[messaging] Proposal: AOL should start offering free SSL Certificates

Mon Aug 18 17:25:19 PDT 2014

Free SSL certs is a great thing, and in that spirit I extend to you my half-hearted support for calling on [whoever] to issue free certificates.

My support is half-hearted, however, because money is not the only problem with X.509.

The main problem with X.509 is that it is insecure.

X.509 is fundamentally broken. It cannot be patched.

We need to replace X.509 with something that actually offers security and usability to users and sysadmins alike.

The blockchain is the best known solution as far as replacements for X.509 go.

See more info in this README:

https://github.com/okTurtles/dnschain/blob/master/README.md

Kind regards,
Greg Slepak

--
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Aug 18, 2014, at 7:13 PM, Daniel Roesler <diafygi at gmail.com> wrote:

> Howdy all, I'm not sure if this is within the scope of this forum, so
> please ignore it if it is.
> 
> A month ago, I proposed that Firefox should change its generic http
> icon to be a broken lock[1]. This would offer a bit of negative
> feedback for websites that do not use https and hopefully encourage
> them switching to https. This was obviously a big ask, and it sparked
> quite extensive discussions in both the Mozilla[2] and Chromium[3]
> security mailing lists. Most people were sympathetic to the goal, but
> the bug eventually got closed as Verified Wontfix.
> 
> Anyway, two of the recurring arguments against the proposal were:
> 
> 1) SSL Certificates are expensive.
> 2) Certificate Authorities are a racket.
> 
> I don't necessarily see these as deal breakers to being more
> aggressive with https adoption, but I can understand where these
> arguments are coming from. StartCom offers a free certificate, but you
> have to pay to have it revoked, and a lot people got burned on that
> during Heartbleed (including me). I'm not aware of anyone else who
> offers a free SSL Certificate, even with the revocation gotcha. So I
> can see how the perception is that certs are a cost that isn't worth
> it for your personal blog or random side project site. Also, I can
> sympathize with the perception that CAs are racket because they all
> come across as pretty scammy with their upsells and add-ons that don't
> actually add much.
> 
> Unfortunately, it seems like any sort of PKI alternative is years if
> not decades away, so I began brainstorming short-to-mid-term solutions
> to this problem.
> 
> I started by looking at the default root certificate repositories that
> the major browsers and operating systems use. They are mostly your
> regular list of CAs and governments, but there's one name that popped
> out as unique: AOL.
> 
> America Online has two legacy certificates[4] in the Microsoft[5],
> Apple[6], NSS[7], and Android[8] default list of root CAs. I'm
> assuming this is from back when AIM as all the rage, but remarkably
> AOL has been keeping up the audits[9] for them. Does anyone have any
> more info on the history of these certs?
> 
> I think might be a great opportunity to address the two problems
> above. Could AOL start offering free SSL Certificates?
> 
> Pros:
> 1) Their root certificates are already in everyone's list (backwards
> compatibility).
> 2) Their core business model is not issuing certificates (not seen as a racket).
> 3) They would get a huge press coverage for being a "savior of HTTPS"
> or some such spin (positive spotlight for AOL).
> 4) There would now be competition in the free SSL cert market (maybe
> other CAs would start offering free options, too).
> 
> Cons:
> 1) This would be a cost for AOL. Perhaps other tech companies could
> partner with them to subsidize the cost of issuing the certificate?
> Perhaps there could be kickstarter to pay for the costs? Perhaps AOL
> could spin off a non-profit foundation or donate the certificates to
> Mozilla?
> 2) Unforseen technical problems associated with starting to chain to a
> certificate that hasn't been in active use for a long time. I have no
> idea what these could be. Thoughts?
> 3) SSL certs would likely be issued with no warranty (since they are
> free). Not a deal breaker in my opinion, because the scope for these
> could be for non-commercial use.
> 
> Anyway, just tossing out this idea for feedback. There's no sense in
> pursuing this further if there's technical reasons making this
> impossible. Also, does anyone know anyone who works at AOL?
> 
> -Daniel
> 
> [1] - https://bugzilla.mozilla.org/show_bug.cgi?id=1041087
> [2] - https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/iU86qMOwvWs
> [3] - https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/rGM2oiKZqZU
> [4] - https://pki-info.aol.com/AOL/
> [5] - https://social.technet.microsoft.com/wiki/contents/articles/14216.windows-and-windows-phone-8-ssl-root-certificate-program-april-2012-a-d.aspx
> [6] - http://support.apple.com/kb/HT5012
> [7] - https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/
> [8] - https://android.googlesource.com/platform/libcore/+/master/luni/src/main/files/cacerts/2fb1850a.0
> [9] - https://pki-info.aol.com/AOL/2013_AOLRoot_Audit_Attestation.pdf
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140818/5a23ff3f/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140818/5a23ff3f/attachment.sig>