19 comments

[ 2.5 ms ] story [ 55.8 ms ] thread
Does anyone know if it's true that root CAs pay browser vendors to include their certs in the browsers by default?
It is in the interest of browser vendors to do so, cash or not.
It depends. Some ask a payment others don't. They generally require an audit of the CA which is what is charged for. The audit is preferably done by an independent company specialize in such activity.

CACert provide free certificates and are trying hard to get their root CA certificate approved. By the time it takes I assume it is very difficult.

Do you know any details about the auditing process that the independent company would perform of a CA? Since the whole signing SSL business is built around keeping a 256-byte or so private key private then this file would probably be protected pretty well.
Complying with the audit is costly - both in direct costs to the auditors, and in implementing the infrastructure and policies and procedures to pass the audit.
I'd like to know how Mark Shuttleworth got the cert for Thawte included in Netscape (The company he later sold to Verisign for $575 Million).

I think Verisign was willing to pay so much because his certs were already grandfathered into the browsers, and it was too hard to just pay the browser companies directly.

i thought he (or someone in his company?) was one of the original people on the mailing list that helped develop how certificates should work in browsers. just was a matter of right place right time.
AFAIK it was him - having developed the first non-US 128 bit crypto capable SSL web server called Sioux (basically, Apache + SSLeay) he was on all the same mailing lists as the Netscape crypto guys.

He then realised that the certs were more interesting than the web servers, and sold off Sioux to Stronghold so he could position Thawte as a CA instead of a software vendor.

Then with the browser war on the go, MSIE3.0 copied Netscape Navigator, right down to the list of CAs included...

In 1999, Netscape started charging something like $100,000/year + $5000 per root cert, before there were any audit requirements. I think the idea was to weed out those who couldn't afford to run a CA worthy of browser inclusion.

I'm no longer in the SSL industry but I'm not aware of Mozilla charging. Perhaps it was dropped when Mozilla spun out of Netscape and the WebTrust audit came on the scene.

Pretty bog standard run-through-the-openssl-commands run down.

In my case, GoDaddy want to have 2048 (2KB) for the strength for the private key. For personal use, a key strenght of 1024 bits (1KB) would be sufficient.

1024 bits is not 1KB, 1024 bits is 128 bytes, or one eighth of a KB. 2048 bits is 256 bytes, or one quarter of a KB.

Doh! I got my bit-size math wrong. Thanks for pointing that out. Post is updated now.

Regarding your "Pretty bog standard run-through-the-openssl-commands run down", well, I spent quite a bit of Googling around and have yet run across any decent articles that explain what the heck all the commands mean. So I do hope my "run-through-the-openssl-commands-run-down" article helps someone clear up the confusion.

Or otherwise about an industry that rakes in huge profits by executing a few command on your .crt

I wonder when or if we will get a chance to see a community signed and trusted SSL certificate provider.

Not community, but there is http://cert.startcom.org/ .

You can also do your own (OpenSSL has everything you need).

And for a community one, you'd still need a verification mechanism and a protection mechanism for the roots; both of which could be hard to do in a volatile environment. http://www.cacert.org/ Seems to be that, don't think they are included in any browsers by default though (it's not in mine at least).

A little disappointed--I thought this was going to be a top-level explanation of how SSL works to protect data, but instead it was a step-by-step "how to buy a SSL cert for your server" that honestly wasn't even that clear or concise.
Sorry for making you dissapointment :) For this particular post, I didn't want to go into the nitty gritty details about public key cryptography. I'm more interesting in the practical application of SSL since there is truly a lack of a good general source to understand what's going on for applying a SSL cert and why exactly each step is needed.

Most regular people when it comes to SSL will usually don't have a good background into encryption, but they want to have something that works and help them implementing on the sites. Especially with SSL so cheap ($12.99 on GoDaddy), there should not be any reason not to implement it. It's like buying a new car, sometimes you don't really need to know how the engine works, but just know how to drive your new car by inserting the key and hitting the gas pedal.

My model of this post is after Feynman: explain it in a way to help peek the interests of the reader. Once the "why" is explained (maybe not as clear or concise as I'd want), the reader would have a clearer picture of the whole SSL business. And if he/she wants to find out more about the underlining encryption algorithm, there's always Wikipedia available for further reading.