[Gpg4win-users-en] Commonly accepted SSL/TLS certificate for gpg4win websites

Michael Carbone michael at accessnow.org
Thu Oct 15 18:19:23 CEST 2015


Thomas Arendsen Hein:
> Hi!
> 
> There has been some discussion about SSL/TLS certificates that are
> automatically accepted by usual web browsers on this list (and
> elsewhere).
> 
> TL;DR: We want to switch to a commercial SSL certificate for
> the gpg4win web and download services soon. Mailing list and forum
> will not yet be changed.
> 
> 
> = The current situation =
> 
> The current certificate is provided by our own CA, which is not
> known by most browsers unless the root certificate is imported from
> https://ssl.intevation.de/
> 
> * Why don't we just buy a certificate?
> 
>   We currently have to do this, because the certificate includes
>   over 40 SAN entries (including a wildcard entry) in a single
>   certificate: wald.intevation.org, *.wald.intevation.org and many
>   entries for the projects hosted on Wald.
> 
>   I'm not aware of any commercial CA that offers such certificates,
>   I have only found CAs which offer 24 SAN entries, and then they
>   don't allow wildcard entries.
> 
> * Why don't we simply use more IPs?
> 
>   IPv4 IPs are a scarce resource, we don't want to waste them. But
>   we tried adding some extra IPs to our Wald server to have separate
>   SSL certificates for the most important services:
>   - *.wald.intevation.org and wald.intevation.org
>   - the 4 gpg4win hostnames currently hosted on Wald (gpg4win.org,
>     gpg4win.de and both prefixed with "www.")
>   - everything else (using a certificate signed by our own CA, like
>     the current one)
> 
>   The main problem here was the templating mechanism of FusionForge
>   for the web server configuration files for Wald. Some early
>   attempts to adjust this failed, and because our admin capacities
>   were needed in other projects, we did not continue with this
>   approach. It certainly is possible, but might be too
>   time-consuming. If adjusting Wald fails, we could use a
>   workaround: A simple proxy or TCP forwarder in front of Wald, but
>   at that time, Wald was under heavy load and we did not want to add
>   extra overhead for a workaround. Since then we upgraded to more
>   powerful hardware, so this might be a possibility for the future.
> 
> * Why don't we simply use SNI to present different certificates?
> 
>   1. Same reasons as above: We need to adjust the FusionForge
>      templating or add a proxy/forwarder as a workaround.
>   2. SNI has only very recently become supported by most browsers
>      and there is still some software that does not support SNI:
>      - Internet Explorer on Windows XP (should not be relevant
>        anymore, but unfortunately it is)
>      - older wget (as included in the still supported Debian wheezy)
>      - Python before 2.7.9 (again Debian wheezy)
>      - Mercurial before version 3.3 (Debian jessie has 3.1.2)
>      - Java 6 (even at the current patch level)
>      - Not sure if Android 2.x still counts, but I mention it for
>        completeness
> 
>   I want to use SNI in the future, but I assume this still has to
>   wait a bit for getting Windows XP with IE usage below 1% and
>   maybe even Debian jessie becoming oldstable.
> 
> 
> = The proposed next step for gpg4win =
> 
> My plan is to buy a certificate with the following SAN entries:
> 
>   www.gpg4win.org (main address)
>   www.gpg4win.de
>   gpg4win.org
>   gpg4win.de
>   files.gpg4win.org
>   files.gpg4win.de
> 
> With a lifetime of three years, this will cost us 640€ for a
> certificate from GeoTrust (see below for why we use GeoTrust).
> 
> The certificate will be installed on the server that currently hosts
> files.gpg4win.org, so downloads from there will immediately become
> trusted without importing Intevation's CA.
> 
> I will upgrade the server so it can offer TLS1.2, like Wald already
> does.
> 
> As the content of www.gpg4win.org is generated into static files,
> moving the gpg4win website to this server is easy. Updating the
> website can be done by the same people who can publish new releases,
> but others can be added if needed, too.
> 
> If there are no objections, I can start with this.
> 
> 
> = Future steps =
> 
> The mailing lists are currently hosted on Wald. As most mails sent
> to and received from the list are transferred via unprotected SMTP
> connections, having SSL would be nice (especially for the Mailman
> web interface), but is less important than website and downloads.
> 
> A possible solution could be to move the mailing lists to
> lists.gnupg.org, which already provides a certificate signed by a CA
> known to modern browsers.
> 
> But this would not solve secure access to the web forums on Wald and
> most solutions for the forums would also provide a solution for the
> mailing list.
> 
> I assume the most appropriate solution would be to buy a wildcard
> certificate for Wald, which would cost 1380€ for three years for the
> certificate and the additional required IPv4 IP, and solve or
> work around the FusionForge templating mechanism.
> 
> 
> = Comments on alternative CAs =
> 
> Yes, there are cheaper CAs than GeoTrust, but it has some benefits
> that others can't offer us:
> 
> - It is a well-known CA that is accepted by all relevant browsers
>   and other https clients.
> - A German reseller that sends us a single invoice for all
>   certificates we have bought, so our accounting does not run into
>   issues or has to pay a separate invoice for each certificate.
>   Despite having our own CA, we have bought many certificates for
>   customers and some of our other servers.
> - Because of this it can't happen that our credit card gets charged
>   beyond the monthly limit and will leave our CEO stranded somewhere :)
> - If things go wrong, we can call a real human!
> - We can buy certificates for domains or subdomains that we do not
>   own. This applies to the gpg4win domains, too. GeoTrust will
>   contact the owner and ask for permission.
> - It is not Comodo, see e.g.
>   https://en.wikipedia.org/wiki/Comodo_Group#Certificate_hacking
>   so it is less likely that your sysadmin has marked it as
>   untrusted.
> - It is still cheaper than some other CAs which offer a similar
>   level of quality.
> 
> 
> Whew! That was long. Thanks for reading (or skimming). Feel free to
> contact me via this list (I subscribed some weeks ago) if you have
> questions or comments.
> 
> Regards,
> Thomas Arendsen Hein
> 
Hi Thomas,

This is great news! Thanks for updating the community on these important
steps, looking forward to the website and downloads having this new cert.

Michael

-- 
Michael Carbone
Manager of Security Education
Digital Security Helpline
Access | https://www.accessnow.org

GPG fingerprint: 2DBE 2014 E7B0 0730 303D 7AAB 99AB 0624 6EEB F5A8
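The thread turns on which hostnames a single certificate's SAN list actually covers (why both wald.intevation.org and *.wald.intevation.org are needed, and which gpg4win names the planned certificate would serve). As an added example, not code from the thread or from Intevation, here is a small checker that applies the RFC 6125 wildcard rules to a SAN list shaped like the `subjectAltName` entry Python's `ssl` module returns from `getpeercert()`; the certificate dict is constructed from the names mentioned in the post and is not a real certificate.

```python
# Constructed sample shaped like the 'subjectAltName' entry of
# ssl.SSLSocket.getpeercert(); the names mirror the ones in the thread.
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "wald.intevation.org"),
        ("DNS", "*.wald.intevation.org"),
        ("DNS", "www.gpg4win.org"),
        ("DNS", "www.gpg4win.de"),
        ("DNS", "gpg4win.org"),
        ("DNS", "gpg4win.de"),
        ("DNS", "files.gpg4win.org"),
        ("DNS", "files.gpg4win.de"),
    )
}


def dns_names(cert):
    """Return the dNSName SAN entries of a getpeercert()-style dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def san_matches(pattern, hostname):
    """RFC 6125-style match of one SAN pattern against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # '*' must be the whole leftmost label; reject '*.org'-style patterns
    # (fewer than three labels) and wildcards anywhere else.
    if plabels[0] != "*" or len(plabels) < 3 or "*" in plabels[1:]:
        return False
    # The wildcard stands for exactly one label: '*.wald.intevation.org'
    # covers 'hg.wald.intevation.org' but neither 'wald.intevation.org'
    # nor 'a.b.wald.intevation.org'.
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def covered(cert, hostname):
    """True if any SAN entry of the certificate matches the hostname."""
    return any(san_matches(p, hostname) for p in dns_names(cert))


def coverage_report(cert, hostnames):
    """Map each hostname to whether the certificate would be accepted for it."""
    return {h: covered(cert, h) for h in hostnames}


if __name__ == "__main__":
    hosts = ["wald.intevation.org", "hg.wald.intevation.org",
             "a.b.wald.intevation.org", "files.gpg4win.org", "lists.gpg4win.org"]
    for host, ok in coverage_report(SAMPLE_CERT, hosts).items():
        print(f"{host:28} {'covered' if ok else 'NOT covered'}")
```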

