Switch the SSL cert used by clueless to one signed by startssl (or other)

As per http://ideas.aaisp.net.uk/?ia=17940 which suggests a paid-for SSL certificate, certificates from http://www.startssl.com/ are far more widely accepted than those signed by cacert.com (see http://en.wikipedia.org/wiki/Startssl#Trustedness for more detail) and are equally free of financial cost.

While adding a per-cert exception for the current certificate is easy in most browsers, that doesn't help people behind proxies that may completely block responses covered by certificates signed by CAs not on their list and a certificate from a source trusted by the OS/browser is technically more secure.

Author: Dave, 15.11.2011, 15:16
Idea status: completed


Simon Arlott, 16.11.2011, 06:44
Instead of doing this (because the vast number of CAs are becoming a security problem), implement support for DNSSEC so that you're ready for TLSA as soon as it becomes available.
aaisp, 11.01.2013, 15:47
Clueless (the control/ordering system) now has a non-cacert certificate.

We have an on going project which is looking at how we support dnssec - our customer facing resolvers do DNSSEC validation already.

Leave a comment

Copyright - 2020 Informer Technologies, Inc. All Rights Reserved. Feedback system is used Idea.Informer.com