
Re: [tor-talk] "Confidant Mail"



Just for the story about startssl: unlike Confidant Mail, which should use https, I think (despite the fact that they don't trust it, like all of us, it's still better than nothing), I have explained several times here why we could not use https to retrieve the Peersm code.

There was an artifice where the js code was retrieved using https inside an http page with an additional key mechanism, which of course is of little use but, again, still better than nothing.

Now, when the time came to renew this startssl certificate some months ago, unfortunately the Peersm site was tagged as infected by Google safebrowsing for some days, and then startssl did not want to renew the certificate.

I contacted Google safebrowsing's team, since it's impossible that the Peersm site got infected by anything other than the Peersm app code itself (or Google itself via yt), where I think I know why safebrowsing's AVs could possibly have wrongly detected a problem, so I asked them to rescan the site to identify the issue or to confirm to startssl that there were no problems.

It has not worked up to now, so I gave up on the SSL certificate. It just failed because safebrowsing was wrong and because startssl's procedures are based on this. They told me that they were obliged to do so, but in the end that's another kind of censorship, because a tool (safebrowsing) can be wrong. I hope letsencrypt will not reproduce this.


On 04/02/2015 13:27, CJ wrote:

On 04/02/15 13:19, Paul Syverson wrote:
On Wed, Feb 04, 2015 at 06:58:28AM +0100, CJ wrote:

On 02/04/2015 06:19 AM, Seth wrote:
On Tue, 03 Feb 2015 20:01:36 -0800, Andrew Roffey <andrew@roffey.org>
wrote:
  - there is a cost of obtaining HTTPS signatures.
Not certain if the deal is still being offered, but for quite a while
you could get a free TLS/SSL certificate good for one year when
registering or transferring a domain to namecheap.com

Then if you needed to renew it, or just buy more, you could pick them up
for $2/yr just by purchasing another qualifying product, such as a year of
whoisguard for $2.88.

Point being, the cost of certificates can be negligible if you know
where to look.

not to mention StartSSL and their free certificates… Well, ok, maybe not
the cleanest and trustworthy thing, but you can still provide the CSR,
meaning you own the key. And they support 4096b with sha2…

See also https://letsencrypt.org/
Let's Encrypt plans to offer free and automatic to set up certificates
from a recognized authority starting in mid-2015. (Not quite ready
yet.) It is backed by EFF, Mozilla, Akamai, Cisco, and Identrust.

-Paul
right — can't wait for this one. In the meanwhile I stick with startssl…

--
Peersm : http://www.peersm.com
torrent-live: https://github.com/Ayms/torrent-live
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk