Anne van Kesteren

TLS: next steps

In TLS: first steps I outlined the need for everyone to start using TLS. And how this can be free for non-commercial use. I got validated through StartSSL within a week and although I have my issues with them, issuing certificates worked fine and slightly more domains use TLS now than did last week. Yay!

The way this works is that I have a private key from which I generate a certificate signing request (CSR) that I hand over to the CA (certificate authority). The CA then issues me a certificate if everything is in order; the private key itself never leaves my server. I then install the private key and the certificate on my server and enable TLS hosting. I did not want to pay for a unique IP address so I am using the SNI TLS extension (Server Name Indication, which lets one IP address serve several hostnames with different certificates). This will cause limited breakage in some older clients that do not send SNI (notably browsers on Windows XP and Android 2.x), and that will fade out over time. (I also had to install an intermediate certificate. Clients only trust the CA's root, and many CAs sign site certificates with an intermediate rather than the root directly, so the server has to send the intermediate along with its own certificate or the chain cannot be verified; the CA will say when this is needed.)

I encourage everyone reading this to enable TLS, deploy HSTS, and start thinking about how we can improve this system. E.g. since a domain registrar already has to validate a potential domain owner to some extent, perhaps they can issue a certificate with it for free? That leaves the private key, but some certificate authorities already offer to generate those. And although that is not ideal (the CA then holds a copy of a key that is supposed to be known only to the site), it would be better than not having TLS at all.