Speaking of SSL
This site can be accessed via a TLS/SSL connection, but the certificate is locally signed.
So what does this mean?
Well, as far as the security of the connection between your computer, gentle reader, and the server is concerned it means that it is just as secure as any connection using a 256-bit AES key. That’s very secure.
It also means that your browser will display a prominent warning that the site is not trusted. This can be a bit deceptive because when your browser says that it just means that my certificate is not signed by one of around a couple of hundred certificate authorities (the exact number varies between browsers).
So why not get a certificate authority to sign my certificate?
There are two main reasons for this: cost and a false sense of security.
The certificate authorities (CA) charge exorbitant sums for most of their certificates. My current key is valid for five years (beginning last September) and can be used by any subdomain on my domain. To get a key like that signed by any CA would cost hundreds of dollars or even thousands through some CAs. While there are free certificates available from some CAs, these are almost always the absolute bare bones; limited to a single hostname (I would have to choose between www.adversary.org or my server’s real hostname of seditious.adversary.org) and limited in the amount of time the certificate could be valid for. Most free certificates are only valid for one year or less.
The second reason is the false sense of security. Most people are satisfied by just seeing the little padlock icon appear in their browser, or a change in the address bar. Very few actually verify the details of a site’s certificate and the connection. Often they don’t even confirm that the certificate really is signed for the correct organisation. This can lead to very bad things.
Don’t believe me? Fine, start with this article from Wired in 2009. There are plenty of other articles on this issue, just do a little search on “ssl certificate exploit” to see them.
Now since this site isn’t hosting any kind of merchant site with a payment gateway, I have no business compliance requirements to submit to an external certificate “authority” for my domain. I would much rather people verify the SSL fingerprint themselves and add the exception. The current fingerprints (MD5 and SHA1) are available in the About section of this site.
Originally published at Organised Adversary. Please leave any comments there.