<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Free SSL certs are a great thing, and in that spirit I extend to you my half-hearted support for calling on [whoever] to issue free certificates.<div><br></div><div>My support is half-hearted, however, because money is not the only problem with X.509.</div><div><br></div><div>The main problem with X.509 is that it is insecure.</div><div><br></div><div>X.509 is fundamentally broken. It cannot be patched.</div><div><br></div><div>We need to replace X.509 with something that actually offers security and usability to users and sysadmins alike.</div><div><br></div><div>The blockchain is the best known solution as far as replacements for X.509 go.</div><div><br></div><div>See more info in this README:</div><div><br></div><div><a href="https://github.com/okTurtles/dnschain/blob/master/README.md">https://github.com/okTurtles/dnschain/blob/master/README.md</a></div><div><br></div><div>Kind regards,</div><div>Greg Slepak<br><div>
<br><span>--</span><br><span>Please do not email me anything that you are not comfortable also sharing with the NSA.</span>
</div>
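<div>Daniel's message quoted below starts from a look through the default root certificate stores of the major browsers and operating systems. The following is an added example, not code from either poster: a small standard-library Python helper that performs that kind of audit against whatever trust store the local ssl module loads, listing the roots whose organizationName matches a substring together with the days left until they expire. The function names are mine, and the SAMPLE_CERTS entries are constructed placeholders in the shape returned by SSLContext.get_ca_certs(), not real roots.</div>

```python
"""Audit the CA roots the local ssl module trusts: list the ones whose
organizationName matches a substring, with the days until each expires."""
import ssl
import time


def subject_field(cert, field):
    """Return the first value of `field` (e.g. "organizationName") from the
    subject of a certificate dict as returned by SSLContext.get_ca_certs().
    The subject is a tuple of RDNs, each a tuple of (attribute, value) pairs."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == field:
                return value
    return None


def find_roots(certs, org_substring, now=None):
    """Return [(organizationName, commonName, days_until_expiry), ...] for every
    certificate whose organizationName contains `org_substring` (case-insensitive),
    sorted so the soonest-expiring roots (negative days = already expired) come first."""
    if now is None:
        now = time.time()
    needle = org_substring.lower()
    hits = []
    for cert in certs:
        org = subject_field(cert, "organizationName") or ""
        if needle not in org.lower():
            continue
        # stdlib parser for the 'Mon DD HH:MM:SS YYYY GMT' strings ssl hands back
        expires = ssl.cert_time_to_seconds(cert["notAfter"])
        days_left = int((expires - now) // 86400)
        hits.append((org, subject_field(cert, "commonName"), days_left))
    return sorted(hits, key=lambda hit: hit[2])


def system_roots():
    """The roots Python's default context actually loads on this host.
    Caveat: certificates that live in a capath directory are loaded lazily by
    OpenSSL and only appear here once they have been used, so a short list may
    reflect the lookup mechanism rather than a small trust store."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


# Constructed sample entries (not real roots) so the helper runs offline.
SAMPLE_CERTS = [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Example Online Inc."),),
                 (("commonName", "Example Online Root CA 1"),)),
     "notBefore": "Jan  1 00:00:00 2000 GMT",
     "notAfter": "Jan 11 00:00:00 2030 GMT"},
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Example Online Inc."),),
                 (("commonName", "Example Online Root CA 2"),)),
     "notBefore": "Jan  1 00:00:00 2000 GMT",
     "notAfter": "Jan  1 00:00:00 2020 GMT"},
    {"subject": ((("organizationName", "Other Trust Services"),),
                 (("commonName", "Other Root"),)),
     "notBefore": "Jan  1 00:00:00 2000 GMT",
     "notAfter": "Jan  1 00:00:00 2040 GMT"},
]


if __name__ == "__main__":
    roots = system_roots()
    print(f"{len(roots)} roots loaded from the system trust store")
    # Fall back to the constructed sample when the host has no bundle loaded.
    for org, cn, days in find_roots(roots or SAMPLE_CERTS, "example"):
        status = "EXPIRED" if days < 0 else f"{days} days left"
        print(f"{org:28} {cn:28} {status}")
```

<div>On a real host, pass a CA's organisation name to find_roots(system_roots(), ...) to see which of its roots your Python (and so, typically, your distribution's OpenSSL bundle) trusts and how long they remain valid; an already-expired root shows up with a negative day count instead of silently disappearing.</div>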
<br><div><div>On Aug 18, 2014, at 7:13 PM, Daniel Roesler &lt;<a href="mailto:diafygi@gmail.com">diafygi@gmail.com</a>&gt; wrote:</div><br><blockquote type="cite">Howdy all, I'm not sure if this is within the scope of this forum, so<br>please ignore it if it is.<br><br>A month ago, I proposed that Firefox should change its generic http<br>icon to be a broken lock[1]. This would offer a bit of negative<br>feedback for websites that do not use https and hopefully encourage<br>them to switch to https. This was obviously a big ask, and it sparked<br>quite extensive discussions in both the Mozilla[2] and Chromium[3]<br>security mailing lists. Most people were sympathetic to the goal, but<br>the bug eventually got closed as Verified Wontfix.<br><br>Anyway, two of the recurring arguments against the proposal were:<br><br>1) SSL Certificates are expensive.<br>2) Certificate Authorities are a racket.<br><br>I don't necessarily see these as deal breakers to being more<br>aggressive with https adoption, but I can understand where these<br>arguments are coming from. StartCom offers a free certificate, but you<br>have to pay to have it revoked, and a lot of people got burned on that<br>during Heartbleed (including me). I'm not aware of anyone else who<br>offers a free SSL Certificate, even with the revocation gotcha. So I<br>can see how the perception is that certs are a cost that isn't worth<br>it for your personal blog or random side project site. Also, I can<br>sympathize with the perception that CAs are a racket because they all<br>come across as pretty scammy with their upsells and add-ons that don't<br>actually add much.<br><br>Unfortunately, it seems like any sort of PKI alternative is years if<br>not decades away, so I began brainstorming short-to-mid-term solutions<br>to this problem.<br><br>I started by looking at the default root certificate repositories that<br>the major browsers and operating systems use. 
They are mostly your<br>regular list of CAs and governments, but there's one name that popped<br>out as unique: AOL.<br><br>America Online has two legacy certificates[4] in the Microsoft[5],<br>Apple[6], NSS[7], and Android[8] default list of root CAs. I'm<br>assuming this is from back when AIM was all the rage, but remarkably<br>AOL has been keeping up the audits[9] for them. Does anyone have any<br>more info on the history of these certs?<br><br>I think this might be a great opportunity to address the two problems<br>above. Could AOL start offering free SSL Certificates?<br><br>Pros:<br>1) Their root certificates are already in everyone's list (backwards<br>compatibility).<br>2) Their core business model is not issuing certificates (not seen as a racket).<br>3) They would get huge press coverage for being a "savior of HTTPS"<br>or some such spin (positive spotlight for AOL).<br>4) There would now be competition in the free SSL cert market (maybe<br>other CAs would start offering free options, too).<br><br>Cons:<br>1) This would be a cost for AOL. Perhaps other tech companies could<br>partner with them to subsidize the cost of issuing the certificate?<br>Perhaps there could be a kickstarter to pay for the costs? Perhaps AOL<br>could spin off a non-profit foundation or donate the certificates to<br>Mozilla?<br>2) Unforeseen technical problems associated with starting to chain to a<br>certificate that hasn't been in active use for a long time. I have no<br>idea what these could be. Thoughts?<br>3) SSL certs would likely be issued with no warranty (since they are<br>free). Not a deal breaker in my opinion, because the scope for these<br>could be for non-commercial use.<br><br>Anyway, just tossing out this idea for feedback. There's no sense in<br>pursuing this further if there are technical reasons making this<br>impossible. 
Also, does anyone know anyone who works at AOL?<br><br>-Daniel<br><br>[1] - <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1041087">https://bugzilla.mozilla.org/show_bug.cgi?id=1041087</a><br>[2] - <a href="https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/iU86qMOwvWs">https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/iU86qMOwvWs</a><br>[3] - <a href="https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/rGM2oiKZqZU">https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/rGM2oiKZqZU</a><br>[4] - <a href="https://pki-info.aol.com/AOL/">https://pki-info.aol.com/AOL/</a><br>[5] - <a href="https://social.technet.microsoft.com/wiki/contents/articles/14216.windows-and-windows-phone-8-ssl-root-certificate-program-april-2012-a-d.aspx">https://social.technet.microsoft.com/wiki/contents/articles/14216.windows-and-windows-phone-8-ssl-root-certificate-program-april-2012-a-d.aspx</a><br>[6] - <a href="http://support.apple.com/kb/HT5012">http://support.apple.com/kb/HT5012</a><br>[7] - <a href="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/">https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/</a><br>[8] - <a href="https://android.googlesource.com/platform/libcore/+/master/luni/src/main/files/cacerts/2fb1850a.0">https://android.googlesource.com/platform/libcore/+/master/luni/src/main/files/cacerts/2fb1850a.0</a><br>[9] - <a href="https://pki-info.aol.com/AOL/2013_AOLRoot_Audit_Attestation.pdf">https://pki-info.aol.com/AOL/2013_AOLRoot_Audit_Attestation.pdf</a><br>_______________________________________________<br>Messaging mailing list<br><a href="mailto:Messaging@moderncrypto.org">Messaging@moderncrypto.org</a><br>https://moderncrypto.org/mailman/listinfo/messaging<br></blockquote></div><br></div></body></html>