Free SSL Certificates

    • It does matter, because if you don't want browser security messages you have to add this CA to your trusted list. That means that you trust EVERY certificate they issue. I won't do that.
      Don't forget: CAs deal with trust.
      For me it would be more secure to use self-signed certificates.

      From this point of view, I also don't yet really understand Let's Encrypt.
      How is the authenticity proved in this case?
    • Wosign is properly owned by the Chinese government, which gives them the possibility to decrypt all information encrypted with a wosign certificate, because they have easy access to your private key.

      A self signed certificate where you keep the private key secret is very hard to decrypt.
      ----------------------------------------------------------------------------------------------
      Software:
      Openmediavault 3.0.42 | omvextrasorg 3.3.16 | Nginx 1.10.1 | ownCloud (9.1)
      Multicraft 2.0 | Wordpress 4.6.1 | Couchdb 1.2.0 | Webmin 1.810

      Hardware:
      Chassis: Fractal Design Node 304
      Board: ASROCK Z87E-ITX
      CPU: Intel Core i5-4670T
      CPU Cooler Noctua NH-U12S
      System storage: 30GB - Kingston SMS200S3/30G
      Data storage: 3 x 4TB - WD Red WD40EFRX 4TB
      RAM: 16GB
      Ethernet Adapter TP-Link TG-3468 (PCIe)
    • You do realize that the Soviet Union doesn't exist anymore right...and that North Korea is fascist and not at all communist...and that the "Communism" of China is basically a farce...and...whatever that's not the point.

      The point is that your private SSL certificate is hugely important and needs to be kept safe, depending on who you want to theoretically be able to snoop on your data which really depends on whether or not they care. I'm pretty sure the Chinese don't care about you. If you happen to be a person of interest for a given government, I wouldn't trust anything they have access to, which very much includes US-based companies like Verisign.

      Also, "I'm not racist but" always leads to a bigoted statement and governments != their people.
    • ikogan wrote:

      Indeed, I don't know about Let's Encrypt, but I would rather add my own trusted CA than someone else's. I use the CA tools provided by pfsense.org/ on my router.


      Let's Encrypt will be cross-signed by IdenTrust, so all their free certificates will be "green" in all well-known browsers.

      Rocologo wrote:

      Wosign is properly owned by the Chinese government, which gives them the possibility to decrypt all information encrypted with a wosign certificate, because they have easy access to your private key.

      A self signed certificate where you keep the private key secret is very hard to decrypt.


      WoSign accepts certificate signing requests, so no private key is involved. I tried it and it worked. For me it's a good choice, because you can get certificates for dyndns hostnames (where you don't own the domain).
    • Rocologo wrote:

      Wosign is properly owned by the Chinese government, which gives them the possibility to decrypt all information encrypted with a wosign certificate, because they have easy access to your private key.

      A self signed certificate where you keep the private key secret is very hard to decrypt.


      The CA has no access to a private key. A CA only attempts to verify the owner of the URL, so they have nothing to do with the encryption provided by the server.

      A currently available option for free certs is StartSSL by StartCom. They provide free certs for a domain and one subdomain and are trusted by pretty much all modern browsers.

      I'm not clear on how it would be possible to include Let's Encrypt with OMV, or how many users of OMV would actually benefit from it, as it would only apply to a domain and one subdomain for that domain, so only servers hosting domains. Personally, I wouldn't include personal or private files on a web server.
      OMV 2.2.14 (Stone burner); Asus M3A78-EM; AMD Athlon 64 FX-62; 8 GB DDR2-800 ECC RAM; 32GB Kingspec KSD-PA25.6-032MS IDE SSD (OS); SanDisk Ultra II 480GB SDSSDHII480G SSD (primary storage); WD Blue 1TB WD10EZEX-00BN5A0 (backup storage).
    • LooR wrote:

      @Enra @Rocologo @tinh_x7
      Wosign cert is already audited and shipped with Firefox.
      bugzilla.mozilla.org/show_bug.cgi?id=851435
      But the funny thing is, the big China CA CNNIC has been shipped with every big browser for years and they really belong to the China Department of Information.
      freedom-to-tinker.com/blog/fel…whether-trust-chinese-ca/


      I didn't know that :) and this is perfect if you trust wosign.

      But my problem with wosign is that they have access to the private key and are Chinese. I don't trust the Chinese government, but with a wosign certificate I'm pretty sure that they are listening to all encrypted traffic. Remember they have "The great firewall of china".
    • LooR wrote:

      @Enra @Rocologo @tinh_x7
      Wosign cert is already audited and shipped with Firefox.
      bugzilla.mozilla.org/show_bug.cgi?id=851435
      But the funny thing is, the big China CA CNNIC has been shipped with every big browser for years and they really belong to the China Department of Information.
      freedom-to-tinker.com/blog/fel…whether-trust-chinese-ca/


      And if you read the article you will see that he mentioned exactly what I'm afraid of:

      To see why this is worrisome, let’s suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC’s status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens’ “secure” web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site. The Chinese citizen would be fooled by the fake Gmail site (having no reason to suspect anything was wrong) and would happily enter his Gmail password into the impostor site, giving the Chinese government free run of the citizen’s email archive.
    • ikogan wrote:

      That still means they're signing those certificates with their CA cert. If you add their CA cert to your browser, then anything else signed with that cert is immediately valid. If they re-issue a cert with your common name, it'll still come up as valid.


      Rocologo wrote:

      LooR wrote:

      @Enra @Rocologo @tinh_x7
      Wosign cert is already audited and shipped with Firefox.
      bugzilla.mozilla.org/show_bug.cgi?id=851435
      But the funny thing is, the big China CA CNNIC has been shipped with every big browser for years and they really belong to the China Department of Information.
      freedom-to-tinker.com/blog/fel…whether-trust-chinese-ca/


      And if you read the article you will see that he mentioned exactly what I'm afraid of:

      To see why this is worrisome, let’s suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC’s status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens’ “secure” web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site. The Chinese citizen would be fooled by the fake Gmail site (having no reason to suspect anything was wrong) and would happily enter his Gmail password into the impostor site, giving the Chinese government free run of the citizen’s email archive.


      That's a general problem of Chain of Trust infrastructure... WoSign could make a duplicate certificate of mine (it wouldn't be the same, as they don't have my private key) and it would be trusted by any browser. But for that you could use certificate pinning, or CA pinning if you trust your favourite CA. CA pinning simplifies cert changes without wait time.
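
Added example, not part of the thread: a shell walk-through of the two points argued above, that a CSR hands the CA only the public key, and that a second certificate issued for the same name passes chain validation but fails a public-key pin. The CA, hostname and file names are constructed for the demo, and `openssl` is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: throwaway CA, keys and hostname are constructed for the demo.
set -eu
W=$(mktemp -d)
HOST=nas.example.test   # hypothetical hostname

# SPKI pin = base64(SHA-256(DER public key)); reads a PEM public key on stdin.
pin()      { openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl base64; }
key_pin()  { openssl pkey -in "$1" -pubout | pin; }
csr_pin()  { openssl req  -in "$1" -noout -pubkey | pin; }
cert_pin() { openssl x509 -in "$1" -noout -pubkey | pin; }

# Stand-in for a CA that the browser already trusts.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
  -keyout "$W/ca.key" -out "$W/ca.crt" 2>/dev/null

# issue NAME: key and CSR are made by the requester; the CA signs the CSR only.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
  openssl x509 -req -in "$W/$1.csr" -CA "$W/ca.crt" -CAkey "$W/ca.key" \
    -CAcreateserial -days 2 -out "$W/$1.crt" 2>/dev/null
}
issue mine        # certificate the server owner asked for
issue duplicate   # second certificate for the same name, with another key

PINNED=$(key_pin "$W/mine.key")   # pin the owner derives from their own key

csr_has_private_key() { grep -q "PRIVATE KEY" "$W/$1.csr"; }
csr_matches_key()     { [ "$(csr_pin "$W/$1.csr")" = "$(key_pin "$W/$1.key")" ]; }
chain_ok()            { openssl verify -CAfile "$W/ca.crt" "$W/$1.crt" >/dev/null 2>&1; }
pin_ok()              { [ "$(cert_pin "$W/$1.crt")" = "$PINNED" ]; }

csr_has_private_key mine && echo "CSR leaks private key" || echo "CSR: public key only"
for c in mine duplicate; do
  chain_ok "$c" && chain=trusted || chain=untrusted
  pin_ok "$c"   && p=match       || p=MISMATCH
  echo "$c.crt chain=$chain pin=$p"
done
```

Pinning the CA's key instead of the leaf's would accept both certificates, which is the price of the easier certificate changes the last post mentions.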