> your chain?". For websites that need to be reached over the
>>>> internet by unknown clients, you need them. But if you know
>>>> your clients, e.g. your company's computers, you can/should use
>>>> your own CAs. In my opinion there should be a more detailed
>>>> section about certificate authorities.
>>>> Andreas Mirbach
>>>> Sent from my iPad
>>>> On 11.01.2014, at 21:36, Rainer Hoerbe <rainer at hoerbe.at>
>>>> wrote:
>>>> Finding SHA1 collisions requires 2**63 tries (may be a bit
>>>> less). Faking a certificate this way is quite expensive;
>>>> there are cheaper ways.
>>>> No, you do not need to be worried, because the security value of
>>>> those commercial certificates is near zero anyway. It has been
>>>> insinuated that GoDaddy has been hacked in the past. The
>>>> question is why to pay for a certificate of low value, when
>>>> you can get the same product elsewhere for free, e.g.
>>>> Startssl.
>>>> - Rainer
>>>> On 11.01.2014 at 15:02, Ahmad Bilal
>>>> <ahmadbilal200854 at gmail.com> wrote:
>>>> I have a question. I recently bought a certificate from
>>>> godaddy, and during the installation I chose SHA-2, but the
>>>> Certificate Signing Request in raw form has SHA-1 written on
>>>> it, and not SHA-2. Should I be worried?
>>>> -- *Ahmad Bilal*
>>>> _______________________________________________ Ach mailing
>>>> list Ach at lists.cert.at 
>>>> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>>> -- *Ahmad Bilal*
>> -- *Ahmad Bilal*
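The two practical questions in the thread above (whether the SHA-1 that shows up in a raw CSR matters, and what the general process of generating a certificate and having a CA sign it looks like) can be walked through on the openssl command line. The following is an added example, not code from the original thread or from the BetterCrypto project. It assumes the openssl CLI is installed, sets up a throwaway private root CA of the kind Andreas suggests for clients whose trust store you control, and uses constructed names (internal.example, "Example Internal CA") in a temporary work directory. The CSR is deliberately signed with SHA-1 to mirror Ahmad's situation, so that printing both artifacts shows the issued certificate's digest is chosen by the CA independently of the CSR's own signature.

```shell
#!/bin/sh
# Added example for the thread above, not original content. Assumes the
# openssl CLI is installed. Host name, CA name and work directory are
# constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Server key and CSR. The digest given here only signs the CSR itself;
#    it is the "Signature Algorithm" you see when you print the CSR.
#    run_all passes sha1 to mirror a CSR that shows SHA-1 in raw form.
make_csr() {
  digest="${1:-sha256}"
  openssl req -new -newkey rsa:2048 -nodes "-$digest" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=internal.example" >/dev/null 2>&1
}

# Hash algorithm recorded in the CSR's own signature.
csr_sig_alg() {
  openssl req -in "$WORK/server.csr" -noout -text |
    awk '/Signature Algorithm/ { print $3; exit }'
}

# 2. A self-signed private root CA, the option for clients you control.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Internal CA" >/dev/null 2>&1
}

# 3. The CA signs the CSR. The digest of the issued certificate is chosen
#    here by the CA, independently of what the CSR was signed with.
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -sha256 -days 30 -out "$WORK/server.crt" >/dev/null 2>&1
}

# Hash algorithm used in the issued certificate's signature.
cert_sig_alg() {
  openssl x509 -in "$WORK/server.crt" -noout -text |
    awk '/Signature Algorithm/ { print $3; exit }'
}

# 4. Check that the issued certificate chains to the private root.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

run_all() {
  make_csr sha1 && make_ca && sign_csr && verify_chain
}

main() {
  run_all
  echo "CSR signed with:         $(csr_sig_alg)"
  echo "Certificate signed with: $(cert_sig_alg)"
}
main
```

Running the script prints sha1WithRSAEncryption for the CSR and sha256WithRSAEncryption for the certificate: the CSR's signature only proves possession of the private key at submission time, while the digest that matters to relying parties is the one the CA uses when it issues the certificate. For a public CA the same sequence applies, except that step 3 happens on the CA's side after its identity validation.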

