SSL certificate selection


Jeremy Morse

Jul 8, 2014, 9:03:16 PM
to srobo...@googlegroups.com
Hi,

I've glanced over a few SSL providers for the upcoming SSL certificate
purchase on the 1st of August [0]. The primary differences from last
time are a) The internet now believes godaddy are evil, and b) we should
probably buy a wildcard certificate, as it's immediately foreseeable
that we need more than one server doing more than one thing.

In theory we could buy several one-subdomain certificates for less than
a wildcard, however IMO it's worth hedging on a future where we meet the
cost tradeoff point (7 or 8 subdomains), for the flexibility and so that
we don't have to track the expiry dates of multiple certs.

~

I'm not an expert on the SSL certificate market (I've bought twice), so
corrections would be appreciated, but AFAIK there are a few factors to
consider when getting a certificate:
a) Browser acceptance
b) What technology the certificate allows us to use
c) Whether people will actually trust it

For a), we just need to limit ourselves to people who quote the '99.3%
browser compatibility' figure. This means people who're in all the
popular browsers [1].

For b), aside from wildcard/not-wildcard, the certificate controls
approximately nothing about what we can do with it. The only limitation
I've seen is the key-lengths allowed.

c) While I sneer whenever I see COMODO [2], the end user only cares
about whether their browser spat errors at them while accessing the
website. We're not looking for organizational verification.

~

With that in mind, the absolute cheapest wildcard certificate I can find
is [4]. For ~£200 that gets us five years. It's not clear what the exact
certificate chain will be, but it's signed by COMODO, who are big (and
cheap) and in all popular browsers. The downside is that the key-length
is limited to 2048 bits. This is lower than what we have right now, but
the same size as most root certificates anyway.

I'd appreciate any opinions or suggestions that are out there.

[0] https://www.studentrobotics.org/trac/ticket/2290
[1] Apparently mobile browser support is less straightforward, but I
don't think that's a game we want to play.
[2] I use certificatepatrol [3]
[3] https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/
[4] https://cheapsslsecurity.com/comodo/positivessl-wildcard.html

--
Thanks,
Jeremy


Jeremy Morse

Jul 16, 2014, 11:56:32 AM
to srobo...@googlegroups.com
Hi,

Without objection, I'll go about purchasing the ssl-cheap wildcard cert
on or around the 1st of August. My opinion is that the only real risk
with it is that the vendor is a crook, rather than any risk with the
actual certificate / chain itself.

--
Thanks,
Jeremy


Rob Spanton

Jul 17, 2014, 10:56:55 AM
to srobo...@googlegroups.com
Seems reasonable to me.

Cheers,

R

Jeremy Morse

Aug 1, 2014, 6:05:49 AM
to srobo...@googlegroups.com
Hi,

New certificate installed. beedogs.studentrobotics.org is not yet
configured, sorry.

--
Thanks,
Jeremy


Jeremy Morse

Aug 1, 2014, 1:49:12 PM
to srobo...@googlegroups.com
Hi,

Peter reported that git now has trouble accessing the website after the
certificate change. On a hunch, I changed the order in which the
additional certificates (the intermediate, and the root) are served at
users, and now everything works fine.

It's unclear whether this is gnutls being rubbish (highly likely) or
whether it's just me configuring it wrong. I've never seen any
information on how to order certificates, anywhere, and serving multiple
certs must be a supported operation (some people have five in a chain).

Anyway; if you notice a change in behaviour in the website from 1830
when I made this change, that's why.

--
Thanks,
Jeremy


Jeremy Morse

Aug 1, 2014, 1:49:46 PM
to srobo...@googlegroups.com
Hi,

On 01/08/14 18:49, Jeremy Morse wrote:
> Peter reported that git now has trouble accessing the website after the
> certificate change. On a hunch, I changed the order in which the
> additional certificates (the intermediate, and the root) are served at
> users, and now everything works fine.

Clarity: the intermediate is now served first.

--
Thanks,
Jeremy

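The chain-ordering problem described in the two messages above, together with the wildcard question from the first message in the thread, as an added example in Go. This is not code from the original thread or from Student Robotics. It builds a throwaway root, intermediate and *.studentrobotics.org leaf (the CA names, the P-256 keys and the one-day lifetimes are assumptions for the example; the real certificate was RSA and Comodo-issued), checks that a bundle is in the order TLS clients expect (the server's own certificate first, then the intermediate, then optionally the root, per RFC 5246 section 7.4.2), and shows which hostnames a single wildcard name actually covers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a certificate for cn signed by parent; with parent == nil it is
// self-signed. P-256 keys and one-day validity are assumptions for the example.
func issue(cn string, dnsNames []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Demo builds a hierarchy shaped like the one in the thread (assumed names)
// and returns leaf, intermediate, root.
func Demo() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := issue("Example Root CA", nil, true, nil, nil)
	inter, interKey := issue("Example Intermediate CA", nil, true, root, rootKey)
	leaf, _ := issue("*.studentrobotics.org", []string{"*.studentrobotics.org"}, false, inter, interKey)
	return leaf, inter, root
}

// CheckChainOrder enforces the order a TLS server must send (RFC 5246 7.4.2):
// the server's certificate first, then each certificate directly certifying
// the one before it. It reports the first position where that breaks.
func CheckChainOrder(chain []*x509.Certificate) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty chain")
	}
	if chain[0].IsCA {
		return fmt.Errorf("first certificate %q is a CA certificate, not the server's", chain[0].Subject.CommonName)
	}
	for i := 0; i+1 < len(chain); i++ {
		// CheckSignatureFrom also insists the signer is a CA with certSign usage.
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return fmt.Errorf("position %d: %q is not certified by %q: %v",
				i+1, chain[i].Subject.CommonName, chain[i+1].Subject.CommonName, err)
		}
	}
	return nil
}

// Covered reports, per hostname, whether cert would be accepted for it under
// the same name-matching rules Go's TLS client applies (one label per '*').
func Covered(cert *x509.Certificate, hosts []string) map[string]bool {
	out := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		out[h] = cert.VerifyHostname(h) == nil
	}
	return out
}

func main() {
	leaf, inter, root := Demo()
	hosts := []string{"www.studentrobotics.org", "beedogs.studentrobotics.org",
		"studentrobotics.org", "git.beedogs.studentrobotics.org"}
	for h, ok := range Covered(leaf, hosts) {
		fmt.Printf("%-34s covered=%v\n", h, ok)
	}
	fmt.Println("leaf, root, intermediate:", CheckChainOrder([]*x509.Certificate{leaf, root, inter}))
	fmt.Println("leaf, intermediate, root:", CheckChainOrder([]*x509.Certificate{leaf, inter, root}))
}
```

A verifier that builds the path itself (Go's x509.Verify given an intermediates pool, or openssl verify with -untrusted) accepts the bundle in either order, which is why a misordered chain can look fine from the server side and still break a stricter client; the check above is deliberately order-sensitive. The coverage result is the caveat to keep in mind with a single wildcard: *.studentrobotics.org covers beedogs.studentrobotics.org but neither the apex studentrobotics.org nor a deeper name like git.beedogs.studentrobotics.org, so those would need their own SAN entries.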

Peter Law

Aug 9, 2014, 7:06:13 PM
to Student Robotics
Jeremy wrote:
> beedogs.studentrobotics.org is not yet configured, sorry.

Is this suggesting that 'beedog' is the name for the next server?

Peter

Jeremy Morse

Sep 6, 2014, 6:31:49 AM
to srobo...@googlegroups.com
Hi,

Google have just announced they're deprecating SHA-1 certificates in
chrome that are valid past 2016 [0], and reporting them as insecure,
starting at some point in 2015. This affects us, as Comodo signed our
certificate with SHA-1 (it seems).

This isn't a disaster; we're able to re-issue the certificate at any
point (I've just checked that this option is available), and I imagine
that in the next couple of months Comodo will start issuing SHA-2
certificates.

[0]
http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html

--
Thanks,
Jeremy


Jeremy Morse

Oct 29, 2014, 2:15:42 PM
to srobo...@googlegroups.com
Hi,

On 06/09/14 11:31, Jeremy Morse wrote:
> Google have just announced they're deprecating SHA-1 certificates in
> chrome that are valid past 2016 [0], and reporting them as insecure,
> starting at some point in 2015. This affects us, as Comodo signed our
> certificate with SHA-1 (it seems).
>
> This isn't a disaster; we're able to re-issue the certificate at any
> point (I've just checked that this option is available), and I imagine
> that in the next couple of months Comodo will start issuing SHA-2
> certificates.

I'm currently in the process of re-issuing the certificate for
jmorse.net to be SHA2. The vendor now has a magical 'Signature
algorithm' dropdown menu on their CSR upload page, that allows one to
select SHA2.

If this is successful, in about a week I'll generate a new one for
*.studentrobotics.org.

--
Thanks,
Jeremy


Jeremy Morse

Nov 6, 2014, 5:45:30 PM
to srobo...@googlegroups.com
Hi,

On 29/10/14 18:15, Jeremy Morse wrote:
> If this is successful, in about a week I'll generate a new one for
> *.studentrobotics.org.

Deployed -- certificate pinning and other plugins may now bitch at you.

--
Thanks,
Jeremy
