
13 June 2013

Secure webserver on the cheap: free SSL certificates

Setting up an honest, fully-certified secure web server (i.e. https) on the cheap can be tricky, mainly due to certificates. Certificates are only issued to folks who can prove they are who they say they are. This verification generally takes time and energy, and therefore money. But the great folks at https://www.startssl.com/ have an automated system that verifies identity and automatically issues the associated SSL certificates for free.

Validating an email is easy enough, but validating a domain is trickier -- it requires a receiving mailserver that startssl can mail a verification code to. Inbound port 25 (mail server) is blocked by my ISP, the University of New Mexico (and honestly, I'd rather not run an inbound mail server).

I manage my personal domain through http://freedns.afraid.org/. They provide full DNS management, as well as some great dynamic DNS tools. They're wonderful. But they don't provide any fine-grained email management, just MX records and the like.

The perfect companion to afraid.org is https://www.e4ward.com/. They have mail servers that will conditionally accept mail for specific addresses at a personal domain, and forward that mail to an email account. This lets me route specific addresses @mydomain.com, things like postmaster@mydomain.com, to my personal gmail account. E4ward is a real class-act. They manually moderate/approve new accounts, so there's a bit of time lag. To add a domain, they also require proof of control via a TXT record (done through afraid.org).

This whole setup allowed me to prove to startssl.com that I owned my domain, without running a mail server or paying for anything other than the domain. The result is my own SSL certificates. I'm running a Pylons webapp with apache2 and mod_wsgi. In combination with Python's repoze.what, I get secure user authentication over https without any snakeoil.

Hat-tip to this writeup, which introduced me to e4ward.com and their mail servers.

Finally, there are a number of online tools to query domains. dnsstuff.com was one of the better ones I found. It takes longer to load, but gives a detailed report of domain configuration, along with suggestions. A nice tool to verify that everything is working as expected.
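Because the certificate is issued to whoever receives mail for the domain, the MX and TXT records are worth checking before requesting validation. The sketch below is an added example, not part of the original post: it parses `dig +noall +answer`-style output and flags records that would break the setup or let an unexpected host receive the verification code. The domain, forwarder suffix and TXT token are constructed placeholders, not values used by afraid.org, e4ward.com or StartSSL.

```python
# Constructed sample of `dig +noall +answer` output (placeholder names and token).
SAMPLE_ANSWERS = """\
example.org.   3600 IN MX  10 mx1.forwarder.example.
example.org.   3600 IN MX  20 mx2.forwarder.example.
example.org.   3600 IN TXT "forwarder-verify=PLACEHOLDER-TOKEN"
example.org.   3600 IN A   192.0.2.10
"""

def parse_answers(text):
    """Return (sorted MX list of (pref, host), TXT values) from dig-style lines."""
    mx, txt = [], []
    for line in text.splitlines():
        parts = line.split(None, 4)          # name, ttl, class, type, rdata
        if len(parts) < 5 or parts[2] != "IN":
            continue
        rtype, rdata = parts[3], parts[4]
        if rtype == "MX":
            pref, host = rdata.split()
            mx.append((int(pref), host.rstrip(".").lower()))
        elif rtype == "TXT":
            txt.append(rdata.strip().strip('"'))
    return sorted(mx), txt

def check_validation_setup(text, domain, forwarder_suffix, proof_token):
    """List problems that would break, or misroute, mail-based domain validation."""
    mx, txt = parse_answers(text)
    problems = []
    if not mx:
        problems.append("no MX record: validation mail has nowhere to go")
    for _, host in mx:
        if host == domain or host.endswith("." + domain):
            # Mail would be delivered to our own network, which needs inbound port 25.
            problems.append(f"MX {host} is inside {domain}: needs inbound port 25")
        elif not host.endswith("." + forwarder_suffix):
            # Any host listed as MX can receive the verification code.
            problems.append(f"MX {host} is not the expected forwarder")
    if proof_token not in txt:
        problems.append("proof-of-control TXT record missing")
    return problems

if __name__ == "__main__":
    issues = check_validation_setup(SAMPLE_ANSWERS, "example.org",
                                    "forwarder.example",
                                    "forwarder-verify=PLACEHOLDER-TOKEN")
    print(issues or "MX and TXT records look consistent")
```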


5 comments:

  1. I like StartSSL a lot. They're by far the least oily of the snakeoil resellers. Personal identity validation can be difficult if you don't fit a 95% profile (e.g. can't send them a phone bill), and they're not very open about what their validation entails, but since they take snakeoil seriously I can appreciate that somewhat. And if snakeoil is ever going to be legit, someone needs to take it seriously in the way that StartSSL does, instead of in the way that Verisign does.

    I actually enjoy running mail and DNS, but lately I've been using Amazon AWS Route53 for the latter. Like. Seems like it would handily address this problem.

    Replies
    1. I admit, I'm a little terrified of running a DNS, due to complexity & vulnerability issues. I'm a big fan of AWS in general, but I haven't kept up with it lately, and Route53 is new to me (and looks interesting). Based on a quick look, it seems like the cost per month is a little non-trivial (e.g. constantly running instance)?

      I think it's fair to say that StartSSL certificates aren't snakeoil at all. They're very clear on exactly what sort of validation is used for which steps. Of course, control-of-domain & control-of-email-address isn't very high-level validation. But we've seen examples of how even higher levels of validation can be spoofed (or bypassed)...

      Thanks for the comment!

    2. I found it very difficult to order at StartSSL - and finally gave it up. Personally, I also would not use StartSSL for commercial purposes (e.g. a webshop) but rather go with one of the well-known brands (GeoTrust, Thawte).

      Domain validated SSL certificates are quite cheap if you buy via a reseller - e.g. around US$ 10 for a RapidSSL certificate from https://www.sslpoint.com

  2. I should qualify my remarks about "snakeoil". I think most PKI is superficial and doesn't provide real value above what self-signing would provide. It's the trust factor that I find sketchy, for most purposes. But if more vendors worked the way StartSSL does, and were as reasonable, the whole business would be a lot more legit and I'd have little interest in complaining about it. It's a dirty industry, but StartSSL could change that with enough market share, and I encourage everyone to use them who needs paid-for certs.

    Cost to run your own BIND (or TinyDNS, etc) in EC2 would be a pretty penny, but Route53 gives you a decent interface to manage your zone, and costs regular people about $1/mo - you're just riding on their DNS infrastructure instead of renting a VM (as with EC2). It's $0.50/mo just to have your first 25 domains, and another $0.50/mo per million queries. Most domains don't generate a million queries per month to DNS, so for folks like us it's basically a buck a month for a highly resilient, easy to manage DNS.

    For my own amusement I've been writing tools to the Route53 API so I can manage zones from the command line, but the web UI is pretty good.

  3. I agree, for a free SSL certificate StartSSL is good, but when we want to increase the web security we have to purchase an SSL certificate from the trusted certification authorities. And I agree with the above comments on reseller prices. Resellers are selling SSL certificates cheaper than the brand itself. I also found one such reseller who sold a cheap RapidSSL certificate at a dirt-cheap price, something around $6/yr. Yeah, I was also surprised when I saw it at https://cheapsslsecurity.com/rapidssl/rapidsslcertificate.html
