## A New Solution, To Independent Web-masters Wanting SSL Certificates

One of the subjects I have written about was that it is difficult for small-time Web-masters to obtain SSL certificates, which are responsible for giving httpS:// URLs and for allowing secure connections to the server. And this seemed to be true entirely for reasons of profit, ironically, even though the Internet today is focused strongly on wanting to provide security and privacy, via httpS:// specifically.

In my own past efforts to obtain such a certificate, which is based on Public Key Cryptography, I turned to the Certificate Authority named ‘‘. But one drawback in using their free services is the fact that their acceptance is not bundled with most browsers, and the official reason for that is apparent audit failures in the past.

This meant that whatever httpS:// URLs I did have would only display error messages in the browsers of other people, unless steps were taken to install their manually. And this can wreck the entire purpose of having a Web-site.

Well, there is a new game in town, which I have started to subscribe to, named ““. The premise of this provider is that they can carry out all the authentication steps via automated robots and clients, yet satisfy all the requirements – and Oh Yes, They Are Free.

Since I have started using , you may notice that all the URLs which I had offered as http:// in the past, now also have an httpS:// version. You can try to access the following link via SSL below:

Mini-Showcase

I must warn you though, that if instead, you would like to open this blog using SSL, you will get an icon warning you that certain objects in this part of my site are non-secure. This message appears because I have many URLs, including images, embedded into my blog as the older http:// variety, and know of no fast way to convert all of those into httpS:// URLs. Hence, by its nature my blog will continue to display this mixed content, partially SSL and partially not, and for that reason I see no benefit to you, of accessing it via SSL.
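The mixed-content problem described above can be audited mechanically. The following is an added example, not code from the original post: it parses a page with the standard-library HTML parser, lists every subresource still loaded over http://, and upgrades only the URLs on the blog's own host (dirkmittler.homeip.net, taken from the post), since that is the only host the author's certificate covers. Third-party http:// resources are reported rather than rewritten, because a host that serves no TLS would simply break if its URL were upgraded blindly. The sample page is constructed.

```python
"""Added example, not code from the original post: find mixed-content
subresources in an HTML page and upgrade only those the site itself can
serve over https://. The blog host name comes from the post; the sample
page below is constructed."""
from html.parser import HTMLParser
import re

OWN_HOST = "dirkmittler.homeip.net"   # the author's host, from the post

# Attributes the browser fetches as subresources. <a href> is navigation,
# not a subresource, so it does not trigger a mixed-content warning and
# is deliberately not listed here.
SUBRESOURCE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
    "object": ("data",),
}

class MixedContentFinder(HTMLParser):
    """Collects (tag, attribute, url) for every http:// subresource."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag, ())
        for attr, value in attrs:
            if attr in wanted and value and value.lower().startswith("http://"):
                self.findings.append((tag, attr, value))

def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

def rewrite_own_urls(html, own_host=OWN_HOST):
    """Rewrite http://own_host/... to https://own_host/... everywhere in the
    page. Third-party http:// URLs are left untouched: upgrading them blindly
    breaks resources whose hosts serve no TLS, so they are reported instead."""
    pattern = re.compile(r"http://" + re.escape(own_host) + r"(?=[/'\"\s?#]|$)",
                         re.IGNORECASE)
    return pattern.sub("https://" + own_host, html)

# Constructed sample page, not taken from the blog.
SAMPLE_HTML = """<html><body>
<img src="http://dirkmittler.homeip.net/images/photo.jpg">
<script src="http://example.org/widget.js"></script>
<link rel="stylesheet" href="https://dirkmittler.homeip.net/style.css">
<a href="http://dirkmittler.homeip.net/page.html">a link</a>
</body></html>"""

def audit(html=SAMPLE_HTML, own_host=OWN_HOST):
    """Report what is still mixed content after upgrading the site's own URLs."""
    before = find_mixed_content(html)
    fixed = rewrite_own_urls(html, own_host)
    remaining = find_mixed_content(fixed)
    return {"before": before, "remaining": remaining, "html": fixed}

if __name__ == "__main__":
    result = audit()
    for tag, attr, url in result["remaining"]:
        print(f"still insecure: <{tag} {attr}={url!r}> (third-party, fix by hand)")
```

Running it over the sample leaves one finding, the third-party script, which is exactly the kind of embedded object that keeps a page showing the "non-secure objects" icon even after the site's own links have been upgraded.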

Also please note that at the time I am writing this, there is no site. This may change in the future, but for now remains absent.

In This Preceding Posting, I wrote about a bizarre error, according to which the domain name did not resolve properly to my real IP address. As far as I can tell by now, this error was of limited scope. But even so, it seems like such an unlikely error that I feel I may be missing some obscure explanation of what happened. However, the suggestion that the whole resolution which the command

```
host dirkmittler.homeip.net
```

produced was merely a trick which my sleep-deprived mind was playing on me does not wash, and the reason is the fact that this error actually prevented the authentication bots associated with from authenticating my site, simply because the server of this root CA, acting as a client, was unable to connect to my server, under the IP-address which was given.

Yet I do wonder whether somehow, having installed the authentication robots / clients on my machine, might have made this error local, entirely to my machine, temporary as the error was…
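Because an automated validator connects to whatever address the public DNS returns, a resolution error of the kind described above fails the challenge before any certificate is involved. The following is an added example, not code from the original post, of a pre-flight check a Web-master can run before requesting validation: it parses output in the format of the `host` command shown above, compares the addresses against the address the server really has, and can also do a live lookup through the system resolver. The domain name is the one from the post; the expected address 203.0.113.10 and the other addresses are constructed documentation values.

```python
"""Added example, not from the original post: check that a host name
resolves to the address you expect before asking an automated CA validator
to connect to it. If the name resolves elsewhere, the validator's client
reaches the wrong machine and the challenge fails, as the post describes.

The domain name comes from the post; 203.0.113.10 is a constructed
documentation address, not the author's real one."""
import re
import socket

DOMAIN = "dirkmittler.homeip.net"
EXPECTED_IP = "203.0.113.10"   # constructed placeholder for the server's real address

# Matches the answer lines `host` prints, e.g. "name has address 203.0.113.10"
# and "name has IPv6 address 2001:db8::1". Alias lines are ignored.
HOST_LINE = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")

def parse_host_output(text):
    """Return the addresses reported in `host`-style output, in order."""
    addrs = []
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            addrs.append(m.group(2))
    return addrs

def resolve_live(name):
    """Resolve through the system resolver, as the CA's client would.
    Returns a sorted list of unique addresses, or [] if the name does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def check_resolution(addresses, expected):
    """Classify resolver output against the address the server really has."""
    if not addresses:
        return "no-answer"
    if addresses == [expected]:
        return "ok"
    if expected in addresses:
        # A validator may pick any returned address, so extras are a risk.
        return "ok-but-extra-addresses"
    return "wrong-address"

# Constructed `host` output for the two cases the post contrasts.
GOOD_OUTPUT = "dirkmittler.homeip.net has address 203.0.113.10\n"
BAD_OUTPUT = "dirkmittler.homeip.net has address 198.51.100.7\n"

if __name__ == "__main__":
    live = resolve_live(DOMAIN)
    print(f"{DOMAIN} -> {live}: {check_resolution(live, EXPECTED_IP)}")
```

The parse path lets the check be run against output copied from another machine, which is the useful comparison when you suspect, as the post does, that the bad answer might have been local to your own resolver.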

And so the question can crop up as to what, exactly, the purpose of is supposed to be for my server. And the answer is that I wanted from the beginning to be able to embed my Mini-Showcase into my Facebook Page, which I and most other people access via httpS://, and into which I can therefore only embed that refer to httpS:// URLs of my own. And which average Facebook members are supposed to be configured to open easily.

## CACert has tightened its access rules.

One fact which I have sometimes blogged about is that I am a member at CACert.org. This is a certificate authority which has been surrounded by some controversy. Its use is for members to be able to secure their servers by obtaining an SSL certificate, i.e. obtaining an httpS:// URL, without having to pay money to do so.

What happens in the industry is that each httpS:// URL is secured via encryption – in such a way that only the server and browser can decrypt the data – but every public key used needs to be signed by a Certificate Authority, using the authority's private key. There exist Certificate Authorities who charge Web-masters big money for this service. CACert offers it for free.

But for a variety of reasons I won’t go into here, CACert is already not included in most Web browsers' root certificates. In order for any signing chain to be possible, the ‘top’ of the signing chain eventually needs to be a root certificate which is already ‘known to’ and ‘bundled with’ the browser, and which the browser automatically trusts.

A decision which a user can make, however, is to add root certificates to the browser manually and to tell the browser to trust those, at his own risk – the risk of perhaps having the data he is exchanging with the server tapped into, for the very connection he wanted to be secure.

Long story short, in order for anybody to open the CACert Web page itself, which is the link I included above, the user now needs to have not only the CACert root certificate installed, but additionally needs to have their Class 3 certificate installed. Because I only had their root CA installed on some of my browsers, I recently failed to open the link to their actual site, and spent some time troubleshooting what was causing this. They have tightened the security with which their own site can even be accessed, always reverting back to the httpS:// version of the URL, for which we need to have these two certificates installed before their page will open.

As it happens, in order for my own httpS:// URLs to open, I only need to have their root CA installed, but I cannot access their site unless I have both CAs installed. This might sound convenient, but in fact it is not.
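The difference between the two cases above (only the root needed for the author's own site, both the root and the Class 3 certificate needed for cacert.org) comes down to how a browser builds a path from the certificate a server presents up to a trust anchor. The following is an added example, not code from the original post, modelling that path building. It matches issuer names to subject names only and does no signature, validity or constraint checking, so it illustrates the trust-store logic rather than acting as a validator. The certificate names (CACert root, CACert Class 3) are the ones the post mentions; which certificate signs which server, and which chain each server sends, are my assumptions chosen to reproduce the behaviour the post describes.

```python
"""Added example, not from the original post: a simplified model of how a
browser builds a certification path from the server's certificate up to a
trusted root. Name matching only; no signatures, validity periods or
constraints are checked.

Certificate names follow the post; who signed what and which chain each
server sends are assumptions made to reproduce the post's two cases."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

def build_path(leaf, presented, local_intermediates, anchors, max_depth=8):
    """Return the list of subjects from leaf up to a trust anchor, or None.

    presented:           certificates the server sent in the handshake
    local_intermediates: certificates the user installed but does not trust
                         as anchors (how an intermediate such as Class 3 is
                         normally installed)
    anchors:             root certificates the user trusts outright
    """
    by_subject = {}
    for cert in list(presented) + list(local_intermediates) + list(anchors):
        by_subject.setdefault(cert.subject, cert)
    anchor_subjects = {c.subject for c in anchors}

    path = [leaf]
    current = leaf
    for _ in range(max_depth):
        if current.subject in anchor_subjects:
            return [c.subject for c in path]
        if current.subject == current.issuer:
            return None            # self-signed but not a trusted anchor
        issuer_cert = by_subject.get(current.issuer)
        if issuer_cert is None:
            return None            # chain is broken: issuer unknown anywhere
        path.append(issuer_cert)
        current = issuer_cert
    return None                    # path too long; refuse rather than loop

# Assumed certificates (names from the post, relationships assumed).
ROOT = Cert("CACert Root", "CACert Root")
CLASS3 = Cert("CACert Class 3", "CACert Root")
MY_SITE = Cert("dirkmittler.homeip.net", "CACert Root")   # assumed: signed by the root
CACERT_SITE = Cert("www.cacert.org", "CACert Class 3")    # assumed: signed by Class 3

def scenarios():
    """The cases the post contrasts, plus the one that makes Class 3 unnecessary."""
    return {
        # Author's site with only the root installed: path closes.
        "my_site_root_only": build_path(MY_SITE, [MY_SITE], [], [ROOT]),
        # cacert.org presents only its leaf; root alone cannot reach it.
        "cacert_root_only": build_path(CACERT_SITE, [CACERT_SITE], [], [ROOT]),
        # Same, with Class 3 installed locally: path closes via Class 3.
        "cacert_root_and_class3": build_path(CACERT_SITE, [CACERT_SITE], [CLASS3], [ROOT]),
        # If the server itself sent Class 3, the root alone would suffice.
        "cacert_server_sends_class3": build_path(CACERT_SITE, [CACERT_SITE, CLASS3], [], [ROOT]),
        # Nothing from CACert installed: the author's site is unverifiable too.
        "my_site_nothing_installed": build_path(MY_SITE, [MY_SITE], [], []),
    }

if __name__ == "__main__":
    for name, path in scenarios().items():
        print(f"{name}: {' -> '.join(path) if path else 'NO TRUSTED PATH'}")
```

The fourth scenario is the practical point for a site operator: when the server includes its intermediate in the handshake, visitors only need the root, which is the situation the post describes for the author's own URLs.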

If I wanted to invite other people to access my httpS:// URLs, I would also need to invite them to install the root CA from CACert. But in practice, the only way I can do this ethically is to direct them to the CACert site, as above. I would never try to redistribute their root CA myself.

And their site will not open in your browser anymore, unless you have done the research and installed both these CAs yourself.

So this mechanism is now limited to giving me private access to certain parts of my own site.

But I am relieved that CACert has not itself been hacked – so far. It was a bit hard for me to determine what the difficulty was, but it did not turn out to be any sort of hacking of CACert.org.

Dirk

(Edit : ) What I can do in a case like this, is to suggest some http:// URL to you, such as

http://www.cacert.org/certs/root.crt

And I could tell you to use that URL to provide access – to my site and not to CACert. But you would have no way to trust this URL, coming from me. Doing so would be just as non-secure for you as it would be if I simply transferred the cert to you directly. What I can do is suggest a Wiki page to you, which belongs to CACert.org, like so:

http://wiki.cacert.org/FAQ/BrowserClients