Update: A lot of people don’t like the idea of people issuing their own CA certs… I saw some humour in an SSLFail CA cert that wasn’t shared. I also see no reason why SSL certs should be as overpriced as they are (that deserves its own blog post), so I won’t pay for one for a blog. So… install the CA cert at your own risk.
So there have been some comments about SSLFail not having an SSL version. I’ve fixed this today and you can now access SSLFail via https://www.sslfail.com. The CA is SSLFail, so by default you’ll get an error (in Firefox the message will read: ‘The certificate is not trusted because the issuer certificate is unknown.’). The SSLFail certificate is available for download, should you wish to install it.
Should anyone want a cert signed by SSLFail, I’m more than willing to do so… simply email — treguly (at) sslfail (dot) com.


February 26, 2009
Since this site is dedicated to the secure use of SSL, I think this approach is worth a bit of discussion. First off, I don’t see any reason for this site to need SSL. Not having SSL does not equal a problem. The need for SSL depends on whether the guarantees SSL provides are necessary – guarantees of integrity, confidentiality, replay prevention and end-point authentication. Since this site is intended for people to read provided information, I don’t personally see a reason for SSL.
Aside from that note, let’s look at the practice of providing a certificate for download. The link above allows a user to download the certificate to prevent the browser’s warning message of unknown issuer. Since the certificate is available over http, a MitM could just as easily switch the URL so it points to their cert which they’ve created for sslfail.com. So, providing a cert for download over http provides zero security.
Now, to restate my original point. I bring this up only since this site is intended to discuss security of SSL and certificates. I really don’t see any reason to use SSL for SSLfail.com.
-Michael
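The mitigation for the point Michael raises (a CA cert fetched over plain http can be swapped by anyone on the path) is to compare the downloaded file against a fingerprint obtained through a second channel, for example read out over the phone or printed somewhere the attacker cannot edit, before importing it into a browser. The script below is an added example, not code from the post or from SSLFail: it strips the PEM armour, hashes the DER bytes exactly as `openssl x509 -noout -fingerprint -sha256` does, and accepts the certificate only if the fingerprint matches. The DER bodies are constructed placeholder bytes, since the real SSLFail certificate is not reproduced on this page; the function and constant names are this example's own.

```python
import base64
import binascii
import hashlib
import hmac

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed placeholder bytes standing in for the DER encoding of the genuine
# CA certificate and for a look-alike cert a MitM might serve instead.
# (Neither is a real certificate; the real SSLFail cert is not on this page.)
GENUINE_DER = bytes(range(0x30, 0x30 + 96))
SWAPPED_DER = bytes(range(0x30, 0x30 + 96)).replace(b"\x40", b"\x41")


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour and base64-decode the body; raises ValueError if malformed."""
    body = pem_text.strip()
    if not (body.startswith(PEM_HEADER) and body.endswith(PEM_FOOTER)):
        raise ValueError("not a PEM certificate")
    inner = body[len(PEM_HEADER):-len(PEM_FOOTER)]
    try:
        return base64.b64decode("".join(inner.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64 in PEM body") from exc


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, formatted like `openssl x509 -fingerprint -sha256`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise_fingerprint(fp: str) -> str:
    """Accept the out-of-band value with or without colons, in any case."""
    return fp.strip().replace(":", "").replace(" ", "").upper()


def downloaded_cert_is_trustworthy(pem_text: str, expected_fingerprint: str) -> bool:
    """True only if the downloaded cert hashes to the fingerprint obtained out of band.

    A cert that fails this check must not be imported, whatever the browser says.
    """
    try:
        der = pem_to_der(pem_text)
    except ValueError:
        return False
    actual = normalise_fingerprint(sha256_fingerprint(der))
    expected = normalise_fingerprint(expected_fingerprint)
    # Constant-time comparison; the values are short but the habit is cheap.
    return hmac.compare_digest(actual.encode(), expected.encode())


# In practice EXPECTED_FINGERPRINT comes from a channel the attacker cannot
# tamper with; here it is derived from the constructed genuine cert.
EXPECTED_FINGERPRINT = sha256_fingerprint(GENUINE_DER)
GENUINE_PEM = der_to_pem(GENUINE_DER)
SWAPPED_PEM = der_to_pem(SWAPPED_DER)

if __name__ == "__main__":
    print("expected:", EXPECTED_FINGERPRINT)
    print("genuine download accepted:", downloaded_cert_is_trustworthy(GENUINE_PEM, EXPECTED_FINGERPRINT))
    print("swapped download accepted:", downloaded_cert_is_trustworthy(SWAPPED_PEM, EXPECTED_FINGERPRINT))
```

Once the check passes, the verified PEM is what gets imported; a browser cannot tell a swapped cert from the genuine one, so the fingerprint comparison is the only step that actually ties the file to the site operator.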