Michael's musings


This is a blog of
mcr at sandelman.ca

Thu, 17 Mar 2011

Dreamhost SSL certificates --- insecure

Dreamhost sells third-level GeoTrust SSL security certificates for $15/year. (You have to be an existing customer.)

It seems, however, that they do not give you the chance to upload a CSR file. Instead, you are expected to fill out the DN information online, and then they generate a private key for you. And they keep the private key around in their database.

It also winds up in your browser cache, and if you have some kind of "trusted" SSL proxy between you and the Internet (like half of corporate users have), then it's gonna be in the cache of that device too.

This is a FAIL. Not only is your private key subject to whatever insecurity they might have, but it's total FBI Patriot Act fodder.

(If there is some place to upload a CSR, we couldn't find it.)
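
The CSR workflow this post is asking for, as an added example (not code from the original post or from Dreamhost): the key is generated locally, only the CSR leaves the machine, and the returned certificate is checked against the local key. It assumes the `openssl` command-line tool; the file names and subject are constructed placeholders.

```shell
#!/bin/sh
# Added example: the private key is generated and kept locally; only the CSR
# is handed to the CA. File names and the subject are constructed placeholders.

# make_csr DIR CN: create DIR/server.key (owner-only) and DIR/server.csr.
make_csr() {
    ( umask 077   # key file must not be readable by other users
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$1/server.key" 2>/dev/null ) || return 1
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr"
}

# pubkey_fp FILE KIND: SHA-256 of the public key inside a key, csr or cert.
pubkey_fp() {
    case $2 in
        key)  pem=$(openssl pkey -in "$1" -pubout) ;;
        csr)  pem=$(openssl req -in "$1" -noout -pubkey) ;;
        cert) pem=$(openssl x509 -in "$1" -noout -pubkey) ;;
        *)    return 2 ;;
    esac || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# csr_safe_to_send FILE: the file is a CSR whose self-signature verifies
# and that carries no private key block (guards against sending the wrong file).
csr_safe_to_send() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    ! grep -q 'PRIVATE KEY' "$1"
}

# matches_local_key KEY FILE KIND: does the CSR or issued certificate carry
# the public half of the key that never left this machine?
matches_local_key() {
    want=$(pubkey_fp "$1" key) && got=$(pubkey_fp "$2" "$3") &&
        [ "$want" = "$got" ]
}
```

Run `matches_local_key server.key issued.crt cert` on whatever the CA sends back before installing it; a mismatch means the certificate was issued for a key you do not hold.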

posted at: 14:14 | path: /security

