Switch the SSL cert used by clueless to one signed by startssl (or other)

As per http://ideas.aaisp.net.uk/?ia=17940 which suggests a paid-for SSL certificate, certificates from http://www.startssl.com/ are far more widely accepted than those signed by cacert.com (see http://en.wikipedia.org/wiki/Startssl#Trustedness for more detail) and are equally free of financial cost.

While adding a per-cert exception for the current certificate is easy in most browsers, that doesn't help people behind proxies that may completely block responses covered by certificates signed by CAs not on their list and a certificate from a source trusted by the OS/browser is technically more secure.

Dave , 15.11.2011, 14:16

Idea status: completed

Comments

Simon Arlott, 16.11.2011, 05:44

Instead of doing this (because the vast number of CAs are becoming a security problem), implement support for DNSSEC so that you're ready for TLSA as soon as it becomes available.

aaisp, 11.01.2013, 14:47

Clueless (the control/ordering system) now has a non-cacert certificate.

We have an on going project which is looking at how we support dnssec - our customer facing resolvers do DNSSEC validation already.

Without registration

Name		Required
e-mail		Required

Login		Use 3 to 18 characters, Latin characters or numbers	This login is not availableThis login is available
e-mail
Password		Use 3 to 18 characters, Latin characters or numbers
Re-type password
	Remember me

	Sign up

Login
Password		Forgot your password?
	Remember me


E-mail

Switch the SSL cert used by clueless to one signed by startssl (or other)

Comments

Leave a comment