[Nottingham] Free Libre encrypted connections (https) ?

Mike Cardwell nlug at lists.grepular.com
Wed Jan 20 22:32:32 UTC 2016


* on the Wed, Jan 20, 2016 at 12:57:46PM +0000, Andy Smith wrote:

>>> Rather than submit to the hegemony of the non-free closed (not always
>>> trustworthy) club of "certificate authorities", what freedom options do
>>> we have for encryptedly working with the main group of web browsers?
>> Well, there's letsencrypt. More than good enough for personal/project
>> use I'd say.
> 
> letsencrypt looks like the way forward for everyone right now.

+1 for letsencrypt. I shifted all of my websites over to them from
startssl a couple of months ago. They don't do wildcards or EV certs but
they will let you add lots of subjectAltNames. Check out the cert for my
site https://grepular.com and you'll see it supports 12 hostnames across
4 different domain names.

> There's also DANE, which is securing your DNS with DNSSEC and then
> putting the TLS data into the DNS, so is a means of eventually
> abolishing the CA cartel^Wmodel.
> 
>     https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
> 
> But that isn't really usable yet.

Install the Firefox addon from https://www.dnssec-validator.cz/ and visit
https://grepular.com and you'll see a nice little green box in your address
bar to let you know that the cert used matches the DANE/TLSA fingerprint
record I publish in the DNS (as long as you have DNSSEC support too).
I will admit that only a fraction of a fraction of a percent of web users
are affected by DANE/TLSA at this time though.
 
-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4
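
The TLSA check mentioned in the message above (a certificate matching the fingerprint record published in the DNS), as an added example that is not part of the original post and is not the poster's or the Firefox add-on's code. It compares an RFC 6698 TLSA record with one DER certificate, assuming the record was already DNSSEC-validated and applies to the presented certificate; all function names are illustrative and `sample_cert` builds a constructed, certificate-shaped input.

```python
import hashlib

def _tlv(tag, body):  # encode one DER element (lengths up to 65535 bytes)
    n = len(body)
    ln = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def _read(buf, off):
    """Return (tag, body_start, end) for the DER element starting at off."""
    tag, first, off = buf[off], buf[off + 1], off + 2
    length = first
    if first >= 0x80:                        # long form: next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length

def extract_spki(cert_der):
    """Return the full SubjectPublicKeyInfo TLV from an X.509 certificate."""
    _, body, _ = _read(cert_der, 0)          # Certificate
    _, pos, _ = _read(cert_der, body)        # tbsCertificate
    tag, _, end = _read(cert_der, pos)
    if tag == 0xA0:                          # optional [0] version field
        pos = end
    for _field in range(5):                  # serial, sigalg, issuer, validity, subject
        _, _, pos = _read(cert_der, pos)
    _, _, end = _read(cert_der, pos)
    return cert_der[pos:end]

HASH = {"1": hashlib.sha256, "2": hashlib.sha512}   # TLSA matching types 1 and 2

def tlsa_matches(rdata, cert_der):
    """Compare TLSA RDATA 'usage selector mtype hex' with one DER certificate.
    Assumption: DNSSEC validation happened upstream; usage is parsed, not enforced."""
    _usage, selector, mtype, hexdata = rdata.split(None, 3)
    if selector not in ("0", "1") or mtype not in ("0", "1", "2"):
        raise ValueError("unsupported TLSA selector or matching type")
    selected = cert_der if selector == "0" else extract_spki(cert_der)
    if mtype in HASH:                        # mtype 0 compares the raw bytes
        selected = HASH[mtype](selected).digest()
    return selected == bytes.fromhex(hexdata)

def sample_cert(key, serial=1):
    """Constructed, certificate-shaped DER skeleton for the demo; not a valid certificate."""
    seq = lambda *parts: _tlv(0x30, b"".join(parts))
    spki = seq(seq(), _tlv(0x03, b"\x00" + key))
    tbs = seq(_tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, bytes([serial])), *[seq()] * 4, spki)
    return seq(tbs, seq(), _tlv(0x03, b"\x00"))
```

With selector 1 the record pins the public key, so a renewed certificate that reuses the key still matches, while a selector 0 record has to be republished on every renewal.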