
[cobalt-security] Re: cobalt-security digest, Vol 1 #680 - 4 msgs



That seems to be a fair tradeoff.  If you want to have a cert from a
U.S. company that knows who you are beyond a shadow of a doubt before
issuing the cert, buy from Verisign, for somewhere around us$350 or so.
If you want to buy from a South African company that does less in the
way of due diligence and charges less, buy from Thawte for us$125.  If
you want to buy a GeoTrust cert from a company that verifies you can be
reached at your domain and that you have the rights to the domain as
enumerated in your registrar's whois database, buy from me for us$99
<smile>.

[ I thought Verisign owned Thawte - maybe I missed something way back ]

He says that GeoTrust sells wildcard certs on a per-server basis, but
hasn't given me a price on a cert good for 250 subdomains on one RaQ4; I
bet it's going to be over $400 that you can get from GeoTrust.

[ I called Geo Trust and the Wildcard is $500 not $400 and it is for
unlimited subdomains.  Just wanted to pass that on]


----- Original Message -----
From: <cobalt-security-request@xxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Thursday, February 21, 2002 2:22 PM
Subject: cobalt-security digest, Vol 1 #680 - 4 msgs


Send cobalt-security mailing list submissions to
cobalt-security@xxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
http://list.cobalt.com/mailman/listinfo/cobalt-security
or, via email, send a message with subject or body 'help' to
cobalt-security-request@xxxxxxxxxxxxxxx

You can reach the person managing the list at
cobalt-security-admin@xxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of cobalt-security digest..."


Today's Topics:

   1. Re: self signed certificate warnings (Jeff Lasman)
   2. Re: self signed certificate warnings (Jeff Lasman)
   3. Re: Securing Admin Pages (Jeff Lasman)
   4. Re: self signed certificate warnings (AYoung@Home)

--__--__--

Message: 1
Date: Thu, 21 Feb 2002 10:27:24 -0800
From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
Organization: nobaloney.net
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] self signed certificate warnings
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Eugene Crosser wrote:

> Usually you do not need a wildcard certificate.  This is not
> advertized, but browsers (most of them?) do a "suffix match"
> on the CNAME.  That is, purchase a certificate for "xyz.com",
> and use it on the servers abc.xyz.com, def.xyz.com,
> ghi.xyz.com - browsers will think that the name matches OK.

Eugene,

Please let us know which browsers do this; it's not enough to know that
"browsers" will break the rules when it comes to domain certification.

In fact it's dangerous behavior; I'd not want to use a browser that did
it.

> But I was talking about a *different* thing: that you can
> buy a certificate that entitles you as a ("local") CA,
> so that you can issue site certificates yourself.

That's a lot of money.  The last time I looked it was over us$10,000.

> I'd like to add that this whole CA business makes
> me uneasy.  Essentially, it is about making money out of
> thin air (noticeable income for a thing that requires near
> zero work).  As such, it inevitably attracts the lovers
> of easy money rather than trustworthy businesses.  Which
> defeats the whole idea of a CA as a 100% trusted entity.

When Verisign first went into the business they earned their money; they
went through a lot of hoops to make sure the company was who it says it
was.

Now Thawte does less and charges less.  GeoTrust does still less and
charges still less.

That seems to be a fair tradeoff.  If you want to have a cert from a
U.S. company that knows who you are beyond a shadow of a doubt before
issuing the cert, buy from Verisign, for somewhere around us$350 or so.
If you want to buy from a South African company that does less in the
way of due diligence and charges less, buy from Thawte for us$125.  If
you want to buy a GeoTrust cert from a company that verifies you can be
reached at your domain and that you have the rights to the domain as
enumerated in your registrar's whois database, buy from me for us$99
<smile>.

Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA  92517
voice: (909) 778-9980  *  fax: (702) 548-9484
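The "suffix match" claim in the quoted post, and Jeff's objection to it, come down to how a client compares the hostname it connected to against the name in the certificate. The following is an added example, not code from this thread or from any of the vendors mentioned; it implements the label-by-label rules browsers actually enforce (exact match, or a wildcard that stands for exactly one left-most label), and puts a plain string-suffix comparison beside them so the difference is visible. All hostnames used are constructed for illustration.

```python
"""Certificate-name vs hostname matching: strict (browser) rules beside a
naive suffix comparison.  Added example, not code from the original thread.
Hostnames below (xyz.com, abc.xyz.com, notxyz.com, ...) are constructed."""


def _labels(name: str) -> list[str]:
    # Case-insensitive, trailing dot ignored, split into DNS labels.
    return name.lower().rstrip(".").split(".")


def dns_name_matches(presented: str, hostname: str) -> bool:
    """True if `presented` (a dNSName or CN taken from a certificate)
    matches `hostname` under the rules of RFC 2818 / RFC 6125:

    - comparison is case-insensitive and label-by-label;
    - a wildcard is honoured only as the entire left-most label ("*.xyz.com");
    - the wildcard stands for exactly one label: "*.xyz.com" covers
      "abc.xyz.com" but neither "xyz.com" nor "a.b.xyz.com";
    - a wildcard needs at least two labels to its right, so "*.com" is refused.
    """
    p, h = _labels(presented), _labels(hostname)
    if "*" in presented:
        # The wildcard must be the whole first label; no other label may contain one.
        if p[0] != "*" or any("*" in lab for lab in p[1:]):
            return False
        if len(p) < 3:           # refuse "*.com"-style wildcards
            return False
        if len(h) != len(p):     # wildcard covers exactly one label
            return False
        return p[1:] == h[1:]
    return p == h


def naive_suffix_matches(presented: str, hostname: str) -> bool:
    """The 'suffix match' described in the quoted post, done as a plain
    string-suffix test.  Included only to make the risk concrete: it accepts
    every subdomain of the certified name, and, because it is not label
    aware, also accepts unrelated names that merely end in the same characters."""
    return hostname.lower().endswith(presented.lower())


def evaluate(presented: str, hostnames: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each hostname to (strict_result, naive_suffix_result)."""
    return {
        h: (dns_name_matches(presented, h), naive_suffix_matches(presented, h))
        for h in hostnames
    }


if __name__ == "__main__":
    hosts = ["xyz.com", "abc.xyz.com", "a.b.xyz.com", "notxyz.com"]
    for cert_name in ("xyz.com", "*.xyz.com"):
        print(f"certificate name {cert_name!r}:")
        for host, (strict, loose) in evaluate(cert_name, hosts).items():
            print(f"  {host:14} strict={strict!s:5} suffix={loose}")
```

Running it shows that a certificate for "xyz.com" is only good for "xyz.com" under the strict rules, that "*.xyz.com" is what covers "abc.xyz.com" (and still not "a.b.xyz.com"), and that the suffix comparison would also accept "notxyz.com", which is the kind of behaviour Jeff calls dangerous.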

--__--__--

Message: 2
Date: Thu, 21 Feb 2002 10:30:07 -0800
From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
Organization: nobaloney.net
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] self signed certificate warnings
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Matthew Nuzum wrote:

> Thanks, these are some good points.
> I am open to a wildcard cert for $400, and asked that if anyone had a
> recommendation, to give it.

Did you get the spam from the guy at Thawte who reads the list?  I've
written him back and asked him to prove his product is better.  He says
I can get Thawte certs for only a dollar more, but if I buy them for a
dollar more I couldn't sell them for the same, now could I <smile>.

He says that GeoTrust sells wildcard certs on a per-server basis, but
hasn't given me a price on a cert good for 250 subdomains on one RaQ4; I
bet it's going to be over $400 that you can get from GeoTrust.

> As far as this "local" ca is concerned, I am creating a somewhat "low
> end" solution here and simply want to avoid some of the error messages
> people are getting.

Exactly.  I've never run into a client that cares who the cert is issued
by as long as it works.

Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA  92517
voice: (909) 778-9980  *  fax: (702) 548-9484

--__--__--

Message: 3
Date: Thu, 21 Feb 2002 10:47:35 -0800
From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
Organization: nobaloney.net
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Securing Admin Pages
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Declan Caulfield wrote:

> However, this offers just a little more security, as if you sniff the
> admin password and use it to log in to the admin pages via HTTP:81 a
> would-be hacker can change both the root and admin passwords using the
> Administrator button.

Why would you or anyone send your password in clear text when all you
have to do is self-issue a cert to get 128-bit ssl protection?

> Rule of thumb, change your admin password regularly.

Rule of thumb, don't use http; use a secure cert (even a self-signed
one) and https.

Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA  92517
voice: (909) 778-9980  *  fax: (702) 548-9484

--__--__--

Message: 4
Date: Thu, 21 Feb 2002 14:06:15 -0500
Subject: Re: [cobalt-security] self signed certificate warnings
From: "AYoung@Home" <ayoung78@xxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

on 2/21/02 1:27 PM, Jeff Lasman at jblists@xxxxxxxxxxxxx wrote:

> When Verisign first went into the business they earned their money; they
> went through a lot of hoops to make sure the company was who it says it
> was.
>
> Now Thawte does less and charges less.  GeoTrust does still less and
> charges still less.
>
> That seems to be a fair tradeoff.  If you want to have a cert from a
> U.S. company that knows who you are beyond a shadow of a doubt before
> issuing the cert, buy from Verisign, for somewhere around us$350 or so.
> If you want to buy from a South African company that does less in the
> way of due diligence and charges less, buy from Thawte for us$125.  If
> you want to buy a GeoTrust cert from a company that verifies you can be
> reached at your domain and that you have the rights to the domain as
> enumerated in your registrar's whois database, buy from me for us$99
> <smile>.
>
Actually Thawte was bought out by Verisign in either 1999 or 2000.  You can
read about the Thawte/Verisign merger.

http://thawte.com/corporate/vsfaq.html

Alisa



--__--__--

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security


End of cobalt-security Digest