
I am in the process of upgrading my personal/business web server to use SSL. In the setup process I am being asked whether to use domainname or www.domainname . I can see benefits of both and thus I can see that whichever one I choose will have downsides for the other. Just wiped out a discussion paragraph arguing with myself the pros and cons... Any thoughts on which way to go? { quote from request: Your SSL certificate will be ordered with and will work only with the hostname which you provide to us, it is not a wildcard certificate. For example if you ask us to make the certificate for https://www.yourdomainname.com , your SSL will not work when you use https://yourdomainname.com and vice versa. Please make sure you provide us with the correct hostname for your certificate! } Cheers Mike

MikeH via luv-talk <luv-talk@luv.asn.au> wrote:
Any thoughts on which way to go?
Two suggestions: 1. I think you can specify multiple domains in the relevant field of your X.509 certificate, but I would need to look up the details. 2. Wildcard domains are also available, as in *.example.org, which match subdomains. I think the first option would be better as it allows only the exact domains that you specify.
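The difference between the two suggestions, and the vendor's warning in the original question, comes down to the client-side matching rule for the DNS names in a certificate. The following is an added example (not code from the thread or from any library mentioned in it) that reimplements that rule for the three options: a single name, a Subject Alternative Name list holding both names, and a wildcard. The name lists and hostnames are constructed for the example.

```python
"""Hostname matching against the DNS names in an X.509 certificate.

Added example, not from the luv-talk thread. It implements the usual
client-side rule (RFC 6125 style, as browsers apply it) so the effect
of each certificate choice can be checked without a real certificate.
All certificate name lists below are constructed for illustration.
"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    # Only a whole-label wildcard ("*") is honoured; a partial wildcard
    # such as "w*" is treated literally, which is the conservative choice.
    if pattern_label == "*":
        return True
    return pattern_label == host_label


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True if cert_name (one dNSName SAN entry) covers hostname."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "*" in cert_name:
        # A wildcard is only allowed in the left-most label, and at least
        # two literal labels must remain, so "*.com" is never accepted.
        if cert_labels[0] != "*" or any("*" in lab for lab in cert_labels[1:]):
            return False
        if len(cert_labels) < 3:
            return False
    # A wildcard matches exactly one label, so label counts must be equal.
    # This is why "*.example.com" does not cover "example.com" itself.
    if len(cert_labels) != len(host_labels):
        return False
    return all(_label_matches(c, h) for c, h in zip(cert_labels, host_labels))


def cert_covers(san_names, hostname: str) -> bool:
    """True if any dNSName entry of the certificate covers hostname."""
    return any(hostname_matches(name, hostname) for name in san_names)


# Constructed SAN lists for the three options discussed in the thread.
SINGLE_NAME = ["www.example.com"]                 # the one-hostname product
BOTH_NAMES = ["example.com", "www.example.com"]   # SAN with both names
WILDCARD = ["*.example.com"]                      # wildcard certificate

HOSTS = ("example.com", "www.example.com", "mail.example.com", "a.b.example.com")


def coverage_table(hosts=HOSTS):
    """Return {option: {hostname: covered}} for the three constructed certs."""
    options = {"single": SINGLE_NAME, "both": BOTH_NAMES, "wildcard": WILDCARD}
    return {opt: {h: cert_covers(names, h) for h in hosts}
            for opt, names in options.items()}


if __name__ == "__main__":
    for option, row in coverage_table().items():
        print(f"{option:9s}", row)
```

Running it shows the point of the first suggestion: the SAN list covers exactly the two names and nothing else, while the wildcard covers every single-label subdomain but not the bare `example.com`, and the single-name certificate covers only the name it was issued for.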

I had already purchased the facility and now can see that they only allow one domain. In which case I think I'll go without the WWW at the moment and see what happens. I have been experimenting with list-servers as they are built in and paid for, but I had overlooked them before. On 31/05/16 08:15, Jason White via luv-talk wrote:
MikeH via luv-talk <luv-talk@luv.asn.au> wrote:
Any thoughts on which way to go?
Two suggestions:
1. I think you can specify multiple domains in the relevant field of your X.509 certificate, but I would need to look up the details.
2. Wildcard domains are also available, as in *.example.org, which match subdomains.
I think the first option would be better as it allows only the exact domains that you specify.
_______________________________________________ luv-talk mailing list luv-talk@luv.asn.au https://lists.luv.asn.au/cgi-bin/mailman/listinfo/luv-talk

On Thu, 2 Jun 2016 03:33:10 PM MikeH via luv-talk wrote:
I had already purchased the facility and now can see that they only allow one domain. In which case I think I'll go without the WWW at the moment and see what happens.
They usually only allow one DNS name so they can make you pay more for a second or for a wildcard certificate. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/

Russell Coker via luv-talk <luv-talk@luv.asn.au> wrote:
They usually only allow one DNS name so they can make you pay more for a second or for a wildcard certificate.
That's why letsencrypt.org and similar initiatives are long overdue and also valuable. I would only pay for a certificate that had a real identity verification service behind it (requiring, e.g., presentation of government-approved ID).

I submitted the request last night. Maybe it takes a few days to activate. Big thanks for mentioning the letsencrypt.org website. I have been interested in this sort of thing for a while and attended a few talks about this. There seems to be a lot of white-magic meaning lots of people with different terms and views. Practical demos and experience are the sort of thing that help me most with accompanying diagrams - the links on the above website are useful and informative. It is a large project with quite a steep learning curve ... I'll share my experience when it happens. There is a parallel with email encryption - I have it on one of my addresses but the uptake is slow. I got part way through preparing a mini demo several months ago but ran out of steam. I use my website for sharing some ideas with selected groups and I have too many orphan pages (maybe at my vintage I have too many identities...) On 03/06/16 00:51, Jason White via luv-talk wrote:
Russell Coker via luv-talk <luv-talk@luv.asn.au> wrote:
They usually only allow one DNS name so they can make you pay more for a second or for a wildcard certificate.
That's why letsencrypt.org and similar initiatives are long overdue and also valuable.
I would only pay for a certificate that had a real identity verification service behind it (requiring, e.g., presentation of government-approved ID).

On Fri, 3 Jun 2016 08:43:24 AM MikeH via luv-talk wrote:
I submitted the request last night. Maybe it takes a few days to activate. Big thanks for mentioning the letsencrypt.org website. I have been interested in this sort of thing for a while and attended a few talks about this. There seems to be a lot of white-magic meaning lots of people with different terms and views. Practical demos and experience are the sort of thing that help me most with accompanying diagrams - the links on the above website are useful and informative.
At the last committee meeting we discussed some changes to the Beginners' SIG that you may appreciate (I'll let Andrew announce the details). At the next Beginners' SIG someone could help you set up letsencrypt. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/

Jason White via luv-talk wrote:
Russell Coker via luv-talk <luv-talk@luv.asn.au> wrote:
They usually only allow one DNS name so they can make you pay more for a second or for a wildcard certificate.
That's why letsencrypt.org and similar initiatives are long overdue and also valuable.
I would only pay for a certificate that had a real identity verification service behind it (requiring, e.g., presentation of government-approved ID).
Obligatory TOFU advocacy linkspam: https://blogs.fsfe.org/jens.lechtenboerger/2014/04/05/certificate-pinning-fo... https://blogs.fsfe.org/jens.lechtenboerger/2014/03/23/certificate-pinning-fo... https://blogs.fsfe.org/jens.lechtenboerger/2014/03/10/certificate-pinning-wi... http://ssrn.com/abstract=2249042

On Tue, 31 May 2016 07:47:12 AM MikeH via luv-talk wrote:
I am in the process of upgrading my personal/business web server to use SSL. In the setup process I am being asked whether to use domainname or www.domainname . I can see benefits of both and thus I can see that whichever one I choose will have downsides for the other.
Letsencrypt allows you to use both in the same certificate. Get SSL certificates for both and use a HTTP redirect from one of them to the other. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
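The redirect Russell describes, as an added example that is not part of the thread: a small WSGI wrapper for a site whose one certificate carries both `example.com` and `www.example.com`. The hostnames, the choice of `www` as the canonical name and the inner application are assumptions for the example. The allow-list of served hosts is the security-relevant detail: the redirect target is taken from a fixed constant, never from the incoming Host header, so a forged Host cannot turn the redirect into a hop to an arbitrary site.

```python
"""Canonical-host HTTPS redirect for a site with a certificate covering
both example.com and www.example.com.

Added example, not from the luv-talk thread. Hostnames and the canonical
choice (www) are assumptions; TLS termination for both names is assumed
to happen in front of or inside the WSGI server.
"""
from urllib.parse import quote

CANONICAL_HOST = "www.example.com"                      # assumed choice
SERVED_HOSTS = {"example.com", "www.example.com"}      # names in the cert


def redirect_target(environ):
    """Return the canonical HTTPS URL for a request, or None if the
    request is already canonical (HTTPS on CANONICAL_HOST) or is for a
    host this site does not serve at all."""
    host = environ.get("HTTP_HOST", "").split(":")[0].lower()
    scheme = environ.get("wsgi.url_scheme", "http")
    if host not in SERVED_HOSTS:
        # Unknown Host header: do not redirect to it; let the inner app
        # answer (typically 404 or 421 Misdirected Request).
        return None
    if scheme == "https" and host == CANONICAL_HOST:
        return None
    path = quote(environ.get("PATH_INFO", "/") or "/")
    # QUERY_STRING is already URL-encoded in WSGI; strip CR/LF defensively
    # so nothing can break out of the Location header.
    query = environ.get("QUERY_STRING", "").replace("\r", "").replace("\n", "")
    return f"https://{CANONICAL_HOST}{path}" + (f"?{query}" if query else "")


def make_app(inner_app):
    """Wrap inner_app so non-canonical requests get a 301 to the canonical URL."""
    def app(environ, start_response):
        target = redirect_target(environ)
        if target is None:
            return inner_app(environ, start_response)
        start_response("301 Moved Permanently",
                       [("Location", target), ("Content-Length", "0")])
        return [b""]
    return app


def hello_app(environ, start_response):
    # Placeholder inner application for the example.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"canonical site\n"]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Plain HTTP on localhost for a quick manual check; every request to
    # http://localhost:8080/ is answered with a 301 to the HTTPS canonical name.
    make_server("127.0.0.1", 8080, make_app(hello_app)).serve_forever()
```

Because the redirect sends clients to the canonical name over HTTPS, the certificate still has to cover the non-canonical name (both names in the SAN list): the first request to `https://example.com/` is a TLS handshake for `example.com`, and the browser checks that name before it ever sees the redirect.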

Hi, CA / PKI is completely broken; if you cannot run your own CA and apply it to all affected machines, then you are better off using letsencrypt. Now, given that many browsers get quite nasty with self-signed certificates, it is becoming less easy to use self-signed certs (even just for yourself). You can have up to 100 domains (including sub-domains) in the one certificate with letsencrypt. The domains included in a single cert can also be completely non-related to each other, but I prefer to keep them related myself (at least in some way). Certificates don't live for as long as a bought one, but that is actually a bonus. You can automatically schedule updates, but I prefer to do so manually. https://letsencrypt.org There are lots of guides available on the Internet. I use certificates for lots of domains and some of those being used for both web and email servers. I also now have a cert for my ejabberd setup, although Pidgin on Winblows doesn't have all the right upstream CAs that browsers do and therefore it fails to follow the chain fully and properly; therefore can't properly fully verify my cert by itself (I can verify it though myself). Anywhere that you might need a cert, you can almost certainly use one from letsencrypt. Michael wants me to do a talk at MLUG, but I'm not ready and I've got too many other things that I have to deal with. Perhaps I will end up doing a talk and sharing my scripts and methods for others. Kind Regards AndrewM

The purchased setup is complete. I now know about https://www.sslshopper.com/ I have been comparing : <domain-name> http://<domain-name> https://<domain-name> for a few known sites. There are some interesting differences. You mention Michael and MLUG - I have heard of MLUG. On 04/06/16 12:47, Andrew McGlashan via luv-talk wrote:
Hi,
CA / PKI is completely broken; if you cannot run your own CA and apply it to all affected machines, then you are better off using letsencrypt. Now, given that many browsers get quite nasty with self-signed certificates, it is becoming less easy to use self-signed certs (even just for yourself).
You can have up to 100 domains (including sub-domains) in the one certificate with letsencrypt. The domains included in a single cert can also be completely non-related to each other, but I prefer to keep them related myself (at least in some way). Certificates don't live for as long as a bought one, but that is actually a bonus. You can automatically schedule updates, but I prefer to do so manually.
There are lots of guides available on the Internet.
I use certificates for lots of domains and some of those being used for both web and email servers. I also now have a cert for my ejabberd setup, although Pidgin on Winblows doesn't have all the right upstream CAs that browsers do and therefore it fails to follow the chain fully and properly; therefore can't properly fully verify my cert by itself (I can verify it though myself). Anywhere that you might need a cert, you can almost certainly use one from letsencrypt.
Michael wants me to do a talk at MLUG, but I'm not ready and I've got too many other things that I have to deal with. Perhaps I will end up doing a talk and sharing my scripts and methods for others.
Kind Regards AndrewM

Andrew McGlashan via luv-talk wrote:
You can have up to 100 domains (including sub-domains) in the one certificate with letsencrypt.
FYI, IE7 only allows 9 dns_name attributes. Not sure about newer versions. Last tested 2011-04-28.
Anywhere that you might need a cert, you can almost certainly use one from letsencrypt.
Not for me; my servers are airgapped and letsencrypt design assumes the signing server is always reachable. :-)

On Mon, 6 Jun 2016 12:07:44 PM Trent W. Buck via luv-talk wrote:
You can have up to 100 domains (including sub-domains) in the one certificate with letsencrypt.
FYI, IE7 only allows 9 dns_name attributes. Not sure about newer versions. Last tested 2011-04-28.
IE7 is 10 years old, IE8 is 7 years old. https://etbe.coker.com.au/2016/02/02/compatibility-community-server/ Previously we had a discussion on the LUV lists about SSL compatibility and I also wrote a blog post on the topic. I was deciding whether it's worth supporting IE10 (which was 3 years old at the time) or whether it was reasonable to compel the use of IE11 (2 years old at the time). I don't think it's reasonable to support IE7 nowadays. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/

Hi, On 6/06/2016 12:07 PM, Trent W. Buck via luv-talk wrote:
FYI, IE7 only allows 9 dns_name attributes. Not sure about newer versions. Last tested 2011-04-28.
Seriously? No-one in their right mind who knows anything about security and Winblows would ever use IE without extreme care and usually not for anything else but to download a different browser; too many choose the spy version in Chrome, not enough choose the privacy browser in Firefox -- of course there are other options, but IE is NOT one that should be used unless it is absolutely necessary and then it is painful for those that know. Every single month (almost if not), M$ has security updates for serious critical vulnerabilities; they are usually vuln' that would work on every current supported version of Windblows and versions that are no longer supported (the bad guys work out what has changed and the older versions are easily exploited). IE, like many programs / systems, has its own lifecycle for support purposes -- most versions are history. https://support.microsoft.com/en-us/lifecycle#gp/Microsoft-Internet-Explorer Oh and Edge was based on a point in time fork of the IE engine; so even though it has improvements, it has also seen security updates since release to patch critical vulnerabilities. The safest way to use IE is not to do so at all; have your download of Firefox available as an already downloaded installer for Winblows.... There are other reasons why SAN isn't applicable with older versions of Winblows too. XP doesn't support it from what I understand, but you aren't using XP are you? Surely. Cheers A.

Andrew McGlashan via luv-talk wrote:
Hi,
On 6/06/2016 12:07 PM, Trent W. Buck via luv-talk wrote:
FYI, IE7 only allows 9 dns_name attributes. Not sure about newer versions. Last tested 2011-04-28.
Seriously?
No-one in their right mind who knows anything about security and Winblows would ever use IE without extreme care and usually not for anything else but to download a different browser; too many choose the spy version in Chrome, not enough choose the privacy browser in Firefox
Actually whilst on the subject of browsers; what about Tor? It seems to take a bit of time setting up a path and you can forget about gmail etc. access, though Gumtree works OK. But the sooner sites, companies and government departments accept that there are many things "they don't need to know", the better (I think). regards Rohan McLeod

Hi, On 6/06/2016 1:36 PM, Rohan McLeod via luv-talk wrote:
Andrew McGlashan via luv-talk wrote:
On 6/06/2016 12:07 PM, Trent W. Buck via luv-talk wrote:
FYI, IE7 only allows 9 dns_name attributes. Not sure about newer versions. Last tested 2011-04-28.
Seriously?
No-one in their right mind who knows anything about security and Winblows would ever use IE without extreme care and usually not for anything else but to download a different browser; too many choose the spy version in Chrome, not enough choose the privacy browser in Firefox
Actually whilst on the subject of browsers; what about Tor?
Sure, and/or Firefox using Tor as the network with proxy settings; I do that normally -- fall back to Tor sometimes.
It seems to take a bit of time setting up a path and you can forget about gmail etc. access;
Well the biggest problem is Cloudflare, they screw up the experience in a major way claiming that there is virtually only bad traffic on the Tor network. Many websites are difficult to visit and I often abandon them in frustration, the websites lose visitors then too. Tor is not just for bad people, sure they exist there, but they do in every community.
though Gumtree works OK.
They have had login compromises this year, been hacked.... hope you are using a good password that is unique to the site and have since changed it.
But the sooner sites, companies and government departments accept that there are many things; "they don't need to know " the better (I think )
Yes, the tracking and surveillance are both way over the top and not useful or at all warranted. A.

Andrew McGlashan via luv-talk wrote:
_______________________________________________ luv-talk mailing list luv-talk@luv.asn.au https://lists.luv.asn.au/cgi-bin/mailman/listinfo/luv-talk
'By George' that was concise ! Rohan McLeod

Hi Rohan, On 10/06/2016 7:22 PM, Rohan McLeod via luv-talk wrote:
Andrew McGlashan via luv-talk wrote: 'By George' that was concise !
I didn't send a blank message, perhaps the archives will show it properly. Yep, looks good there: https://lists.luv.asn.au/pipermail/luv-talk/2016-June/003838.html Maybe your GPG changes are part of the problem.... I don't know. I won't sign this message, then it might help you see it if that is the problem. Kind Regards AndrewM

Andrew McGlashan via luv-talk wrote:
FYI, IE7 only allows 9 dns_name attributes. Not sure about newer versions. Last tested 2011-04-28.
Seriously?
Guys, I don't know the context in which you're using X.509. Maybe it's for a small business whose stupid customers actually use IE. You mentioned creating hundreds of dns_names in a single cert. I was simply pointing out that I TRIED THAT AND IT DIDN'T WORK due to limitations in the current IE at the time. If your users don't use IE, or IE fixed this problem, that's great, move on.

On 7/06/2016 12:03 PM, Trent W. Buck via luv-talk wrote:
You mentioned creating hundreds of dns_names in a single cert. I was simply pointing out that I TRIED THAT AND IT DIDN'T WORK due to limitations in the current IE at the time.
No, the limit for SANs is 100 I think, but then you need a modern browser of which IE7 is far from that. A.
participants (6): Andrew McGlashan, Jason White, MikeH, Rohan McLeod, Russell Coker, Trent W. Buck