
Someone (I don't know whom) wasn't thrilled to have their Mailman password sent to our web site via a non-SSL, hence non-encrypted, connection. Which points to it being desirable to have an SSL cert. We could doubtless set up a self-signed cert; that's obviously not going to go through without "oh, that mightn't be totally legit" warnings. We'd not be overly keen on "spending all our substance" on SSL certs, not when the only use is to protect Mailman passwords. I hear Mozilla may be coming out with something later this year (something called "letsencrypt.org"); anyone have other bright ideas?
-- 
When confronted by a difficult problem, solve it by reducing it to the question, "How would the Lone Ranger handle this?"

Yes, letsencrypt.org is an effort to make it possible for small folks like us to have ssl certs, addressing both cost and complexity. In the meantime, I've done self-signed ones, but installation is a pain... --dave
On 03/23/2015 09:21 PM, Christopher Browne wrote:
Someone (I don't know whom) wasn't thrilled to have their Mailman password sent to our web site via a non-SSL, hence non-encrypted, connection. Which points to it being desirable to have an SSL cert.
We could doubtless set up a self-signed cert; that's obviously not going to go through without "oh, that mightn't be totally legit" warnings.
We'd not be overly keen on "spending all our substance" on SSL certs, not when the only use is to protect Mailman passwords. I hear Mozilla may be coming out with something later this year (something called "letsencrypt.org"); anyone have other bright ideas?
-- 
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb@spamcop.net           |                       -- Mark Twain

I don't think letsencrypt.org is ready for signing certs. You can get a free one for a year at https://www.startssl.com/ and you just have to remember to go and renew it each year. They are a CA that's already in most browsers.
On Mon, Mar 23, 2015 at 10:22 PM, David Collier-Brown <davec-b@rogers.com> wrote:
Yes, letsencrypt.org is an effort to make it possible for small folks like us to have ssl certs, addressing both cost and complexity. In the meantime, I've done self-signed ones, but installation is a pain...
--dave

Sorry, that made it sound like it's only free for the first year... Their lowest level one is always free, but expires after a year. You can just renew each year with no issues.
On Tue, Mar 24, 2015 at 10:28 AM, Tim Tisdall <tisdall@gmail.com> wrote:
I don't think letsencrypt.org is ready for signing certs. You can get a free one for a year at https://www.startssl.com/ and you just have to remember to go and renew it each year. They are a CA that's already in most browsers.
On Mon, Mar 23, 2015 at 10:22 PM, David Collier-Brown <davec-b@rogers.com> wrote:
Yes, letsencrypt.org is an effort to make it possible for small folks like us to have ssl certs, addressing both cost and complexity. In the meantime, I've done self-signed ones, but installation is a pain...
--dave

I had tried using www.startssl.com but found their interface and way of doing things awkward. And I think there are some limitations, e.g. commercial use costs money I think. Now I typically buy rapidssl certificates from ssls.com for $9.95/year though they have Comodo for $8.95 and multi-year discounts. But looking forward to letsencrypt.org I am.
Hope that helps - cheers!
John
On Tue, 2015/03/24 10:28:25AM -0400, Tim Tisdall <tisdall@gmail.com> wrote:
| I don't think letsencrypt.org is ready for signing certs. You can get
| a free one for a year at https://www.startssl.com/ and you just have
| to remember to go and renew it each year. They are a CA that's
| already in most browsers.

On Tue, Mar 24, 2015 at 12:05 PM, John Sellens <jsellens@syonex.com> wrote:
I had tried using www.startssl.com but found their interface and way of doing things awkward. And I think there are some limitations, e.g. commercial use costs money I think.
Hmm.. I don't remember seeing a limitation about commercial use. Do you have a link to that? They do have some hoops you have to jump through to ensure you are who you say you are, but I didn't find it terribly hard.

On Tue, 2015/03/24 12:25:49PM -0400, Tim Tisdall <tisdall@gmail.com> wrote:
| Hmm.. I don't remember seeing a limitation about commercial use. Do
| you have a link to that?
I may have been mis-remembering (or it might have changed) or perhaps I bumped up against http://www.startssl.com/?app=25#2 which (I think) says that you can't have an organization or company name in a free certificate.
Actually, looking back in my mail archives, they declined to issue me a certificate for a web hosting server in January 2013, and I think the reason at that time was that it was business related.
John

On Tue, Mar 24, 2015 at 1:51 PM, John Sellens <jsellens@syonex.com> wrote:
On Tue, 2015/03/24 12:25:49PM -0400, Tim Tisdall <tisdall@gmail.com> wrote:
| Hmm.. I don't remember seeing a limitation about commercial use. Do
| you have a link to that?
I may have been mis-remembering (or it might have changed) or perhaps I bumped up against
http://www.startssl.com/?app=25#2
which (I think) says that you can't have an organization or company name in a free certificate.
Actually, looking back in my mail archives, they declined to issue me a certificate for a web hosting server in January 2013, and I think the reason at that time was that it was business related.
I think that's referring to the fact that they can only authenticate individuals for the free one. So the free certificate is going to contain the person's name that they authenticated. When I used it, I don't remember trying to add a company name so you're probably right that they don't allow you to add one unless you go for the next level of cert (the one you buy).
Anyway, none of this precludes someone at GTALUG creating a certificate for the mailserver's domain name and securing the necessary pages. You just have to use their automated system to prove you are who you are and that you own (or have control over) the domain name in question. The benefit is that pretty much every browser already has startssl's CA included.

On 24/03/15 02:27 PM, Tim Tisdall wrote:
On Tue, Mar 24, 2015 at 1:51 PM, John Sellens <jsellens@syonex.com> wrote:
On Tue, 2015/03/24 12:25:49PM -0400, Tim Tisdall <tisdall@gmail.com> wrote:
| Hmm.. I don't remember seeing a limitation about commercial use. Do
| you have a link to that?
I may have been mis-remembering (or it might have changed) or perhaps I bumped up against
http://www.startssl.com/?app=25#2
which (I think) says that you can't have an organization or company name in a free certificate.
Actually, looking back in my mail archives, they declined to issue me a certificate for a web hosting server in January 2013, and I think the reason at that time was that it was business related.
I think that's referring to the fact that they can only authenticate individuals for the free one. So the free certificate is going to contain the person's name that they authenticated. When I used it, I don't remember trying to add a company name so you're probably right that they don't allow you to add one unless you go for the next level of cert (the one you buy).
Anyway, none of this precludes someone at GTALUG creating a certificate for the mailserver's domain name and securing the necessary pages. You just have to use their automated system to prove you are who you are and that you own (or have control over) the domain name in question. The benefit is that pretty much every browser already has startssl's CA included.
Yeah, I'm pretty sure that just means organization validation is not available at the free tier. (I'm validated as an individual and an organization.) They're pretty strict about WHOIS information matching the validation when issuing certificates now, so they might have declined your certificate not because it was on the free tier but possibly because your WHOIS information was for your business but the free certificate only gets linked to an individual.

On 23/03/15 09:21 PM, Christopher Browne wrote:
Someone (I don't know whom) wasn't thrilled to have their Mailman password sent to our web site via a non-SSL, hence non-encrypted, connection.
That... specifically is a bit of a silly concern. Standard GNU Mailman sign-up instructions read:
"""
You may enter a privacy password below. This provides only mild security, but should prevent others from messing with your subscription. **Do not use a valuable password** as it will occasionally be emailed back to you in cleartext.
"""
(I believe GNU Mailman also *stores* passwords in plain text.) There's no reasonable expectation of security with a GNU Mailman password to begin with.
Which points to it being desirable to have an SSL cert. [...]
Still, SSL seems like a good idea regardless, even if it wouldn't solve any issue with Mailman.
participants (5)
- Blaise Alleyne
- Christopher Browne
- David Collier-Brown
- John Sellens
- Tim Tisdall