[Gpg4win-users-en] Commonly accepted SSL/TLS certificate for gpg4win websites
Thomas Arendsen Hein
thomas at intevation.de
Thu Oct 15 16:04:58 CEST 2015
Hi!
There has been some discussion about SSL/TLS certificates that are
automatically accepted by usual web browsers on this list (and
elsewhere).
TL;DR: We want to switch to a commercial SSL certificate for
the gpg4win web and download services soon. Mailing list and forum
will not yet be changed.
= The current situation =
The current certificate is provided by our own CA, which is not
known by most browsers unless the root certificate is imported from
https://ssl.intevation.de/
* Why don't we just buy a certificate?
We currently have to do this, because the certificate includes
over 40 SAN entries (including a wildcard entry) in a single
certificate: wald.intevation.org, *.wald.intevation.org and many
entries for the projects hosted on Wald.
I'm not aware of any commercial CA that offers such certificates,
I have only found CAs which offer 24 SAN entries, and then they
don't allow wildcard entries.
* Why don't we simply use more IPs?
IPv4 IPs are a scarce resource, we don't want to waste them. But
we tried adding some extra IPs to our Wald server to have separate
SSL certificates for the most important services:
- *.wald.intevation.org and wald.intevation.org
- the 4 gpg4win hostnames currently hosted on Wald (gpg4win.org,
gpg4win.de and both prefixed with "www.")
- everything else (using a certificate signed by our own CA, like
the current one)
The main problem here was the templating mechanism of FusionForge
for the web server configuration files for Wald. Some early
attempts to adjust this failed, and because our admin capacities
were needed in other projects, we did not continue with this
approach. It certainly is possible, but might be too
time-consuming. If adjusting Wald fails, we could use a
workaround: A simple proxy or TCP forwarder in front of Wald, but
at that time, Wald was under heavy load and we did not want to add
extra overhead for a workaround. Since then we upgraded to more
powerful hardware, so this might be a possibility for the future.
* Why don't we simply use SNI to present different certificates?
1. Same reasons as above: We need to adjust the FusionForge
templating or add a proxy/forwarder as a workaround.
2. SNI has only very recently become supported by most browsers
and there is still some software that does not support SNI:
- Internet Explorer on Windows XP (should not be relevant
anymore, but unfortunately it is)
- older wget (as included in the still supported Debian wheezy)
- Python before 2.7.9 (again Debian wheezy)
- Mercurial before version 3.3 (Debian jessie has 3.1.2)
- Java 6 (even at the current patch level)
- Not sure if Android 2.x still counts, but I mention it for
completeness
I want to use SNI in the future, but I assume this still has to
wait a bit for getting Windows XP with IE usage below 1% and
maybe even Debian jessie becoming oldstable.
= The proposed next step for gpg4win =
My plan is to buy a certificate with the following SAN entries:
www.gpg4win.org (main address)
www.gpg4win.de
gpg4win.org
gpg4win.de
files.gpg4win.org
files.gpg4win.de
With a lifetime of three years, this will cost us 640€ for a
certificate from GeoTrust (see below for why we use GeoTrust).
The certificate will be installed on the server that currently hosts
files.gpg4win.org, so downloads from there will immediately become
trusted without importing Intevation's CA.
I will upgrade the server so it can offer TLS1.2, like Wald already
does.
As the content of www.gpg4win.org is generated into static files,
moving the gpg4win website to this server is easy. Updating the
website can be done by the same people who can publish new releases,
but others can be added if needed, too.
If there are no objections, I can start with this.
= Future steps =
The mailing lists are currently hosted on Wald. As most mails sent
to and received from the list are transferred via unprotected SMTP
connections, having SSL would be nice (especially for the Mailman
web interface), but is less important than website and downloads.
A possible solution could be to move the mailing lists to
lists.gnupg.org, which already provides a certificate signed by a CA
known to modern browsers.
But this would not solve secure access to the web forums on Wald and
most solutions for the forums would also provide a solution for the
mailing list.
I assume the most appropriate solution would be to buy a wildcard
certificate for Wald, which would cost 1380€ for three years for the
certificate and the additional required IPv4 IP, and solve or
work around the FusionForge templating mechanism.
= Comments on alternative CAs =
Yes, there are cheaper CAs than GeoTrust, but it has some benefits
that others can't offer us:
- It is a well-known CA that is accepted by all relevant browsers
and other https clients.
- A German reseller that sends us a single invoice for all
certificates we have bought, so our accounting does not run into
issues or has to pay a separate invoice for each certificate.
Despite having our own CA, we have bought many certificates for
customers and some of our other servers.
- Because of this it can't happen that our credit card gets charged
beyond the monthly limit and will leave our CEO stranded somewhere :)
- If things go wrong, we can call a real human!
- We can buy certificates for domains or subdomains that we do not
own. This applies to the gpg4win domains, too. GeoTrust will
contact the owner and ask for permission.
- It is not Comodo, see e.g.
https://en.wikipedia.org/wiki/Comodo_Group#Certificate_hacking
so it is less likely that your sysadmin has marked it as
untrusted.
- It is still cheaper than some other CAs which offer a similar
level of quality.
Whew! That was long. Thanks for reading (or skimming). Feel free to
contact me via this list (I subscribed some weeks ago) if you have
questions or comments.
Regards,
Thomas Arendsen Hein
--
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
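The message above argues about two certificate shapes: a single certificate carrying the six gpg4win SAN entries, and a Wald certificate that needs both `*.wald.intevation.org` and the bare `wald.intevation.org`. The script below is an added example, not code from the original post or from the gpg4win or Intevation projects. It builds throw-away self-signed certificates with the openssl command-line tool for each shape (plus one with the wildcard alone) and asks openssl which host names each one is valid for, so the effect of the wildcard rules can be seen without buying anything. The host names forum.gpg4win.org and a.b.wald.intevation.org are constructed here for the negative checks and do not appear in the original message.

```shell
#!/bin/sh
# Added example, not code from the original post or from the gpg4win/Intevation
# projects.  Builds throw-away self-signed certificates with openssl carrying
# (a) the six SAN entries proposed for gpg4win, (b) the wildcard plus bare
# name a Wald certificate would need, and (c) the wildcard alone, then asks
# openssl which host names each certificate is valid for.  forum.gpg4win.org
# and a.b.wald.intevation.org are constructed test names, not real hosts.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME CN SANLIST
# Writes a fresh RSA key and a one-day self-signed certificate to $WORK/NAME.pem,
# using a minimal openssl config so the SAN extension is emitted exactly as given.
# Note: once a certificate has DNS SAN entries, clients ignore the CN entirely.
make_cert() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $2
[v3]
basicConstraints = critical,CA:TRUE
subjectAltName = $3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# list_sans NAME -> prints the subjectAltName line of the certificate
list_sans() {
    openssl x509 -in "$WORK/$1.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# cert_matches NAME HOST -> exit 0 iff openssl accepts HOST for the certificate.
# The certificate is passed as its own trust anchor, so chain building cannot
# fail and the only remaining check is the host name, evaluated with the same
# rules a browser applies: a '*' covers exactly one label and never the bare
# domain to its right.
cert_matches() {
    openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$2" "$WORK/$1.pem" \
        >/dev/null 2>&1
}

# (a) the SAN list proposed for gpg4win in the message
make_cert gpg4win www.gpg4win.org \
    "DNS:www.gpg4win.org,DNS:www.gpg4win.de,DNS:gpg4win.org,DNS:gpg4win.de,DNS:files.gpg4win.org,DNS:files.gpg4win.de"
# (b) what a Wald certificate needs: wildcard AND the bare name
make_cert wald wald.intevation.org "DNS:wald.intevation.org,DNS:*.wald.intevation.org"
# (c) the wildcard alone, to show why the bare name is listed separately
make_cert wildonly wald.intevation.org "DNS:*.wald.intevation.org"

for name in gpg4win wald wildonly; do
    echo "$name: $(list_sans "$name")"
done

for pair in gpg4win:www.gpg4win.org gpg4win:files.gpg4win.de gpg4win:forum.gpg4win.org \
            wald:wald.intevation.org wald:gpg4win.wald.intevation.org wald:a.b.wald.intevation.org \
            wildonly:gpg4win.wald.intevation.org wildonly:wald.intevation.org; do
    cert=${pair%%:*}; host=${pair#*:}
    if cert_matches "$cert" "$host"; then
        echo "$cert: $host accepted"
    else
        echo "$cert: $host rejected"
    fi
done
```

The run shows forum.gpg4win.org rejected by the six-entry certificate (every name has to be listed explicitly), a.b.wald.intevation.org rejected by the wildcard (one label only), and wald.intevation.org rejected by the wildcard-only certificate, which is exactly why the message pairs `*.wald.intevation.org` with the bare name. Against a live server the same `openssl verify -verify_hostname` check can be pointed at the chain saved from `openssl s_client -connect host:443 -servername host -showcerts` (and, with OpenSSL 1.1.0 or later, `-noservername`) to see which certificate a server presents with and without SNI.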