
I have been looking into setting up SSL for my blog. There is currently no free way to get SSL certificates. There are some free ones but they tend to come with strings and lure you into paid plans. I am not sure if this proposal is the best.


Today that's true, but hopefully this EFF project will turn out next year: https://www.eff.org/deeplinks/2014/11/certificate-authority-...


StartSSL is free and simple to use unless they changed recently. The only downside is that certain UAs don't trust the StartSSL CA, notably Java.


The free version doesn't come with a wildcard. So if you run multiple stuff off your VPS you will have to upgrade. I currently use a self-signed certificate for everything, except when I serve content to the public I switch to http.


You could use SNI and support the majority of clients.


SSL Certificates are free. It's the authority you pay for.

What needs to change, in addition to this, is that the interstitial warning page for a self-signed certificate needs to go away.

Having a self-signed cert > http.


> Having a self-signed cert > http.

It really depends on what exactly you are talking about. For a Man-in-the-middle attack, your statement is false. For passive dragnet surveillance, your statement is true.

I think people underestimate MITM attacks...


Doesn't really matter, does it? Even if MITM attacks are 99% of all attacks, that doesn't leave you any worse off with a self-signed certificate. Better yet, you are able to use a root certificate only trusted by most, rather than all, browsers because you secure that much of your traffic (which could easily be the 80+% that runs a modern browser, just not the few virus-infected XP machines), which would enable actual innovation among CAs.


> For a Man-in-the-middle attack, your statement is false.

Not with certificate pinning.
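
The pinning idea from the reply above, as an added example that is not part of the original thread: a client that cannot validate a self-signed certificate through a CA instead compares the certificate's SHA-256 fingerprint with a value it obtained out of band. The function names and the two byte strings standing in for DER certificates are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SERVER_DER = b"constructed stand-in for the server's self-signed certificate"
MITM_DER = b"constructed stand-in for an interceptor's self-signed certificate"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: set) -> bool:
    """True if the presented certificate matches any pinned fingerprint."""
    presented = fingerprint(der_cert)
    ok = False
    # Compare against every pin (current and backup) in constant time.
    for pin in pins:
        ok |= hmac.compare_digest(presented, pin.lower())
    return ok


def connect_pinned(host: str, port: int, pins: set) -> ssl.SSLSocket:
    """Connect to a self-signed server, trusting only pinned certificates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # CA validation cannot succeed for a self-signed certificate, so it is
    # switched off and replaced by the pin check below. Without that check
    # this context would accept any certificate, including an interceptor's.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=10)
    sock = ctx.wrap_socket(raw, server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        sock.close()
        raise ssl.SSLError("certificate does not match any pinned fingerprint")
    return sock
```

The check only helps if the pin reaches the client over a channel the interceptor does not control; a pin learned on first connection protects later connections but not that first one.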


on a case by case basis: >=

overall assessment: >



