[Cialug] TLS Cert validity?

Matthew Nuzum newz at bearfruit.org
Thu Feb 3 16:49:31 CST 2011


On Thu, Feb 3, 2011 at 1:21 PM, L. V. Lammert <lvl at omnitec.net> wrote:

> At 01:08 PM 2/3/2011, you wrote:
> >TLS does not care if the cert has expired.
>
> That would explain the situation, .. thanks!
>
> >There are a lot of cheap certificates available, but not all the
> >cheap ones are recognized by all browsers (ask me how I know).  Do
> >your homework if it is a public-facing cert.
>
> Having dealt with GeoTrust on a renewal last month (they don't
> provide the intermediate cert with a renewal!), .. have you ever
> tried Startcom? What do you consider the best cost/browser validation
> source?
>
>
I've used http://cert.startcom.org/ and it works fine for the purposes I've
tried it for.

Remember that properly configured SSL serves two purposes:

 1. Provide an encrypted connection
 2. Verify the identity of who you are connecting to

Self-signed SSL only does the first. If you get an e-mail from some company
that says it is paypal and you click the link (don't do that) how will you
know if it's really paypal? You check the name on the cert. If the cert is
trusted by your browser and it says that you're dealing with paypal then
you're on the right site.

In today's world of phishing and spoofing and bad stuff, trust is pretty
important. IMHO. I use commercial certs for things I care about.

As a side note, we discussed ssl performance on the list in Dec. 2048-bit
commercial certs can provide much better performance than other certs.

-- 
Matthew Nuzum
newz2000 on freenode, skype, linkedin, identi.ca and twitter

"An investment in knowledge pays the best interest." -Benjamin Franklin
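
The two purposes listed in the message above, shown as an added example that is not part of the original post: a Python client context that only encrypts next to one that also verifies identity, plus the checks that identity verification performs on a certificate. The certificate dicts, host names and dates are constructed samples, and the function names are hypothetical.

```python
import ssl

# Constructed samples in the dict shape returned by SSLSocket.getpeercert();
# every name and date below is made up for illustration.
SELF_SIGNED = {
    "subject": ((("commonName", "mail.example.org"),),),
    "issuer": ((("commonName", "mail.example.org"),),),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2011 GMT",
    "subjectAltName": (("DNS", "mail.example.org"),),
}
CA_ISSUED = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2012 GMT",
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "example.org")),
}

def encryption_only_context():
    """Purpose 1 only: traffic is encrypted, any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def verifying_context():
    """Purposes 1 and 2: chain, validity dates and host name are all checked."""
    return ssl.create_default_context()

def identity_problems(cert, hostname, now):
    """List why `cert` does not prove the peer is `hostname` at time `now`."""
    problems = []
    # Heuristic: subject == issuer means nobody else vouches for the name.
    if cert["subject"] == cert["issuer"]:
        problems.append("self-signed")
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        problems.append("outside validity period")
    # Simplification: exact DNS name match only, no wildcard handling.
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if hostname.lower() not in names:
        problems.append("name mismatch")
    return problems

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Feb  3 22:49:31 2011 GMT")  # constructed
    for cert, host in ((SELF_SIGNED, "mail.example.org"), (CA_ISSUED, "www.example.org")):
        print(host, identity_problems(cert, host, now) or "ok")
```

A connection made with `encryption_only_context()` succeeds against either sample certificate, which is why the problems reported for the self-signed one go unnoticed unless the client verifies.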