New on LowEndTalk? Please Register and read our Community Rules.
Comments
And that's exactly why the OP was 'banned by globalsign'. I really think this was CH's doing.
Heh. There's another online reference:
http://centriohost-llc.lowell.in.amfibi.com/us/c/7988867-centriohost-llc
CENTRIOHOST LLC 754 Carriage Drive Lowell IN 46356-2491 Phone: (880) 2-8399009 Category: Internet Host Services Website: http://www.centriohost.com Kamrul H. Bappy, CEO Phone: (880) 167-0097390
That's different from the Bangladesh address on their website. And - there is/was(?) another hosting company registered to the same US address:
http://wiki.lowendbox.com/doku.php?id=fraghost.net
http://companies.findthecompany.com/l/19161811/Hostknet-Llc-in-Lowell-IN
http://fraghost.net/about.php
HostKNET LLC 754 carriage dr. lowell, Indiana 46356 United States
Another good reason why in the EU you have minimum publication duties as registered address and company number/register. So any possible client might be able to do some background checks.
I pay $99 for a RapidSSL wildcard for one year. Don't think it's that expensive, but it's not cheap either.
It's a temporary ban, but it is his last chance.
I think you are too forgiving.
Could be. However, I believe in second chances. So this is basically his final warning and if he crosses the line again, he's out for good.
So why doesn't anyone make competition to globalsign with cheaper prices?
@duckeeyuck, there is competition. http://www.startssl.com/ for example. It's not as easy as it sounds because you want to make sure that your root CA is supported and listed as trustworthy by as many browsers and platforms as possible.
It seems like the SSL market is a cartel with price floors and other forms of collusion.
The cost of a Wildcard Domain Validation SSL in no way represents the true cost of production.
Well, regardless of failure, trying is surely a lot better than not doing anything.
This is true, but let's not forget that the market fuels jobs which put food on tables. In no way do I think it's worth shaving a few jobs off at the major resellers for the rest of us to get wildcard SSLs for nearly free. They're anything but a necessary product. They're just nice to have is all.
Uh? I may not have been clear about this. SSL certificates are all about trust. If the certificate issuer cannot convince everyone that he is trustworthy, then his CA cert(s) won't be included in the client products, which means any certificate he issues won't be shown as trustworthy either (they would appear just like self-signed certs). Take a look at the CA certs that are included with Mozilla products:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/
Not that many. And not even all of those included issue certificates to the public.
So, if you want to compete against Globalsign and others, not only would you have to prove that you are trustworthy, you would also have to make sure that your CA certificates are included in all common client products out there (it's a very long procedure and there is no guarantee), but you also have to show that your business is sound and reliable. Nothing worse than a CA who gets hacked, stolen, or who willingly issues false certificates.
As strange as it may sound, it's kinda in the nature of SSL certificates that there are so few who can issue them and who are deemed trustworthy. Imagine if the barrier of entry was lower... we'd see a lot of frauds issuing fraudulent certificates and worst of all, they'd appear as trustworthy to us (to our browser).
Wildcard certificates can even be a security risk. If you use a single certificate for all your services running on *.yourdomain.com, then the compromise of a single key could lead to the compromise of your entire SSL infrastructure. For example, if someone escalated your mail server, such as postfix, and if you used the SSL wildcard cert for that mailserver, then the attacker now has access to the wildcard key, and he could use that information to prepare a MITM attack on your remaining services that are encrypted using the same wildcard certificate.
If someone compromised your mail server they could just buy their own wildcard SSL certificate for your domain name and spoof your server (equivalent to taking the private key if you're using forward secrecy).
First, I was only giving an example. It could be ANY service that uses the wildcard certificate that is being attacked, and the successful escalation of one would lead to the leak of the key and would then become a threat to all remaining services. Second, you are assuming that the mail server is also in charge of the underlying domain/the certificate. That's not necessarily true, in particular if you are doing virtual domain hosting.
Why would you have a wildcard SSL certificate for a domain that's not being hosted on the mail server?
Still, it's more likely that an attacker would just find a way to get the wildcard certificate from a certificate authority; there are numerous cases of this happening when a CA fails to verify an attacker's ownership of the domain.
Anyway, if they do compromise your service there are other, bigger problems to worry about than your SSL. Once you fix the other problems (like, all your customers' personal data being leaked maybe) you can just revoke your certificate and get a new one.
I agree you should use different certificates but I don't believe it's a big deal; we shouldn't rely on our trust of certificate authorities, because no one actually trusts them.
Because the domain of the mail server does not need to be identical to the domains the mail server handles emails for. A mail server, let's say smtp.myispserver.com, could manage many different domains through virtual domain hosting. These domains could be the domains of the customers from myispserver, for example. The administrator of smtp.myispserver.com, however, doesn't need to use this server to receive emails for @myispserver.com. Those emails may only be of administrative kind, such as abuse@, etc. and are not used by any customers.
That kind of separation is, in fact, a very good practice, because it avoids a single point of failure. So in the MX record of myispserver.com, another MTA is noted, perhaps aspmx.l.google.com (again, not that unusual). An attacker escalating the mail server won't be able to request new certificates for *.myispserver.com, because he won't be able to domain-validate them (mails to @myispserver.com would be sent to Google's mail server in this example).
The point is that by using wildcard certificates, you reduce the security that you would like to convey through these certificates to the weakest of your services. "Once you fix the other problems" - implies that you've realized you were hacked and had sufficient time to act before the attack could go further. It's an assumption that's not necessarily true.
Now, certain certificate providers, such as Digicert, allow - to address this exact security issue - to issue unique copies of your wildcard certificate for all your servers/services, each of which is assigned its own private key. Alas, Digicert Wildcard certs are not quite in the same price range as AlphaSSL Wildcard certs...
Article:
http://www.eweek.com/c/a/Security/The-Risks-In-Wildcard-Certificates/
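An added illustration of the wildcard key-reuse risk discussed in the posts above; it is not part of the thread or any poster's own code. The inventory rows, key fingerprints and function names are constructed for the example and reuse the myispserver.com hostnames from the discussion.

```python
from collections import defaultdict

# Constructed inventory: (endpoint, certificate name, public-key fingerprint).
# Hostnames follow the thread's myispserver.com example; fingerprints are placeholders.
INVENTORY = [
    ("smtp.myispserver.com:25",     "*.myispserver.com",      "key-A"),
    ("www.myispserver.com:443",     "*.myispserver.com",      "key-A"),
    ("billing.myispserver.com:443", "*.myispserver.com",      "key-A"),
    ("vpn.myispserver.com:443",     "*.myispserver.com",      "key-B"),  # own key
    ("status.myispserver.com:443",  "status.myispserver.com", "key-C"),
]

def covers(cert_name, hostname):
    """True if cert_name is valid for hostname; '*' stands for exactly one
    left-most label, so neither the apex nor deeper subdomains match."""
    c, h = cert_name.lower().split("."), hostname.lower().split(".")
    if len(c) != len(h):
        return False
    return c[1:] == h[1:] and (c[0] == "*" or c[0] == h[0])

def shared_keys(inventory):
    """Return {fingerprint: [endpoints]} for every key deployed more than once."""
    groups = defaultdict(list)
    for endpoint, _name, key in inventory:
        groups[key].append(endpoint)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def impact(inventory, compromised):
    """What the loss of one endpoint's key and certificate touches elsewhere."""
    name, key = next((n, k) for e, n, k in inventory if e == compromised)
    others = [(e, k) for e, _n, k in inventory if e != compromised]
    return {
        # endpoints holding the same private key: all must be rekeyed
        "same_key": sorted(e for e, k in others if k == key),
        # endpoints whose hostname the compromised certificate is also valid for
        "name_covered": sorted(e for e, _k in others
                               if covers(name, e.rsplit(":", 1)[0])),
    }

if __name__ == "__main__":
    print(shared_keys(INVENTORY))
    for endpoint, _, _ in INVENTORY:
        print(endpoint, impact(INVENTORY, endpoint))
```

Running it against a real deployment means replacing the constructed rows with the names and key fingerprints actually served by each endpoint.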
boring
@mpkossen I'm not a company and for me it's still a hobby. I host a couple of local companies who I personally know. I just want to make sure they can use a "verified" SSL connection. So yes, for me 99$ for a year of SSL is a bit steep..
Of course if it's a company then they can afford the more expensive version. But I'm not, and till that time (if any) I'm very happy with the deal I got: 9$ for 5 years of wildcard cert
And this is exactly why the CA model is an awful model that offers nothing but security theatre.
I just sent them some questions regarding my certificates. I guess the answer makes it somehow official what we expected ... We won't get any renewals.
My ticket to Centrio Host:
Answer from Centrio Host:
My second ticket to Centrio Host:
Answer from Centrio Host:
I have just checked my account and can confirm that account is empty, no invoices, no ssl. @CentrioHost I haven't seen so much stupidity in my life.
Yep, my account's empty as well.
Best way to refuse renewal is to deny the certificates ever existed?
Number of Products/Services: 0 (0)
Me too )
Confirmed too. Now I don't have any Product/Services with them, it's just disappeared.
It's just like, I never had any transaction with them.
Despite having delivered the majority of orders without issue, I believe the word "scam" still applies to them quite accurately.
http://goodhosting.co/ offers free wildcard SSL certificates with any service (the exact same SSL certificates; from AlphaSSL/GeoTrust/SingleHOP.)
I didn't previously have any beef with CentrioHost, and they did previously say they would be renewable. But they did remove mine as well, not a huge fan of that.