All certs give the same encryption — the real differences are in identity checks, automation, support, and compliance.

DV with Let’s Encrypt is perfect for most. OV/EV only matter if policy, contracts, or enterprise governance demand it.

https://hostvix.com/free-vs-paid-ssl-what-you-need-to-know/

#ssl #tls #encryption #websecurity #letsencrypt #hosting #webdev #devops #sysadmin #infosec #pkix #https #cloud #opensource #domain #sslcertificate #webhosting #security #it #cybersecurity

Free vs. Paid SSL - What You Need to Know - Hostvix

If you’re skimming: all public-trusted SSL/TLS certificates give you the same encryption. What differs is identity vetting, support/tooling, and sometimes a warranty from the certificate authority (CA). Browsers no longer show the old EV “green bar” or company name in the address bar; users just see a lock/tune icon and the domain. Below I’ll walk...

Blog Stéphane Bortzmeyer: Monitor the expiration dates of your X.509 certificates!

Huh, sending a #PKIX certificate to the server from a #Python program is much simpler than I thought. (Maybe that is why there is no documentation at all.)

#TLS

And this morning, a Basque certification authority broke La Poste's website.

#mondialisation #X509 #PKIX #vieDeLinternet

I like digital certificates so much that I find this idea, automatically creating lots of very short-lived certificates, rather nice.

#RFC 8739: Support for Short-Term, Automatically-Renewed (#STAR) Certificates in Automated Certificate Management Environment (#ACME)

https://www.bortzmeyer.org/8739.html

#PKIX #X509

Blog Stéphane Bortzmeyer: RFC 8739: Support for Short-Term, Automatically-Renewed (STAR) Certificates in Automated Certificate Management Environment (ACME)

RFC 8603 - Commercial National Security Algorithm (CNSA) Suite Certificate and Certificate Revocation List (CRL) Profile https://prismo.fedibird.com/posts/aeb332cc-01e7-4a18-9d50-e5fd96fb25da

Ah, and a Fediverse bot that would display every new certificate recorded by the CT logs, with a link to crt.sh. For example, creperiecalanaise.bzh has just renewed its own.

#PKIX #X509 #projet #TODO #spam #lanceDincendie https://crt.sh/?id=1275378746 https://www.bortzmeyer.org/6962.html

crt.sh | 1275378746

Free CT Log Certificate Search Tool from Sectigo (formerly Comodo CA)

Well, the Comodo CA did *not* revoke the certificates issued during the attack on the domain names. That is not good. (Especially since they are valid for one year.) #PKIX
What I ended up doing was publish #PKIX-TA assertions for the #LetsEncrypt root certificate in #DNSSEC, and hope that it doesn't change too often. Because they don't bother publishing a policy. This means anyone who can fool #LetsEncrypt can publish fake certificates for my domain, but at least random governments and enterprise #TLS #MITM boxes can't.
DANE support is basically nonexistent. By default, #Certbot generates a new key every time it renews a certificate, meaning #DANE-EE and #PKIX-EE require manual intervention every single time. Since a few months back, you can tell #Certbot to keep the same key forever, but should you want to do key rollover less frequently you get to handle #DANE-EE and #PKIX-EE manually anyway.
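To illustrate the key-reuse point in the post above, here is an added shell example (not code from the post, from Certbot or from Let's Encrypt) that issues two self-signed "renewals" with one key and derives the TLSA rdata for each; it assumes openssl(1) is installed, and the domain name is a constructed placeholder.

```shell
#!/bin/sh
# Added demo, not from the post above. Two self-signed "renewals" are issued
# with the same private key (what Certbot does when told to reuse the key),
# and the TLSA rdata is built for each: a DANE-EE "3 1 1" record (SPKI hash)
# survives the renewal, while a "3 0 1" record (full-certificate hash) does
# not. Assumes openssl(1) on PATH; the CN is a constructed placeholder.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# tlsa_rdata USAGE SELECTOR CERT.pem -> "USAGE SELECTOR 1 <sha256 hex>"
# usage 0 = PKIX-TA (pass the CA certificate), 1 = PKIX-EE, 3 = DANE-EE;
# selector 0 = whole DER certificate, 1 = SubjectPublicKeyInfo only;
# matching type is fixed to 1 (SHA-256) here.
tlsa_rdata() {
    if [ "$2" = "1" ]; then
        digest=$(openssl x509 -in "$3" -pubkey -noout \
                 | openssl pkey -pubin -outform DER \
                 | openssl dgst -sha256 | sed 's/^.*= //')
    else
        digest=$(openssl x509 -in "$3" -outform DER \
                 | openssl dgst -sha256 | sed 's/^.*= //')
    fi
    echo "$1 $2 1 $digest"
}

# issue_cert KEY.pem OUT.pem: a self-signed 90-day certificate for an
# existing key, standing in for one ACME renewal that reuses the key.
issue_cert() {
    openssl req -x509 -new -key "$1" -subj "/CN=dane-demo.invalid" \
        -days 90 -out "$2" 2>/dev/null
}

openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key.pem" 2>/dev/null
issue_cert "$WORK/key.pem" "$WORK/renewal1.pem"
issue_cert "$WORK/key.pem" "$WORK/renewal2.pem"

# DANE-EE records: selector 1 is stable across renewals, selector 0 is not
EE_SPKI_1=$(tlsa_rdata 3 1 "$WORK/renewal1.pem")
EE_SPKI_2=$(tlsa_rdata 3 1 "$WORK/renewal2.pem")
EE_CERT_1=$(tlsa_rdata 3 0 "$WORK/renewal1.pem")
EE_CERT_2=$(tlsa_rdata 3 0 "$WORK/renewal2.pem")

echo "_443._tcp.dane-demo.invalid. IN TLSA $EE_SPKI_1"
if [ "$EE_SPKI_1" = "$EE_SPKI_2" ]; then echo "3 1 1 unchanged by a key-reusing renewal"; fi
if [ "$EE_CERT_1" != "$EE_CERT_2" ]; then echo "3 0 1 changed: DNS would need an update"; fi
```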