[tor-talk] "Confidant Mail"

Aymeric Vitte vitteaymeric at gmail.com
Wed Feb 4 13:47:17 UTC 2015


Just for the story about startssl: unlike Confidant Mail, which should 
use https, I think, despite the fact that they don't trust it, like 
all of us (it's still better than nothing), I have explained several times 
here why we could not use https to retrieve the Peersm code.

There was an artifice where the js code was retrieved using https inside 
an http page with an additional key mechanism, which of course is of 
little use but still better than nothing again.

Now, when the time came to renew this startssl certificate some months 
ago, unfortunately the Peersm site was tagged as infected by Google 
safebrowsing for some days, so startssl did not want to renew the 
certificate.

I contacted Google safebrowsing's team since it's impossible that the 
Peersm site got infected by anything other than the Peersm app code 
itself (or Google itself via yt), where I think I know why safebrowsing's 
AVs could possibly have wrongly detected a problem, so I asked them to 
rescan the site to identify the issue or to confirm to startssl that 
there were no problems.

It has not worked up to now, so I gave up on the SSL certificate. It 
just failed because safebrowsing was wrong and because startssl's 
procedures are based on this; they told me that they were obliged to do 
so, but in the end that's another kind of censorship because a tool 
(safebrowsing) can be wrong. I hope letsencrypt will not reproduce this.


On 04/02/2015 13:27, CJ wrote:
>
> On 04/02/15 13:19, Paul Syverson wrote:
>> On Wed, Feb 04, 2015 at 06:58:28AM +0100, CJ wrote:
>>>
>>> On 02/04/2015 06:19 AM, Seth wrote:
>>>> On Tue, 03 Feb 2015 20:01:36 -0800, Andrew Roffey <andrew at roffey.org>
>>>> wrote:
>>>>>   - there is a cost of obtaining HTTPS signatures.
>>>> Not certain if the deal is still being offered, but for quite a while
>>>> you could get a free TLS/SSL certificate good for one year when
>>>> registering or transferring a domain to namecheap.com
>>>>
>>>> Then if you needed to renew it, or just buy more, you could pick them up
>>>> for $2/yr just by purchasing another qualifying product, such as a year of
>>>> whoisguard for $2.88.
>>>>
>>>> Point being, the cost of certificates can be negligible if you know
>>>> where to look.
>>>
>>> not to mention StartSSL and their free certificates… Well, ok, maybe not
>>> the cleanest and trustworthy thing, but you can still provide the CSR,
>>> meaning you own the key. And they support 4096b with sha2…
>>>
>> See also https://letsencrypt.org/
>> Let's Encrypt plans to offer free and automatic to set up certificates
>> from a recognized authority starting in mid-2015. (Not quite ready
>> yet.) It is backed by EFF, Mozilla, Akamai, Cisco, and Identrust.
>>
>> -Paul
> right — can't wait for this one. In the meanwhile I stick with startssl…

-- 
Peersm : http://www.peersm.com
torrent-live: https://github.com/Ayms/torrent-live
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms


