[Ach] StartSSL for Business Sysadmins

Axel Hübl axel.huebl at web.de
Sun Jan 12 14:55:12 CET 2014


Just a side note on StartSSL for business sysadmins:

>>>> On 11.01.2014, at 21:36, Rainer Hoerbe <rainer at hoerbe.at>
>>>> wrote:
>>>> 
>>>> ... The question is why to pay for a certificate of low
>>>> value, when you can get the same product  elsewhere for free,
>>>> e.g. Startssl. ...

StartSSL is only free for *private*/personal certificates:

> This electronic mail message was created by StartCom's
> Administration Personnel:
> 
> Thank you for requesting a digital certificate with us. However
> Class 1 certificates are not meant to be used for commercial 
> activities or financial transactions according to our policy. For
> this purpose please consider upgrading to Class 2 or higher 
> verification level. Please see https://www.startssl.com/?app=32
> about how to enroll. Thank you for your understanding.

So if you intend to secure your online shops, your company servers or
similar, you have to go for a Class 2 Cert, which means you have to
prove/pay for the identity check *once a year* for $59.90:
  https://www.startssl.com/?app=2

With that you can get unlimited Class 2 Certs again during that period.
If I am not totally mistaken, their Class 2 Certs are also valid for 2
or 3 years (instead of 1 year for their free class 1 certs).


Best,
Axel

P.S.: please use mail subjects ;)
On 12.01.2014 14:12, Ahmad Bilal wrote:
> Yes, there should be a tutorial about starting to work with SSL,
> something very, very easy to understand. It could be a guideline
> type of thing about what to expect, and it should assume that the
> very basic words related to certificates are jargon to the intended
> reader.
> 
> - Basic explanation of what a certificate does
> - Some alternatives, pros/cons of certificates
> - A few established providers who are industry reviewed
> - A general process of what are the minimum things that should
>   happen (should be based upon experience with the established
>   players), etc. A general flowchart (graph)
> 
> 
> The point is, most SysAdmins don't know which point exactly they
> are missing in this vast field; there is trust at stake, the security
> of more than a handful of users is at stake, so a SysAdmin should be
> spoon-fed everything all over again. I know that sounds a bit
> excessive, but my main point is that there is a lot of noise
> around this topic, and that is the main bottleneck for many like me.
> 
> On 12 January 2014 17:48, Andreas Mirbach <a.mirbach at me.com>
> wrote:
> 
>> Ok, I see StartSSL is a little difficult. But we can't provide a
>> how-to for that, I think, because every CA has a slightly
>> different process and every CA already provides a how-to for
>> obtaining a certificate in their FAQs. If you're still in trouble I
>> can help you to understand the StartSSL process.
>> 
>> @all: Ahmad pointed out that some SSL starters don't really know
>> how to obtain an SSL certificate. I can remember my first try at
>> that. So maybe a section that describes the general process of
>> generating a certificate and signing it by a CA would be very
>> helpful. What do you say?
>> 
>> Regards Andreas Mirbach
>> 
>> Sent from my iPad
>> 
>> On 12.01.2014, at 06:56, Ahmad Bilal <ahmadbilal200854 at gmail.com>
>> wrote:
>> 
>> Also, I tried StartSSL at first, but got lost somewhere, and gave
>> up in between. So yes, people like me want to improve, just need
>> the light! :)
>> 
>> 
>> 
>> On 12 January 2014 11:25, Ahmad Bilal
>> <ahmadbilal200854 at gmail.com> wrote:
>> 
>>> Thanks Rainer and Andreas. Yes, I was aware that it's not that
>>> safe to trust GoDaddy, but to put it honestly, learning about
>>> SSL/TLS/etc. is like starting all over again after barely
>>> learning programming. There are not many guides out there that are
>>> easily searchable. It was just a coincidence that I found out about
>>> BetterCrypto.
>>> 
>>> I have read the draft, and it has been very helpful, but my
>>> opinion is that if the explanations are a bit simpler, then
>>> people will benefit even more from it. As I said above, and it's
>>> also written in the draft, weak code written by
>>> programmers is a big concern. It should not be assumed that a
>>> programmer would learn coding and then start to learn about
>>> cryptography. Instead, ideally, one should learn cryptography
>>> and programming together, which means that midway, when a
>>> person has only grasped intermediate concepts in programming,
>>> he should be introduced to cryptography.
>>> 
>>> That means, in short, that it should be assumed that the
>>> SysAdmin (at which this initiative is aimed) can be an average
>>> SysAdmin as well as a well-established SysAdmin.
>>> 
>>> I might be saying what has already been said many times, and
>>> I mean no offense to anyone. I'm just resonating what my
>>> honest feelings about this are.
>>> 
>>> Thanks a lot, I hope to learn a lot around here.
>>> 
>>> 
>>> On 12 January 2014 03:16, Andreas Mirbach <a.mirbach at me.com>
>>> wrote:
>>> 
>>>> Even if those certificate authorities have not been hacked,
>>>> you have to ask yourself "do you trust these third parties in
>>>> your chain?". For websites that need to be reached over the
>>>> internet by unknown clients, you need them. But if you know
>>>> your clients, e.g. your company's computers, you can/should use
>>>> your own CAs. In my opinion there should be a more detailed
>>>> section about certificate authorities.
>>>> 
>>>> Andreas Mirbach
>>>> 
>>>> Sent from my iPad
>>>> 
>>>> On 11.01.2014, at 21:36, Rainer Hoerbe <rainer at hoerbe.at>
>>>> wrote:
>>>> 
>>>> Finding SHA1 collisions requires 2**63 tries (maybe a bit
>>>> less). Faking a certificate this way is quite expensive;
>>>> there are cheaper ways.
>>>> 
>>>> No, you do not need to be worried, because the security value of
>>>> those commercial certificates is near zero anyway. It has been
>>>> insinuated that GoDaddy have been hacked in the past. The
>>>> question is why to pay for a certificate of low value, when
>>>> you can get the same product elsewhere for free, e.g.
>>>> StartSSL.
>>>> 
>>>> - Rainer
>>>> 
>>>> On 11.01.2014 at 15:02, Ahmad Bilal
>>>> <ahmadbilal200854 at gmail.com> wrote:
>>>> 
>>>> I have a question. I recently bought a certificate from
>>>> godaddy, and during the installation I chose SHA-2, but the
>>>> Certificate Signing Request in raw form has SHA-1 written on
>>>> it, and not SHA-2. Should I be worried?
>>>> 
>>>> 
>>>> 
>>>> -- *Ahmad Bilal*
>>>> 
>>>> _______________________________________________ Ach mailing
>>>> list Ach at lists.cert.at 
>>>> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>>>> 
>>>> 
>>> 
>>> 
>>> -- *Ahmad Bilal*
>>> 
>>> 
>> 
>> 
>> -- *Ahmad Bilal*
>> 
>> 
> 
> 
> 
> 
> _______________________________________________ Ach mailing list 
> Ach at lists.cert.at 
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
> 
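The general process Andreas asks for above (generate a key and a CSR, have a CA sign it, verify the result), combined with the check behind Ahmad's question (which hash a CSR was actually signed with), as an added example that is not part of this thread or of the BetterCrypto draft. It assumes a POSIX shell with the OpenSSL command-line tool on the path; the names www.example.internal and Example Corp, the private "Example Corp Internal CA" (the own-CA case Andreas mentions for clients you control), and the temporary working directory are all made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): key -> CSR -> CA signature -> verify,
# with a check of the signature hash at each step. Names and the private CA
# are hypothetical; everything happens in a temporary directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Server key and CSR. -sha256 selects the hash used to self-sign the CSR.
#    On older OpenSSL builds the default was SHA-1, which is what shows up as
#    "sha1WithRSAEncryption" when you inspect such a request.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=www.example.internal/O=Example Corp" 2>/dev/null
}

# Signature algorithm recorded in a CSR (what the CA sees in the request).
csr_sig_alg() {
  openssl req -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# 2. A private CA, the "own CA" case for clients you control.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Corp Internal CA/O=Example Corp" 2>/dev/null
}

# 3. The CA signs the CSR. The hash in the issued certificate is chosen here,
#    by the CA's -sha256; the hash used inside the CSR does not carry over.
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -sha256 -days 730 -out "$WORK/server.crt" 2>/dev/null
}

# Signature algorithm recorded in an issued certificate.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# 4. Verify the issued certificate chains to the CA, as a client would.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

main() {
  make_csr && make_ca && sign_csr
  echo "CSR signed with:  $(csr_sig_alg "$WORK/server.csr")"
  echo "Cert signed with: $(cert_sig_alg "$WORK/server.crt")"
  verify_chain && echo "chain OK: server.crt was issued by ca.crt"
}

main
```

The two inspection functions are the practical answer to the SHA-1-in-the-CSR question: the CSR's own signature only proves possession of the private key to the CA, while the signature on the certificate that browsers check is made by the CA with the hash the CA chooses, so `cert_sig_alg` on the issued certificate is the value that matters.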
