[OT] SSL Cert recommendation

18 messages

[OT] SSL Cert recommendation

Arturo 'Buanzo' Busleiman
Hi group! Sorry for the OT. I'd like to implement SSL Certificates in my Postfix. Truth is there are
lots of certificates available to be bought. Expensive ones, cheap ones... there's also openca. Of
course, I don't want to use a self-signed one. Any recommendations? Again, sorry for the OT.

--
Arturo "Buanzo" Busleiman
Reliable inter-continental Mail Relay Service - Ask me!
Independent Security Consultant - SANS - OISSG
http://www.buanzo.com.ar/pro/

Re: [OT] SSL Cert recommendation

Sahil Tandon
* Arturo 'Buanzo' Busleiman <[hidden email]> [05-17-2008]:

> Hi group! Sorry for the OT. I'd like to implement SSL Certificates in my
> Postfix. Truth is there are
> lots of certificates available to be bought. Expensive ones, cheap ones...
> there's also openca. Of
> course, I don't want to use a self-signed one. Any recommendations? Again,
> sorry for the OT.

Many people I know use and recommend Thawte.  I have personally had no
experience with them.

--
Sahil Tandon <[hidden email]>

Re: [OT] SSL Cert recommendation

Jason Fesler
In reply to this post by Arturo 'Buanzo' Busleiman
> Hi group! Sorry for the OT. I'd like to implement SSL Certificates in my
> Postfix. Truth is there are
> lots of certificates available to be bought. Expensive ones, cheap ones...
> there's also openca. Of
> course, I don't want to use a self-signed one. Any recommendations? Again,
> sorry for the OT.

OpenSRS's reseller price for a Geotrust QuickSSL cert is very reasonable -
about $70 if memory serves me.  However, it costs $100 to become an OpenSRS
reseller, so it depends on how many you need (or if you want their other
services) whether it is worth it.  The mail clients I've tried all seem
happy with it, no SSL warnings.



Re: [OT] SSL Cert recommendation

Matthias Schmidt [c]
In reply to this post by Arturo 'Buanzo' Busleiman
On Sat, 17 May 2008 19:20:18 -0300, Arturo 'Buanzo' Busleiman wrote:

>Hi group! Sorry for the OT. I'd like to implement SSL Certificates in my
>Postfix. Truth is there are

We use GoDaddy.com and it works as advertised.

Thanks and all the best

Matthias


Re: [OT] SSL Cert recommendation

Victor Duchovni
In reply to this post by Arturo 'Buanzo' Busleiman
On Sat, May 17, 2008 at 07:20:18PM -0300, Arturo 'Buanzo' Busleiman wrote:

> Hi group! Sorry for the OT. I'd like to implement SSL Certificates in my
> Postfix. Truth is there are
> lots of certificates available to be bought. Expensive ones, cheap ones...
> there's also openca. Of
> course, I don't want to use a self-signed one. Any recommendations? Again,
> sorry for the OT.

What's wrong with self-signed certificates? They work just fine for SMTP,
nobody checks SMTP certificate validity without prior agreement with
specific sites. The vast majority of SMTP certs are self-signed.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: [OT] SSL Cert recommendation

Arturo 'Buanzo' Busleiman

Victor Duchovni wrote:
| What's wrong with self-signed certificates? They work just fine for SMTP,
| nobody checks SMTP certificate validity without prior agreement with
| specific sites. The vast majority of SMTP certs are self-signed.

I have certain requirements.

--
Arturo "Buanzo" Busleiman
Reliable inter-continental Mail Relay Service - Ask me!
Independent Security Consultant - SANS - OISSG
http://www.buanzo.com.ar/pro/

Re: [OT] SSL Cert recommendation

Jason Fesler
In reply to this post by Victor Duchovni
> What's wrong with self-signed certificates? They work just fine for SMTP,
> nobody checks SMTP certificate validity without prior agreement with
> specific sites. The vast majority of SMTP certs are self-signed.

Two of the mobile apps I've used do complain (treo's SnapperMail, and
iPhone's Mail.app).  For desktop, Apple's Mail.app does complain if the
keys are self signed (unless you take great efforts to muck with Apple's
certificate stuff).

Besides, you can use the same certificate on your web server.. :-)


Re: [OT] SSL Cert recommendation

Victor Duchovni
In reply to this post by Arturo 'Buanzo' Busleiman
On Sat, May 17, 2008 at 10:12:59PM -0300, Arturo 'Buanzo' Busleiman wrote:

> Victor Duchovni wrote:
> | What's wrong with self-signed certificates? They work just fine for SMTP,
> | nobody checks SMTP certificate validity without prior agreement with
> | specific sites. The vast majority of SMTP certs are self-signed.
>
> I have certain requirements.

In that case, buy the cheapest certs the peers who will be verifying them
are willing to trust. At the end of the day a cert is just a binding of
a public key to a domain name, signed by a party the verifier trusts, the
rest is marketing.

--
        Viktor.


Re: [OT] SSL Cert recommendation

Arturo 'Buanzo' Busleiman

Victor Duchovni wrote:
| the rest is marketing.

Tell me about it:

http://www.freesoftwaremagazine.com/columns/interview_with_arturo_busleiman


--
Arturo "Buanzo" Busleiman
Reliable inter-continental Mail Relay Service - Ask me!
Independent Security Consultant - SANS - OISSG
http://www.buanzo.com.ar/pro/

Re: [OT] SSL Cert recommendation

Victor Duchovni
On Sun, May 18, 2008 at 12:00:54AM -0300, Arturo 'Buanzo' Busleiman wrote:

> Victor Duchovni wrote:
> | the rest is marketing.
>
> Tell me about it:
>
> http://www.freesoftwaremagazine.com/columns/interview_with_arturo_busleiman

Seems pretty naive to me (sorry about that). I think a much better bet
is TLS PSK and even this has to overcome tremendous inertia and needs
well thought-out browser implementations (IMHO, don't prompt for the
pre-shared password, instead retrieve from a keystore unlocked when the
browser starts, Keychain on MacOS X).

--
        Viktor.


Re: [OT] SSL Cert recommendation

Mauro Sanna
In reply to this post by Victor Duchovni
> On Sat, May 17, 2008 at 07:20:18PM -0300, Arturo 'Buanzo' Busleiman wrote:
>
> > Hi group! Sorry for the OT. I'd like to implement SSL Certificates in my
> > Postfix. Truth is there are
> > lots of certificates available to be bought. Expensive ones, cheap ones...
> > there's also openca. Of
> > course, I don't want to use a self-signed one. Any recommendations? Again,
> > sorry for the OT.
>
> What's wrong with self-signed certificates? They work just fine for SMTP,
> nobody checks SMTP certificate validity without prior agreement with
> specific sites. The vast majority of SMTP certs are self-signed.
>

Use CAcert.org it's free.


Re: [OT] SSL Cert recommendation

Bill Cole-3
At 10:05 AM +0200 5/19/08, Mauro Sanna wrote:

>>  On Sat, May 17, 2008 at 07:20:18PM -0300, Arturo 'Buanzo' Busleiman wrote:
>>
>>  > Hi group! Sorry for the OT. I'd like to implement SSL Certificates in my
>>  > Postfix. Truth is there are
>>  > lots of certificates available to be bought. Expensive ones, cheap ones...
>>  > there's also openca. Of
>>  > course, I don't want to use a self-signed one. Any recommendations? Again,
>>  > sorry for the OT.
>>
>>  What's wrong with self-signed certificates? They work just fine for SMTP,
>>  nobody checks SMTP certificate validity without prior agreement with
>>  specific sites. The vast majority of SMTP certs are self-signed.
>>
>
>Use CAcert.org it's free.

That is not so if your time has any value and you have a typical user
base. User support effort is the biggest reason not to use a
self-signed cert, and that is at least as significant with any
3rd-party CA that is not a part of most users' set of trusted CA's.
It is also somewhat harder to make the logical case that a user
should trust a CAcert.org certification of the identity of their mail
provider than that they should trust that provider's own assertion.


--
Bill Cole
[hidden email]


Re: [OT] SSL Cert recommendation

Vick Khera
In reply to this post by Jason Fesler

On May 17, 2008, at 9:42 PM, Jason Fesler wrote:

> Apple's Mail.app does complain if the keys are self signed (unless  
> you take great efforts to muck with Apple's certificate stuff).

At least for the SSL cert used in IMAP, Apple's "great efforts to muck  
with" involve clicking the "view certificate" button, then checking  
the "trust this certificate" checkbox, clicking "save".

I can't imagine it being more complicated for SMTP TLS certificates.

For a certificate vendor recommendation, you can buy RapidSSL
certificates from geotrust (you have to go to rapidssl.com though)
either directly, by signing up as a reseller, or use a high-volume low-
price reseller like http://www.rapidsslonline.com/ which sells them
for insanely cheap (cheaper than you'll ever get as a direct reseller
unless you do huge volumes).

I find the rapidssl certificates sufficient for web servers; I've  
never set up email TLS/SSL.


Re: [OT] SSL Cert recommendation

Jorey Bump
In reply to this post by Bill Cole-3
Bill Cole wrote, at 05/19/2008 11:50 AM:

> At 10:05 AM +0200 5/19/08, Mauro Sanna wrote:
>>
>> Use CAcert.org it's free.
>
> That is not so if your time has any value and you have a typical user
> base. User support effort is the biggest reason not to use a self-signed
> cert, and that is at least as significant with any 3rd-party CA that is
> not a part of most users' set of trusted CA's. It is also somewhat
> harder to make the logical case that a user should trust a CAcert.org
> certification of the identity of their mail provider than that they
> should trust that provider's own assertion.

I agree, but perhaps our underlying reason is flawed. It's interesting
that the Debian/OpenSSL fiasco was caused simply because a maintainer
wanted to silence some valgrind reporting. Aren't we guilty of the same
thing if all we want is to stop client software from complaining to our
users, who then will turn around and complain to us?

I set up a CA with the full intention of installing the root certificate
in our clients, until I realized that it would be trivial for certain
types of support staff to create a man-in-the-middle attack. It seems to
me that blindly trusting a root CA has its share of risks, as well.


Re: [OT] SSL Cert recommendation

Victor Duchovni
In reply to this post by Vick Khera
On Mon, May 19, 2008 at 12:37:20PM -0400, Vivek Khera wrote:

>
> I find the rapidssl certificates sufficient for web servers; I've  
> never set up email TLS/SSL.

Server certificates for Email TLS servers and HTTP TLS servers are
indistinguishable.

My suggestion to go self-signed applies to MX hosts, for hosts that
are also MSAs, the usability issues mentioned by others do in fact
generally make certs issued by public CAs more attractive.

--
        Viktor.

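The MX/MSA split Viktor describes here, and his earlier point that nobody verifies SMTP certificates without a prior agreement with the specific peer, as one added configuration example. This is not code from the thread or from the Postfix documentation: one Postfix instance serves both roles, port 25 presents a self-signed certificate for MTA-to-MTA traffic, the submission port presents the public-CA certificate that mail clients will check, and a policy table covers the one case in which a self-signed peer certificate is actually verified. Host names, file paths and the fingerprint placeholder are assumptions; the parameter names are real Postfix 2.5-era parameters.

```conf
# ---- main.cf (added example; paths and host names are assumed) ----

# Port 25, MX role: opportunistic STARTTLS with a self-signed cert. Remote
# MTAs at "may" level encrypt but do not verify, so a CA signature on this
# cert changes nothing. One way to generate it (assumed paths):
#   openssl req -new -x509 -nodes -days 3650 -subj '/CN=mx.example.net' \
#     -newkey rsa:2048 -keyout /etc/postfix/tls/mx.key -out /etc/postfix/tls/mx.pem
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/mx.pem
smtpd_tls_key_file  = /etc/postfix/tls/mx.key
smtpd_tls_loglevel  = 1

# Outbound: opportunistic by default, public roots available for the
# destinations where the policy table below asks for verification.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# ---- master.cf: submission service, MSA role, for mail clients ----
# MUAs verify the chain and the host name, so this service presents the
# public-CA certificate. Postfix reads intermediates from the same file as
# the server cert: server cert first, then the intermediate(s).
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_cert_file=/etc/postfix/tls/mail.example.net.chain.pem
  -o smtpd_tls_key_file=/etc/postfix/tls/mail.example.net.key
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# ---- /etc/postfix/tls_policy (then run: postmap /etc/postfix/tls_policy) ----
# Peer with a public-CA cert and a prior agreement: require a verified
# chain and a matching name, fail delivery otherwise.
partner.example             secure match=mx.partner.example
# Peer with a self-signed cert and a prior agreement: pin the certificate
# fingerprint exchanged out of band. The value below is a placeholder; take
# it from the partner's real cert with the digest named by
# smtp_tls_fingerprint_digest (openssl x509 -noout -fingerprint -in cert.pem).
selfsigned-partner.example  fingerprint match=<fingerprint-of-partner-cert>
```

To see what each port actually presents, connect with `openssl s_client -starttls smtp -connect mail.example.net:587` and again on port 25. With `smtp_tls_loglevel = 1`, Postfix logs every outbound session as an Anonymous, Untrusted, Trusted or Verified TLS connection, which shows directly that only the policy-table destinations ever reach Trusted or Verified; everything else is Untrusted or Anonymous whatever certificate the remote side bought.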

Re: [OT] SSL Cert recommendation

Victor Duchovni
In reply to this post by Jorey Bump
On Mon, May 19, 2008 at 12:38:58PM -0400, Jorey Bump wrote:

> I set up a CA with the full intention of installing the root certificate
> in our clients, until I realized that it would be trivial for certain
> types of support staff to create a man-in-the-middle attack. It seems to
> me that blindly trusting a root CA has its share of risks, as well.

You have to trust something. Ideally, you trust only the things you must
trust, but that set is never empty.

--
        Viktor.


Re: [OT] SSL Cert recommendation

Gaël Lams
In reply to this post by Arturo 'Buanzo' Busleiman
Hi,

> Hi group! Sorry for the OT. I'd like to implement SSL Certificates in my
> Postfix. Truth is there are
> lots of certificates available to be bought. Expensive ones, cheap ones...
> there's also openca. Of
> course, I don't want to use a self-signed one. Any recommendations? Again,
> sorry for the OT.

We decided to go with DigiCert because they have this "star"
certificate which can be used on how many servers you want. I had to
contact them only once and support's answer was timely and "good".

Regards,

Gaël

Re: [OT] SSL Cert recommendation

Vick Khera

On May 21, 2008, at 8:24 AM, Gaël Lams wrote:

> We decided to go with DigiCert because they have this "star"
> certificate which can be used on how many servers you want. I had to
> contact them only once and support's answer was timely and "good".

Wow. I've never seen a vendor license a certificate for use on more
than one machine without paying per machine -- even with a wildcard
certificate they license and charge per machine. I guess that's what
you pay the higher price for :-)

