Setting up SSL on my server
This website now has a valid Class 1 SSL Certificate! And it came at no monetary cost to me, thanks to www.startssl.com. StartSSL gives away free Class 1 certificates to anyone who wants one and can prove ownership of a domain.
This wouldn't be a big deal in and of itself, as you can easily create your own certificate authority, site cert, and private key.
The reason it matters is that, unlike a certificate you sign yourself, StartSSL is a Certificate Authority (CA) trusted by all major browsers. So when a user browses to your site, the connection is encrypted transparently, with no warning.
If you simply use a certificate you signed yourself, every user sees a trust warning and has to accept the possible security problem by hand. Not only does that require users to know how to do so, it also trains them to disregard a possible man-in-the-middle attack, since the exact same warning appears when an attacker presents their own forged certificate for your site.
StartSSL verifies ownership of a domain by sending an email to postmaster@yourdomain.com. Without that check, anyone could request a certificate for any website and perform their own man-in-the-middle attack without anyone knowing (that is, until one of the billion internet users noticed and caused an uproar that got StartSSL removed as a trusted CA).
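As an added illustration (not code from the original post), the following shell script builds a throwaway private CA with openssl, issues a leaf certificate for the placeholder hostname www.example.test, and runs the two checks a browser makes before showing a padlock: does the chain end in a CA it trusts, and does the name match? The CA name, hostname and file names are all assumptions made here.

```shell
# Added example, not from the original post: a throwaway private CA, a leaf
# certificate for an assumed placeholder hostname, and the checks a client runs.
set -e
WORK="$(mktemp -d)"
HOST="www.example.test"   # assumed placeholder, not a real domain
# Minimal config so the script does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/leaf.ext"

# 1. Private root CA, standing in for a CA the browser already trusts.
openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
  -subj "/CN=Demo Root CA" -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# 2. Leaf certificate for HOST signed by that CA (what a real CA issues
#    after it has validated that you control the domain).
openssl req -new -config "$WORK/openssl.cnf" -subj "/CN=$HOST" \
  -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -sha256 -days 30 -extfile "$WORK/leaf.ext" \
  -out "$WORK/leaf.pem" 2>/dev/null
# 3. Self-signed certificate for the same HOST: what "use your own
#    certificate" gives you, and what anyone else could produce just as easily.
openssl req -x509 -config "$WORK/openssl.cnf" -subj "/CN=$HOST" \
  -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null

# check_cert CERT CAFILE HOSTNAME: the chain must end in a trusted CA and the
# name must match, the same two checks a browser makes before showing a padlock.
check_cert() {
  if openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}
chain_trusted()  { check_cert "$WORK/leaf.pem" "$WORK/ca.pem" "$HOST"; }
self_signed()    { check_cert "$WORK/self.pem" "$WORK/ca.pem" "$HOST"; }
wrong_hostname() { check_cert "$WORK/leaf.pem" "$WORK/ca.pem" "other.example.test"; }

echo "CA-signed, right host: $(chain_trusted)"   # OK
echo "self-signed:           $(self_signed)"     # FAIL, no trusted chain
echo "CA-signed, wrong host: $(wrong_hostname)"  # FAIL, issued for another name
```

Swap `"$WORK/ca.pem"` for your system trust store (for example `/etc/ssl/certs/ca-certificates.crt` on Debian-based systems) and the same check tells you whether a real server certificate would pass in a browser.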
So why did I get a security certificate? Mainly because I could. I certainly don't plan on selling anything, and as of now I don't have any logins for users (other than myself). But it is fun knowing that I can browse to my brand new domain, hosted on my very own, self-managed VPS, and see an encrypted page with no security warning. It may be peanuts to a seasoned admin, but I'm having fun building my very own website and server from scratch.
Comments
Biff Martin
Sat, 09/09/2017 - 20:39
You pooped in your own pool
You killed off StartCOM CA, so now you have to pay for your own certs.
Anonymous
Sat, 12/02/2017 - 09:05
Or simply use LetsEncrypt