Previously I noticed that StartSSL is offering free SSL certificates, i.e. proper certificates with a CA chain that is accepted by browsers. Now, while setting up my own web-server, I had the opportunity to try it out.
It seems to work well. The certificate seems to work; Firefox 3 does not spit out any errors or warnings, as it is otherwise very keen to do on self-signed certificates. The certificate is obtained without too much hassle, and fairly quickly, surely much easier than any CA with paper trail requirements.
I did have an issue with the site requiring the browser to send Referer headers, which I have disabled. Using Referer headers for functionality is usually a poor idea, requiring it goes against the HTTP spec, and there is no added security since it is trivial to forge it. Anyway, I switched to using the RefControl Firefox extension, which is much more flexible than what is built into about:config. The Block (3rd party) option suits me well.
Other than that, it is just a matter of registering an account (with the usual email confirmation mail exchange). Then validate your domain, which is the site’s way of making it difficult for someone to make a certificate claiming ownership of a domain that belongs to another person. Basically you have to be able to read mail sent to some address associated with the DNS of the domain, like the one in the SOA record or
Now generate the openssl certificate signing request as described in the Apache/mod_ssl documentation, and upload it in the appropriate web form. In a matter of seconds the properly signed server.crt is returned, and can be installed in Apache using the
SSLCertificateChainFile directives. Ah, and also remember to remove the passphrase on the server key, or the Apache startup will hang your boot process on the next reboot, waiting for someone to type the passphrase.
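As an added example (not part of the original post), here is a small shell check for the boot-hang problem described above: it reads an Apache config, finds each SSLCertificateKeyFile path, and reports keys that still need a passphrase. Because an unencrypted key is protected only by file permissions, it also flags keys accessible to group or other. The function names are made up for this example, and key paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: pre-reboot audit of the TLS keys an Apache config points at.
# Function names are hypothetical; source the file or run it with a config path.

# key_is_encrypted FILE -> exit 0 if the PEM key will prompt for a passphrase.
key_is_encrypted() {
    # Traditional PEM flags encryption in a Proc-Type header line;
    # PKCS#8 uses a distinct BEGIN label instead.
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# key_perms_ok FILE -> exit 0 if group and other have no access (e.g. 600, 400).
key_perms_ok() {
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *00|0) return 0 ;;
        *)     return 1 ;;
    esac
}

# list_key_files CONF -> print each SSLCertificateKeyFile path found in CONF.
# Directive names are case-insensitive; commented-out lines do not match.
list_key_files() {
    awk 'tolower($1) == "sslcertificatekeyfile" { gsub(/"/, "", $2); print $2 }' "$1"
}

# audit_conf CONF -> one line per finding; non-zero exit status if any.
audit_conf() {
    rc=0
    for key in $(list_key_files "$1"); do
        if [ ! -r "$key" ]; then
            echo "UNREADABLE $key"; rc=1; continue
        fi
        if key_is_encrypted "$key"; then
            echo "ENCRYPTED $key (httpd will wait for a passphrase at startup)"; rc=1
        fi
        if ! key_perms_ok "$key"; then
            echo "LOOSE_PERMS $key (unencrypted keys rely on file permissions)"; rc=1
        fi
    done
    return $rc
}

# Run the audit when a config path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_conf "$1"
fi
```

The passphrase itself can be removed with `openssl rsa -in server.key -out server.key.nopass`, after which the new file should be restricted to the user that starts Apache.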
I still find it a hassle to have to go through this just to be able to encrypt web traffic, something that really should have been standard long ago. The real problem is that the only available standard using https:// URLs mixes two completely different issues: that of encrypting the data channel, and that of validating that the server is who the client thinks it is. Due to this mixup, implementations are left with the dilemma of either compromising the latter or making the former a hassle, and mainstream browsers generally choose the hassle option.
At least with StartSSL, encryption is possible both free of cost and (relatively) free of administrative hassle. But there are still a number of technical problems and hassles. Like the fact that it is not possible to run multiple domains on the same IP address without browsers spitting out warnings en masse. Well, at least my StartSSL certificate seems to work for versions of the associated domain both with and without the