XTension build 943 version 8.9.1
ned+xtension at mrochek.com
Sun Sep 11 23:19:25 EDT 2016
> The problem is that setting up a signed certificate is just not easy.
That used to be true, but things have improved tremendously. These days the
prices and verification procedures are such that it should be possible to get
your own domain and associated signed certificate for around $20 a year.
> It’s not designed for our sort of situation. I’m experimenting with a $10 a
> year company now that I think will eventually work, but the process won’t be
> as automated as creating a self signed certificate. It will require steps like
> enabling the built in web server on MacOSX Server and putting a test file in
> there for the certificate company to hit and verify that you actually have
> access to the server dns name in question.
I've experimented with Let's Encrypt, which works this way, and found it to be
rubbish - and that's allowing for the fact that it gets you a certificate for
free.
Absent other considerations, I most certainly would not use a product that
works this way to get a certificate costing $20 when a Comodo PositiveSSL
certificate only costs $9/year. Moreover, the verification process for Comodo
certificates is email-based and trivial to execute.
I'm currently using such certificates for two different domains I serve with
MAMP PRO. The process of setting them up really could not have been much
simpler: Create the certificate request using openssl, fill in a web form to
buy the certificate, reply to an email, go get the cert, plop it in a file,
point the server at the file.
This isn't to say there can't be issues with inexpensive certificates, e.g.,
trying to handle multiple domains with a single email server, or even multiple
domains on a single web server with clients that don't support SNI. But unless
I'm missing something, your usage doesn't have these sorts of problems to deal
with.
> There is also the problem about the IP address that it’s linked to not
> changing. Again certs are only really meant for regular servers with static IP
> addresses and I’m not sure what will happen when our IP addresses change.
I assume you're talking about dynamic DNS. If so, I don't see the problem -
people use certificates with dynamic DNS all the time.
Generally speaking a certificate demonstrates some degree of authority over a
domain, completely independent of IP address.
> It may be time to start looking at an XTension cloud solution to all this
> garbage that would SSL tunnel through all this garbage or remote connections.
> Future versions of iOS will be refusing to allow apps that don’t support SSL
> at all.
If Apple is silly enough to actually make SSL a requirement on all connections
made by iOS apps it will be past time to dump iOS in favor of Android. (As it
stands I won't be upgrading my iPhone to a 7 or higher because I refuse to buy
a phone that doesn't have a built-in analog audio output. So my iPhone days are
numbered in any case.)
It's true that SSL/TLS answers a lot of security needs. But it does not and
cannot answer every security need, and anyone who claims it does is a fool.
> So I have no idea yet what the final solution to all this will be, but
> at the moment you cannot use Safari to watch saved off video clips over an
> https connection. All browsers work fine with a non-encrypted connection.
> Chrome and Firefox work fine with a self signed cert. There is nothing I can do
> about that in the very short term, though if the signed cert for $10 a year
> works out I will provide tools to ease that install but it’s still going to
> be a pain.
Unfortunately, this is far from the only problem with using self-signed
certificates. A good example of another problem is the arcane process needed to
install them permanently in some versions of IE.
The bottom line is that the security community has managed to gull enough
people into thinking that self-signed == bad in all cases that this is only
going to get worse over time.
The good news is that competition among certificate authorities has finally
driven the prices down to the point where most people can afford them and
the validation procedures aren't overly onerous.
The irony, of course, is that this means the actual protection offered by a
CA-signed certificate has also dropped significantly.
Ned
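An added example, not from Ned's mail and not XTension code: a POSIX shell script that performs the openssl steps Ned describes (generate a key and a certificate request listing the server's DNS names), checks the request before it goes into the CA's web form, and then illustrates two of the points in the thread using a self-signed certificate made from the same key: a certificate is matched against a hostname, never an IP address, and a self-signed certificate fails the trust-chain check that browsers perform. The hostnames, file names and scratch directory below are placeholders chosen for illustration; they do not come from the mail.

```shell
#!/bin/sh
# Added example (not XTension code): the openssl side of buying a cheap
# domain-validated certificate, plus two checks worth knowing about.
# All hostnames and file names are placeholders chosen for illustration.

# san_for NAME [NAME...]: build a subjectAltName value listing every hostname,
# so one certificate can cover several names on a single server.
san_for() {
  out=""
  for n in "$@"; do
    out="${out:+$out,}DNS:$n"
  done
  printf '%s' "$out"
}

# make_csr KEYFILE CSRFILE NAME [NAME...]: new RSA key plus a request for it.
# The CSR (never the key) is what gets pasted into the CA's order form.
make_csr() {
  key=$1; csr=$2; cn=$3
  shift 2
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
    -subj "/CN=$cn" -addext "subjectAltName=$(san_for "$@")" 2>/dev/null
}

# csr_verify CSRFILE: 0 if the request's self-signature checks out, i.e. it
# was produced by the holder of the private key and not altered afterwards.
csr_verify() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_names CSRFILE: print the DNS names the request asks for, one per line.
# Worth eyeballing before paying: the CA validates exactly these names.
csr_names() {
  openssl req -in "$1" -noout -text \
    | sed -n 's/^ *DNS:/DNS:/p' | tr ',' '\n' | sed 's/^ *DNS://'
}

# self_sign KEYFILE CERTFILE NAME [NAME...]: the self-signed alternative the
# thread is about; same key, same names, but no CA anywhere in the chain.
self_sign() {
  key=$1; cert=$2; cn=$3
  shift 2
  openssl req -x509 -new -key "$key" -days 30 -out "$cert" \
    -subj "/CN=$cn" -addext "subjectAltName=$(san_for "$@")" 2>/dev/null
}

# cert_matches CERTFILE HOSTNAME: 0 if the certificate is valid for that name.
# No IP address is involved anywhere: the binding is to the DNS name, which is
# why a changing (dynamic DNS) address does not invalidate the certificate.
cert_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# chain_ok CERTFILE: 0 only if the certificate chains to a CA in the local
# trust store. A self-signed certificate fails here; this is the check a
# browser (or an app using the system TLS stack) performs on every connection.
chain_ok() {
  openssl verify "$1" >/dev/null 2>&1
}
```

Run it with sh; it needs only openssl 1.1.1 or later (for `-addext`). Replace the `self_sign` step with the certificate the CA mails back, point the server at that file as Ned describes, and `chain_ok` should then succeed on the same hostnames that `cert_matches` already accepted.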