That seems to be a fair tradeoff. If you want to have a cert from a U.S. company that knows who you are beyond a shadow of a doubt before issuing the cert, buy from Verisign, for somewhere around us$350 or so. If you want to buy from a South African company that does less in the way of due diligence and charges less, buy from Thawte for us$125. If you want to buy a GeoTrust cert from a company that verifies you can be reached at your domain and that you have the rights to the domain as enumerated in your registrar's whois database, buy from me for us$99 <smile>.

[ I thought Verisign owned Thawte - maybe I missed something way back ]

He says that GeoTrust sells wildcard certs on a per-server basis, but hasn't given me a price on a cert good for 250 subdomains on one RaQ4; I bet it's going to be over $400 that you can get from GeoTrust.

[ I called GeoTrust and the Wildcard is $500 not $400 and it is for unlimited subdomains. Just wanted to pass that on ]

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 21, 2002 2:22 PM
Subject: cobalt-security digest, Vol 1 #680 - 4 msgs

Send cobalt-security mailing list submissions to
    [EMAIL PROTECTED]

To subscribe or unsubscribe via the World Wide Web, visit
    http://list.cobalt.com/mailman/listinfo/cobalt-security
or, via email, send a message with subject or body 'help' to
    [EMAIL PROTECTED]

You can reach the person managing the list at
    [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific than "Re: Contents of cobalt-security digest..."

Today's Topics:

   1. Re: self signed certificate warnings (Jeff Lasman)
   2. Re: self signed certificate warnings (Jeff Lasman)
   3. Re: Securing Admin Pages (Jeff Lasman)
   4. Re: self signed certificate warnings (AYoung@Home)

--__--__--

Message: 1
Date: Thu, 21 Feb 2002 10:27:24 -0800
From: Jeff Lasman <[EMAIL PROTECTED]>
Organization: nobaloney.net
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] self signed certificate warnings
Reply-To: [EMAIL PROTECTED]

Eugene Crosser wrote:

> Usually you do not need a wildcard certificate. This is not
> advertised, but browsers (most of them?) do a "suffix match"
> on the CNAME. That is, purchase a certificate for "xyz.com",
> and use it on the servers abc.xyz.com, def.xyz.com,
> ghi.xyz.com - browsers will think that the name matches OK.

Eugene,

Please let us know which browsers do this; it's not enough to know that "browsers" will break the rules when it comes to domain certification. In fact it's dangerous behavior; I'd not want to use a browser that did it.

> But I was talking about a *different* thing: that you can
> buy a certificate that entitles you as a ("local") CA,
> so that you can issue site certificates yourself.

That's a lot of money. The last time I looked it was over us$10,000.

> I'd like to add that this whole CA business makes
> me uneasy. Essentially, it is about making money out of
> thin air (noticeable income for a thing that requires near
> zero work). As such, it inevitably attracts the lovers
> of easy money rather than trustworthy businesses. Which
> defeats the whole idea of a CA as a 100% trusted entity.

When Verisign first went into the business they earned their money; they went through a lot of hoops to make sure the company was who it said it was.

Now Thawte does less and charges less. GeoTrust does still less and charges still less.

That seems to be a fair tradeoff. If you want to have a cert from a U.S. company that knows who you are beyond a shadow of a doubt before issuing the cert, buy from Verisign, for somewhere around us$350 or so. If you want to buy from a South African company that does less in the way of due diligence and charges less, buy from Thawte for us$125. If you want to buy a GeoTrust cert from a company that verifies you can be reached at your domain and that you have the rights to the domain as enumerated in your registrar's whois database, buy from me for us$99 <smile>.

Jeff
--
Jeff Lasman <[EMAIL PROTECTED]>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 778-9980 * fax: (702) 548-9484

--__--__--

Message: 2
Date: Thu, 21 Feb 2002 10:30:07 -0800
From: Jeff Lasman <[EMAIL PROTECTED]>
Organization: nobaloney.net
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] self signed certificate warnings
Reply-To: [EMAIL PROTECTED]

Matthew Nuzum wrote:

> Thanks, these are some good points.

> I am open to a wildcard cert for $400, and asked that if anyone had a
> recommendation, to give it.

Did you get the spam from the guy at Thawte who reads the list? I've written him back and asked him to prove his product is better. He says I can get Thawte certs for only a dollar more, but if I buy them for a dollar more I couldn't sell them for the same, now could I <smile>.

He says that GeoTrust sells wildcard certs on a per-server basis, but hasn't given me a price on a cert good for 250 subdomains on one RaQ4; I bet it's going to be over $400 that you can get from GeoTrust.

> As far as this "local" ca is concerned, I am creating a somewhat "low
> end" solution here and simply want to avoid some of the error messages
> people are getting.

Exactly. I've never run into a client that cares who the cert is issued by as long as it works.

Jeff
--
Jeff Lasman <[EMAIL PROTECTED]>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 778-9980 * fax: (702) 548-9484

--__--__--

Message: 3
Date: Thu, 21 Feb 2002 10:47:35 -0800
From: Jeff Lasman <[EMAIL PROTECTED]>
Organization: nobaloney.net
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] Securing Admin Pages
Reply-To: [EMAIL PROTECTED]

Declan Caulfield wrote:

> However, this offers just a little more security, as if you sniff the admin
> password and use it to log in to the admin pages via HTTP:81 a would-be
> hacker can change both the root and admin passwords using the Administrator
> button.

Why would you or anyone send your password in clear text when all you have to do is self-issue a cert to get 128-bit ssl protection?

> Rule of thumb, change your admin password regularly.

Rule of thumb, don't use http; use a secure cert (even a self-signed one) and https.

Jeff
--
Jeff Lasman <[EMAIL PROTECTED]>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 778-9980 * fax: (702) 548-9484

--__--__--

Message: 4
Date: Thu, 21 Feb 2002 14:06:15 -0500
Subject: Re: [cobalt-security] self signed certificate warnings
From: "AYoung@Home" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]

on 2/21/02 1:27 PM, Jeff Lasman at [EMAIL PROTECTED] wrote:

> When Verisign first went into the business they earned their money; they
> went through a lot of hoops to make sure the company was who it said it
> was.
>
> Now Thawte does less and charges less. GeoTrust does still less and
> charges still less.
>
> That seems to be a fair tradeoff. If you want to have a cert from a
> U.S. company that knows who you are beyond a shadow of a doubt before
> issuing the cert, buy from Verisign, for somewhere around us$350 or so.
> If you want to buy from a South African company that does less in the
> way of due diligence and charges less, buy from Thawte for us$125. If
> you want to buy a GeoTrust cert from a company that verifies you can be
> reached at your domain and that you have the rights to the domain as
> enumerated in your registrar's whois database, buy from me for us$99
> <smile>.
>

Actually Thawte was bought out by Verisign in either 1999 or 2000. You can read about the Thawte/Verisign merger.

http://thawte.com/corporate/vsfaq.html

Alisa

--__--__--

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security

End of cobalt-security Digest
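The disagreement in Message 1 between Eugene's "suffix match" and Jeff's objection comes down to how a client compares the hostname it connected to against the names in the certificate. The following is an added example, not code from the list or from any of the CAs named in it; it implements the strict per-label matching that the later RFC 6125 standardised (wildcard only as the whole leftmost label, matching exactly one label, never the bare domain) beside the naive suffix check, so the over-acceptance Jeff calls dangerous is visible on the thread's own hostnames. The two certificate dictionaries are constructed stand-ins for a parsed subject CN and SAN list.

```python
"""Hostname verification: strict per-label matching vs. 'suffix match'.

Added example (not from the cobalt-security list). The certificate
records below are constructed; a real checker would read the CN and
subjectAltName dNSName entries out of the parsed X.509 certificate.
"""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def strict_match(pattern: str, hostname: str) -> bool:
    """Does certificate name `pattern` cover `hostname` under the strict rules?

    * comparison is case-insensitive and label by label;
    * a wildcard is accepted only as the entire leftmost label ("*.xyz.com");
    * the wildcard stands for exactly one label: not zero, not several;
    * patterns like "*.com" that would cover a whole TLD are refused.
    """
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h                      # plain name: exact label match only
    if p[0] != "*" or any("*" in lab for lab in p[1:]):
        return False                       # wildcard must be the whole first label
    if len(p) < 3:
        return False                       # refuse "*.com"-style patterns
    return len(p) == len(h) and p[1:] == h[1:]


def suffix_match(pattern: str, hostname: str) -> bool:
    """The behaviour described in the thread: accept any hostname ending in
    the certificate's name. Kept only to show what it wrongly accepts."""
    return hostname.lower().endswith(pattern.lower())


def cert_covers(cert: dict, hostname: str, matcher=strict_match) -> bool:
    """Check `hostname` against the SAN dNSName list; fall back to the
    subject CN only when the certificate carries no SAN entries."""
    names = cert.get("san_dns") or [cert["cn"]]
    return any(matcher(name, hostname) for name in names)


# Constructed certificate records (CN plus SAN dNSName entries).
BASE_DOMAIN_CERT = {"cn": "xyz.com", "san_dns": []}              # cert for the bare domain
WILDCARD_CERT = {"cn": "*.xyz.com", "san_dns": ["*.xyz.com", "xyz.com"]}

SAMPLE_HOSTS = ["xyz.com", "abc.xyz.com", "a.b.xyz.com", "notxyz.com"]


def comparison_table(cert: dict) -> list[tuple[str, bool, bool]]:
    """Return (hostname, strict_result, suffix_result) for each sample host."""
    return [
        (h, cert_covers(cert, h), cert_covers(cert, h, matcher=suffix_match))
        for h in SAMPLE_HOSTS
    ]


if __name__ == "__main__":
    for label, cert in (("xyz.com cert", BASE_DOMAIN_CERT), ("*.xyz.com cert", WILDCARD_CERT)):
        print(f"{label}:")
        print(f"  {'hostname':<14}{'strict':<8}suffix")
        for host, strict, suffix in comparison_table(cert):
            print(f"  {host:<14}{str(strict):<8}{suffix}")
```

With the bare `xyz.com` certificate the strict matcher accepts only `xyz.com` itself, while the suffix check accepts `abc.xyz.com`, `a.b.xyz.com` and, because it is a plain string comparison, even `notxyz.com`. The wildcard certificate covers `abc.xyz.com` but not `a.b.xyz.com`, which is why a wildcard is what you actually need for per-customer subdomains on one box.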
