[Gpg4win-users-en] Commonly accepted SSL/TLS certificate for gpg4win websites
Michael Carbone
michael at accessnow.org
Thu Oct 15 18:19:23 CEST 2015
Thomas Arendsen Hein:
> Hi!
>
> There has been some discussion about SSL/TLS certificates that are
> automatically accepted by usual web browsers on this list (and
> elsewhere).
>
> TL;DR: We want to switch to a commercial SSL certificate for
> the gpg4win web and download services soon. Mailing list and forum
> will not yet be changed.
>
>
> = The current situation =
>
> The current certificate is provided by our own CA, which is not
> known by most browsers unless the root certificate is imported from
> https://ssl.intevation.de/
>
> * Why don't we just buy a certificate?
>
> We currently have to do this, because the certificate includes
> over 40 SAN entries (including a wildcard entry) in a single
> certificate: wald.intevation.org, *.wald.intevation.org and many
> entries for the projects hosted on Wald.
>
> I'm not aware of any commercial CA that offers such certificates,
> I have only found CAs which offer 24 SAN entries, and then they
> don't allow wildcard entries.
>
> * Why don't we simply use more IPs?
>
> IPv4 IPs are a scarce resource, we don't want to waste them. But
> we tried adding some extra IPs to our Wald server to have separate
> SSL certificates for the most important services:
> - *.wald.intevation.org and wald.intevation.org
> - the 4 gpg4win hostnames currently hosted on Wald (gpg4win.org,
> gpg4win.de and both prefixed with "www.")
> - everything else (using a certificate signed by our own CA, like
> the current one)
>
> The main problem here was the templating mechanism of FusionForge
> for the web server configuration files for Wald. Some early
> attempts to adjust this failed, and because our admin capacities
> were needed in other projects, we did not continue with this
> approach. It certainly is possible, but might be too
> time-consuming. If adjusting Wald fails, we could use a
> workaround: A simple proxy or TCP forwarder in front of Wald, but
> at that time, Wald was under heavy load and we did not want to add
> extra overhead for a workaround. Since then we upgraded to more
> powerful hardware, so this might be a possibility for the future.
>
> * Why don't we simply use SNI to present different certificates?
>
> 1. Same reasons as above: We need to adjust the FusionForge
> templating or add a proxy/forwarder as a workaround.
> 2. SNI has only very recently become supported by most browsers
> and there is still some software that does not support SNI:
> - Internet Explorer on Windows XP (should not be relevant
> anymore, but unfortunately it is)
> - older wget (as included in the still supported Debian wheezy)
> - Python before 2.7.9 (again Debian wheezy)
> - Mercurial before version 3.3 (Debian jessie has 3.1.2)
> - Java 6 (even at the current patch level)
> - Not sure if Android 2.x still counts, but I mention it for
> completeness
>
> I want to use SNI in the future, but I assume this still has to
> wait a bit for getting Windows XP with IE usage below 1% and
> maybe even Debian jessie becoming oldstable.
>
>
> = The proposed next step for gpg4win =
>
> My plan is to buy a certificate with the following SAN entries:
>
> www.gpg4win.org (main address)
> www.gpg4win.de
> gpg4win.org
> gpg4win.de
> files.gpg4win.org
> files.gpg4win.de
>
> With a lifetime of three years, this will cost us 640€ for a
> certificate from GeoTrust (see below for why we use GeoTrust).
>
> The certificate will be installed on the server that currently hosts
> files.gpg4win.org, so downloads from there will immediately become
> trusted without importing Intevation's CA.
>
> I will upgrade the server so it can offer TLS1.2, like Wald already
> does.
>
> As the content of www.gpg4win.org is generated into static files,
> moving the gpg4win website to this server is easy. Updating the
> website can be done by the same people who can publish new releases,
> but others can be added if needed, too.
>
> If there are no objections, I can start with this.
>
>
> = Future steps =
>
> The mailing lists are currently hosted on Wald. As most mails sent
> to and received from the list are transferred via unprotected SMTP
> connections, having SSL would be nice (especially for the Mailman
> web interface), but is less important than website and downloads.
>
> A possible solution could be to move the mailing lists to
> lists.gnupg.org, which already provides a certificate signed by a CA
> known to modern browsers.
>
> But this would not solve secure access to the web forums on Wald and
> most solutions for the forums would also provide a solution for the
> mailing list.
>
> I assume the most appropriate solution would be to buy a wildcard
> certificate for Wald, which would cost 1380€ for three years for the
> certificate and the additional required IPv4 IP, and solve or
> work around the FusionForge templating mechanism.
>
>
> = Comments on alternative CAs =
>
> Yes, there are cheaper CAs than GeoTrust, but it has some benefits
> that others can't offer us:
>
> - It is a well-known CA that is accepted by all relevant browsers
> and other https clients.
> - A German reseller that sends us a single invoice for all
> certificates we have bought, so our accounting does not run into
> issues or has to pay a separate invoice for each certificate.
> Despite having our own CA, we have bought many certificates for
> customers and some of our other servers.
> - Because of this it can't happen that our credit card gets charged
> beyond the monthly limit and will leave our CEO stranded somewhere :)
> - If things go wrong, we can call a real human!
> - We can buy certificates for domains or subdomains that we do not
> own. This applies to the gpg4win domains, too. GeoTrust will
> contact the owner and ask for permission.
> - It is not Comodo, see e.g.
> https://en.wikipedia.org/wiki/Comodo_Group#Certificate_hacking
> so it is less likely that your sysadmin has marked it as
> untrusted.
> - It is still cheaper than some other CAs which offer a similar
> level of quality.
>
>
> Whew! That was long. Thanks for reading (or skimming). Feel free to
> contact me via this list (I subscribed some weeks ago) if you have
> questions or comments.
>
> Regards,
> Thomas Arendsen Hein
>
Hi Thomas,
This is great news! Thanks for updating the community on these important
steps, looking forward to the website and downloads having this new cert.
Michael
--
Michael Carbone
Manager of Security Education
Digital Security Helpline
Access | https://www.accessnow.org
GPG fingerprint: 2DBE 2014 E7B0 0730 303D 7AAB 99AB 0624 6EEB F5A8
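Thomas's plan above hinges on two certificate details: which hostnames a given SAN list actually covers (why the Wald certificate needs both `wald.intevation.org` and `*.wald.intevation.org`, and why the gpg4win certificate lists bare and `www.` names separately), and whether a client sends SNI so the server can pick the right certificate. The following is an added example, not code from the thread or from Intevation; the SAN lists are constructed to mirror the entries discussed and are not the real certificates' contents. The hostname matching follows the RFC 6125 rule that a wildcard may only be the whole leftmost label and matches exactly one label; `fetch_san_entries` is the one function that needs network access and is not exercised by the offline demo.

```python
import socket
import ssl

# Constructed SAN lists, modelled on the two certificates discussed in the
# thread. They are illustrations, not the actual certificate contents.
GPG4WIN_SANS = [
    ("DNS", "www.gpg4win.org"),
    ("DNS", "www.gpg4win.de"),
    ("DNS", "gpg4win.org"),
    ("DNS", "gpg4win.de"),
    ("DNS", "files.gpg4win.org"),
    ("DNS", "files.gpg4win.de"),
]
WALD_SANS = [
    ("DNS", "wald.intevation.org"),
    ("DNS", "*.wald.intevation.org"),
]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName matching: case-insensitive, '*' allowed only as
    the entire leftmost label, and the wildcard covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ("f*.example"), wildcards in later labels,
    # and overly broad patterns such as "*.org".
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    # One label only: "*.wald.intevation.org" does not cover
    # "wald.intevation.org" itself, nor "a.b.wald.intevation.org".
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(san_entries, hostname: str) -> bool:
    """True if any DNS SAN entry matches the hostname."""
    return any(kind == "DNS" and dns_name_matches(name, hostname)
               for kind, name in san_entries)


def coverage_report(san_entries, hostnames):
    """Map each hostname to whether the SAN list would cover it."""
    return {h: cert_covers(san_entries, h) for h in hostnames}


def fetch_san_entries(hostname: str, port: int = 443, timeout: float = 10.0):
    """Connect with SNI (server_hostname) and return the presented
    certificate's subjectAltName entries as (type, value) pairs.
    Requires network access; the offline demo below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return list(tls.getpeercert().get("subjectAltName", ()))


if __name__ == "__main__":
    # Whether this Python build's client side sends SNI at all
    # (Python before 2.7.9, as mentioned in the thread, would not).
    print("client sends SNI:", ssl.HAS_SNI)
    checks = {
        "gpg4win cert": (GPG4WIN_SANS, ["gpg4win.org", "www.gpg4win.de",
                                         "files.gpg4win.org", "lists.gpg4win.org"]),
        "wald cert": (WALD_SANS, ["wald.intevation.org", "gpg4win.wald.intevation.org",
                                   "a.b.wald.intevation.org"]),
    }
    for label, (sans, hosts) in checks.items():
        for host, ok in coverage_report(sans, hosts).items():
            print(f"{label}: {host:32} {'covered' if ok else 'NOT covered'}")
```

The demo shows why the bare domain and the wildcard are separate SAN entries, and that a hostname outside the listed names (a constructed `lists.gpg4win.org`) would not be covered by the planned certificate.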