Since all of our HTTPD traffic is forced SSL, valid credentials are required to prevent visitors to Erowid.org and EcstasyData.org from seeing a very nasty error message when trying to access the sites. With an expiration date looming, it was time to renew Erowid.org’s low-end SSL certificate. Why low end? Because we consider the browser certificate authority to be an illegal global racket.
First, the good news. Check out our “A” rating from Qualys SSL Labs:
We mostly achieved this a couple of years ago when our sysadmin team worked to eliminate all of the basic problems, like removing support for dangerously weak encryption ciphers and forcing more secure handshake methods. But, if you look at the Qualys report, you’ll see that our server doesn’t allow the known-broken encryption algorithms.
And, as of today, we’re trying out a 4096 bit key. Many of the sites I looked at suggested that the CPU load cost of doing the key negotiation wasn’t worth the extra security, but JL, our main sysadmin, said we should give it a try. We’ll watch the server load over the next week or two, but right now it seems fine.
As far as the rant about the global criminal conspiracy that is the certificate authority, well, I will leave that to others. To be clear, I think it’s all a money scam, facilitated by the browser folks.
We choose to buy a cheap chained certificate because of the usurious pricing of the better, greener, happier certificates. They punish us by making the URL bar not as pretty and also making the certificate viewing experience worse. Despite the CSR having all the right info, the $50-100 per year wildcard-SSL certs don’t display our organization name or location properly. Pay $200-1000 per year and, with no additional security, we would get a happy-looking green bar and Erowid displayed in the browser URL bars.
Snake oil forever.
As I was searching for an example of an expensive green bar, I discovered that trying to view the front page of CNN via SSL resulted in terrifyingly bad browser behavior. It looks like a hijack (MTM) or just fails.
In early 2015, Erowid joined EFF’s HTTPS Everywhere campaign, because we believe that, today, virtually no communications should occur online in clear text. It is a sad statement about humanity that most of us, including institutions handling sensitive data about us, still use unencoded plaintext email that requires no warrant and is, essentially, a public broadcast.
P.S. In an insanely conspiratorial way, I believe that the NSA and other anti-public-crypto agencies have worked to torpedo efforts over the last twenty years to get email more secure. In the United States, a fig leaf of privacy is enough to trigger Fourth Amendment protections.
Today there is no need to buy expensive SSL certificates anymore, I am personally using letsencrypt.org that is backed by the likes of Facebook, Chrome, Mozilla, Shopify etc. It also gives me an A on SSL Labs. And best of all it is free.
Thanks for pointing that out!
We’ve been following the free certs, definitely. But it’s worth noting that, as of June 2016, none of the major orgs related to this actually use that free cert. Mozilla, Facebook, Chrome, Shopify, nor (perhaps most importantly) EFF. For orgs that take money through their own domains, it is still not considered good business practice.