Free SSL Certificates

  • If you are a Chinese dissident, maybe you should use some other. If you are an enemy of the state like Snowden, a Chinese CA will not help you much, but it's better than one from the USA, because a Chinese company doesn't give a fuck about a security letter from there. But for nobodies like you and me I think it doesn't matter ;)

  • It does matter, because if you don't want browser security messages you have to add this CA to your trusted list. That means that you trust EVERY certificate they issue. I won't do that.
    Don't forget: CAs deal with trust.
    For me it would be more secure to use self-signed certificates.


    From this point of view, I also don't yet really understand Let's Encrypt.
    How is the authenticity proved in this case?

  • WoSign is probably owned by the Chinese government, which gives them the possibility to decrypt all information encrypted with a WoSign certificate, because they have easy access to your private key.


    A self-signed certificate where you keep the private key secret is very hard to decrypt.

    ----------------------------------------------------------------------------------------------
    Software:
    Openmediavault 4.1.x.x (Arrakis) | omvextrasorg 3.3.16 | Nginx 1.12.2 | Nextcloud 13.x


    Hardware:
    Chassis: Fractal Design Node 304
    Board: ASROCK Z87E-ITX
    CPU: Intel Core i5-4670T
    CPU Cooler Noctua NH-U12S
    System storage: 30GB - Kingston SMS200S3/30G
    Data storage: 4 x 4TB - WD Red WD40EFRX 4TB
    RAM: 16GB
    Ethernet Adapter TP-Link TG-3468 (PCIe)

  • I agree with Enra and Malefunk, I wouldn't trust the Chinese.
    They're evil geniuses.
    I'm not racist, but based on the worldwide hacking news, and China/North Korea government threats, I don't trust communists or the Soviet Union.

    OMV v5.0
    Asus Z97-A/3.1; i3-4370
    32GB RAM Corsair Vengeance Pro

  • You do realize that the Soviet Union doesn't exist anymore right...and that North Korea is fascist and not at all communist...and that the "Communism" of China is basically a farce...and...whatever that's not the point.


    The point is that your private SSL certificate is hugely important and needs to be kept safe, depending on who you want to theoretically be able to snoop on your data which really depends on whether or not they care. I'm pretty sure the Chinese don't care about you. If you happen to be a person of interest for a given government, I wouldn't trust anything they have access to, which very much includes US-based companies like Verisign.


    Also, "I'm not racist but" always leads to a bigoted statement and governments != their people.

  • Indeed, I don't know about Let's Encrypt, but I would rather add my own trusted CA than someone else's. I use the CA tools provided by https://www.pfsense.org/ on my router.


    Let's Encrypt will be cross-signed by IdenTrust, so all their free certificates will be "green" in all well-known browsers.


    WoSign is probably owned by the Chinese government, which gives them the possibility to decrypt all information encrypted with a WoSign certificate, because they have easy access to your private key.


    A self-signed certificate where you keep the private key secret is very hard to decrypt.


    WoSign accepts certificate signing requests, so no private key is involved. I tried it and it worked. For me it's a good choice, because you can get certificates for DynDNS hostnames (where you don't own the domain).

  • That still means they're signing those certificates with their CA cert. If you add their CA cert to your browser, then anything else signed with that cert is immediately valid. If they re-issue a cert with your common name, it'll still come up as valid.

  • WoSign is probably owned by the Chinese government, which gives them the possibility to decrypt all information encrypted with a WoSign certificate, because they have easy access to your private key.


    A self-signed certificate where you keep the private key secret is very hard to decrypt.


    The CA has no access to a private key. A CA only attempts to verify the owner of the URL, so they have nothing to do with the encryption provided by the server.


    A currently available option for free certs is StartSSL by StartCom. They provide free certs for a domain and one subdomain and are trusted by pretty much all modern browsers.


    I'm not clear on how it would be possible to include Let's Encrypt with OMV, or how many users of OMV would actually benefit from it, as it would only apply to a domain and one subdomain for that domain, so only servers hosting domains. Personally, I wouldn't include personal or private files on a web server.

    OMV 5.6.26-1 (Usul); Shuttle XPC SH67H3; Intel Core i5-2390T; 8 GB DDR3-1333 RAM; 128GB SanDisk Z400s SSD (OS); Samsung 860 EVO 1TB (primary storage); WD Red 2TB (backup and archive storage).

  • @Enra @Rocologo @tinh_x7
    WoSign's cert is already audited and shipped with Firefox.
    https://bugzilla.mozilla.org/show_bug.cgi?id=851435
    But the funny thing is, the big Chinese CA CNNIC has been shipped with every big browser for years, and they really belong to the China Department of Information.
    https://freedom-to-tinker.com/…whether-trust-chinese-ca/


    I didn't know that :) and this is perfect if you trust wosign.


    But my problem with WoSign is that they have access to the private key and are Chinese. I don't trust the Chinese government, and with a WoSign certificate I'm pretty sure that they are listening to all encrypted traffic. Remember they have "The Great Firewall of China".


  • @Enra @Rocologo @tinh_x7
    WoSign's cert is already audited and shipped with Firefox.
    https://bugzilla.mozilla.org/show_bug.cgi?id=851435
    But the funny thing is, the big Chinese CA CNNIC has been shipped with every big browser for years, and they really belong to the China Department of Information.
    https://freedom-to-tinker.com/…whether-trust-chinese-ca/


    And if you read the article you will see that he mentions exactly what I'm afraid of:


    To see why this is worrisome, let’s suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC’s status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens’ “secure” web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site. The Chinese citizen would be fooled by the fake Gmail site (having no reason to suspect anything was wrong) and would happily enter his Gmail password into the impostor site, giving the Chinese government free run of the citizen’s email archive.


  • That still means they're signing those certificates with their CA cert. If you add their CA cert to your browser, then anything else signed with that cert is immediately valid. If they re-issue a cert with your common name, it'll still come up as valid.


    And if you read the article you will see that he mentions exactly what I'm afraid of:


    To see why this is worrisome, let’s suppose, just for the sake of argument, that CNNIC were a puppet of the Chinese government. Then CNNIC’s status as a trusted CA would give it the technical power to let the Chinese government spy on its citizens’ “secure” web connections. If a Chinese citizen tried to make a secure connection to Gmail, their connection could be directed to an impostor Gmail site run by the Chinese government, and CNNIC could give the impostor a cert saying that the government impostor was the real Gmail site. The Chinese citizen would be fooled by the fake Gmail site (having no reason to suspect anything was wrong) and would happily enter his Gmail password into the impostor site, giving the Chinese government free run of the citizen’s email archive.


    That's a general problem of the chain-of-trust infrastructure... WoSign could make a duplicate certificate of mine (it wouldn't be the same, as they don't have my private key) and it would be trusted by any browser. But for that you could use certificate pinning. Or CA pinning, if you trust your favourite CA. CA pinning simplifies certificate changes without waiting time.
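    The two technical points made in this thread, that a certificate signing request keeps the private key on the server (so the CA never holds anything that could decrypt its traffic) and that any CA in the trust store can still issue a browser-valid certificate for the same name unless the client pins the server's key or restricts which CA it trusts, as an added example in Go. This is not code from the forum or from OpenMediaVault; it uses only the Go standard library, and the two roots, the hostname nas.example.net and every key in it are constructed inside the program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// must keeps the setup short: any key or certificate construction error is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// newCA builds a self-signed root; both roots used below are constructed for this example.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// newCSR is the operator's local step: the private key stays on the server,
// only the public key and the requested name are handed to the CA.
func newCSR(host string, key *ecdsa.PrivateKey) *x509.CertificateRequest {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	der := must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))
	return must(x509.ParseCertificateRequest(der))
}

// issue signs a server certificate from a CSR; the CA only ever handles csr.PublicKey.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csr *x509.CertificateRequest, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo (the HPKP "pin-sha256"
// format). It identifies the server's key, not whichever CA signed the certificate.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verify does what a browser does (chain to a trusted root, name check) and,
// when pin is non-empty, additionally requires the leaf to carry the pinned key.
func verify(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err
	}
	if pin != "" && spkiPin(leaf) != pin {
		return fmt.Errorf("public key pin mismatch for %s", host)
	}
	return nil
}

// Result records which check accepted which certificate.
type Result struct {
	CSRKeyMatches   bool // the CSR carries exactly the server's public key
	RealChainOK     bool // genuine cert, trust store holding both roots
	ImpostorChainOK bool // same-name cert from the other root, same trust store
	RealPinOK       bool // genuine cert, SPKI pin enforced
	ImpostorPinOK   bool // impostor cert, SPKI pin enforced
	ImpostorCAPinOK bool // impostor cert, trust store limited to the chosen root
}

func runScenario() Result {
	const host = "nas.example.net" // constructed hostname
	serverKey := newKey()
	csr := newCSR(host, serverKey)
	chosenCA, chosenKey := newCA("Chosen CA")
	otherCA, otherKey := newCA("Other Trusted CA")
	realCert := issue(chosenCA, chosenKey, csr, 2)
	// Any other trusted CA can issue for the same name with a key of its own.
	impostorCert := issue(otherCA, otherKey, newCSR(host, newKey()), 3)
	both, onlyChosen := x509.NewCertPool(), x509.NewCertPool()
	both.AddCert(chosenCA)
	both.AddCert(otherCA)
	onlyChosen.AddCert(chosenCA)
	pin := spkiPin(realCert)
	return Result{
		CSRKeyMatches:   serverKey.PublicKey.Equal(csr.PublicKey),
		RealChainOK:     verify(realCert, both, host, "") == nil,
		ImpostorChainOK: verify(impostorCert, both, host, "") == nil,
		RealPinOK:       verify(realCert, both, host, pin) == nil,
		ImpostorPinOK:   verify(impostorCert, both, host, pin) == nil,
		ImpostorCAPinOK: verify(impostorCert, onlyChosen, host, "") == nil,
	}
}
```

    Wrap runScenario() in a main and print the struct: the CSR's public key matches the server's key, both the genuine and the impostor certificate pass ordinary chain validation as long as both roots are trusted, and only the SPKI pin (or a trust store limited to the chosen root, which is what the CA pinning above amounts to) rejects the impostor. Browsers have since dropped HPKP, but the same SPKI pin check is what pinned client applications still do.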
