This is a blog of mcr at sandelman.ca
Thu, 17 Mar 2011

Dreamhost SSL certificates --- insecure

Dreamhost sells third-level GeoTrust SSL security certificates for $15/year. (You have to be an existing customer.) It seems, however, that they do not give you the chance to upload a CSR file. Instead, you are expected to fill out the DN information online, and then they generate a private key for you. And they keep the private key around in their database. It also winds up in your browser cache, and if you have some kind of "trusted" SSL proxy between you and the Internet (like half of corporate users have), then it's gonna be in the cache of that device too.

This is a FAIL. Not only is your private key subject to whatever insecurity they might have, but it's total FBI Patriot Act fodder.

(If there is some place to upload a CSR, we couldn't find it.)

posted at: 13:13 | path: /security
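The CSR workflow the post is asking for, as an added example that is not from the original post or from Dreamhost: the key pair is generated on your own machine and only the CSR, which holds the public key and the DN, goes to the CA. The subject string and file names are constructed placeholders, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: generate the private key locally and give the CA only a CSR.
# File names and subject values are constructed placeholders.

# make_csr DIR SUBJECT
# Writes DIR/server.key (private, stays on this host) and DIR/server.csr.
make_csr() {
    dir=$1
    subject=$2
    # umask 077 in a subshell: the key is never readable by other users,
    # not even briefly between creation and a later chmod.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -subj "$subject" \
          -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null )
}

# pubkey_digest: hash a PEM public key read from stdin (DER form, SHA-256).
pubkey_digest() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256
}

# csr_is_safe_to_send DIR
# Returns 0 only if the CSR is well formed, contains no private key,
# and is bound to the private key held in DIR.
csr_is_safe_to_send() {
    dir=$1
    # 1. The CSR is signed with the matching private key (proof of possession).
    #    Check the message, since older openssl exits 0 even on failure.
    openssl req -in "$dir/server.csr" -noout -verify 2>&1 \
        | grep -q 'verify OK' || return 1
    # 2. Nothing secret was pasted into the file that will be uploaded.
    if grep -q 'PRIVATE KEY' "$dir/server.csr"; then
        return 1
    fi
    # 3. The public key in the CSR is the one derived from the local key.
    csr_pub=$(openssl req -in "$dir/server.csr" -noout -pubkey | pubkey_digest)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout | pubkey_digest)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Usage (constructed values):
#   make_csr /etc/ssl/private "/CN=www.example.com/O=Example Org"
#   csr_is_safe_to_send /etc/ssl/private && echo "upload server.csr only"
```

The certificate the CA returns can then be installed next to `server.key` without the key ever passing through a web form, a browser cache, or an intercepting proxy.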