WoSign vs StartSSL vs Cloudflare; who and why?

As the title, could be an interesting discussion.

I personally use none of the above and have Comodo certs.


Comments

  • Nyr Member
    edited August 2015

    WoSign, because they provide 3 years and multi-domain certs. Also, the process is easier than StartSSL and I don't want to deal with them anyway.

    Not CloudFlare because I want to host in my own network, not theirs.

    Thanked by 1: rm_
  • Wosign - 3 years valid, 100 (sub)domains, no ID or similar required. Cert revocation servers are in China though.

    StartSSL certs are IIRC only one year and you have to send a lot of ID stuff to their corp in Israel (eh, no thx). WoSign is StartSSL root anyway.

    Thanked by 2: rm_, skynet
  • joepie91 Member, Patron Provider

    Cloudflare is MITM-by-design, and isn't a CA, just an SSL/TLS proxy provider (from this POV). Unfortunately, that is not visible to an end user, who just sees a 'green padlock', and can't know that an additional party has the ability to intercept traffic. I'm not a fan of it for that reason.

    WoSign seems a lot more upfront and honest than StartSSL, but unfortunately they don't support all domains, and I have my doubts about the security of their systems. It wouldn't take my pdf.yt domain, claiming it was 'invalid', and when I tried to contact support, I encountered this:

    ... and you really shouldn't be running your applications in debug mode like that...

    Either way, the one I'm excited for is Let's Encrypt.

  • ZweiTiger Member, Host Rep

    Cloudflare, because my Mac does not support WoSign, and because the StartSSL system is shit. I tried all of them. I am with Cloudflare.

  • ZweiTiger said: because my Mac does not support WoSign.

    huh? Works fine for me in FF and Safari.

  • joepie91 said: encountered this:

    heh, even contains the SMTP password...

  • Startssl works best for me.

  • WoSign, because they're more straightforward, and who can say no to a 3-year multi-domain SSL cert?

  • CloudFlare SSL is useless if there isn't a secure connection between CF and your server. WoSign is fine, though their servers are in China. StartSSL is just a pain in the butt.

    If anything, I'd rather take a paid SSL which is not a PositiveSSL, but in terms of free certificates, I'd go for WoSign and in Q4, Let's Encrypt.

  • Nyr Member

    FlamesRunner said: WoSign is fine, though their servers are in China.

    Why does this matter? Except if you mean the CRL ones, which still doesn't really matter much.

  • First time I'm hearing about WoSign, cheers :) Need something simple for a few personal services (webmail, etc) that I also grant friends access to.

  • FlamesRunner said: CloudFlare SSL is useless if there isn't a secure connection between CF and your server.

    I'm hoping an HTTPS to CF makes CF connect to your server through HTTPS (and possibly require it to use the same certificate you escrowed with them). Forwarding HTTPS over an unsecured connection is just so dumb that I can't believe any serious host would do that.

  • @William said:
    heh, even contains the SMTP password...

    tell us here so we can expose how easy it would be to get the root CA key

  • joepie91 Member, Patron Provider

    singsing said: I'm hoping an HTTPS to CF makes CF connect to your server through HTTPS (and possibly require it to use the same certificate you escrowed with them). Forwarding HTTPS over an unsecured connection is just so dumb that I can't believe any serious host would do that.

    Cloudflare does not enforce HTTPS between CF and your server, and as an end user there's no way to check it. And even if there was, CF could still MITM your connection. It's broken no matter how you look at it.

  • @FlamesRunner said:
    CloudFlare SSL is useless if there isn't a secure connection between CF and your server. WoSign is fine, though their servers are in China. StartSSL is just a pain in the butt.

    If anything, I'd rather take a paid SSL which is not a PositiveSSL, but in terms of free certificates, I'd go for WoSign and in Q4, Let's Encrypt.

    What's wrong with PositiveSSL?

  • William said: StartSSL certs are IIRC only one year and you have to send a lot of ID stuff to their corp in Israel (eh, no thx).

    What? I didn't have to send in anything. However, I was flagged for a manual review, but they just asked if my address was a personal or corporate address.

  • jackwz Member
    edited August 2015

    @joepie91 said:
    Cloudflare does not enforce HTTPS between CF and your server, and as an end user there's no way to check it. And even if there was, CF could still MITM your connection. It's broken no matter how you look at it.

    There is a way to enforce it in the CF options; you can also choose whether the certificate on your server has to be valid. But yes, they are still in the middle.

  • jackwz Member
    edited August 2015

    dupli

  • Mahfuz_SS_EHL Member, Host Rep
    edited August 2015

    If free, I would use WoSign, and if I need CF, then I would enable SSL on that too (but first I would install WoSign and make the CF -> server connection secure).

    If Paid, I would definitely go with AlphaSSL WildCard :-)

  • You should have added a poll for this.

  • I've used StartSSL for just over 2 and a half years now and haven't had an issue, upgraded to class 2 verification 2 years ago and haven't had an issue with that either.

  • Wosign: easy, 3 years, multidomain, OCSP stapling *sometimes working

    StartSSL: complicated

    Cloudflare free: you need to use their network, SNI SSL booo

  • Mahfuz_SS_EHL Member, Host Rep

    @rokok said:
    Wosign: easy, 3 years, multidomain, OCSP stapling *sometimes working

    StartSSL: complicated

    Cloudflare free: you need to use their network, SNI SSL booo

    Don't know why, but on my config, OCSP stapling always works!

  • It's not always working. That refers to the standard procedure for how OCSP stapling is configured.

  • joepie91 Member, Patron Provider
    edited August 2015

    @jackwz said:
    There is a way to enforce it in the CF options; you can also choose whether the certificate on your server has to be valid. But yes, they are still in the middle.

    The point is that Cloudflare itself doesn't enforce it. Whether you can configure it as an administrator is irrelevant - the end user is none the wiser as to whether their traffic is going to be sent over TLS or not, regardless of any padlock in the browser. The goal of enforcing it would be assurance for the end user, not for the site administrator.

  • Just started using WoSign, quite happy so far, I like the 3 year validity. I had to set up manual OCSP stapling though.
    Previously I used StartSSL which is nice too. But they don't allow for commercial use.

    CloudFlare's SSL service I don't like. It's based in the US. They intercept all traffic. And they make it impossible for end users to know how insecure the connection really is. If anything, CloudFlare's SSL makes the Internet less secure.

    I am not excited about Let's Encrypt. I was hoping for a robust CA, but instead they are building some toys / scripts and making it hard for educated users to get SSL. They should teach web devs why security matters, not cater to their ignorance.

  • rm_ Member

    elwebmaster said: I had to setup manual OCSP stapling though.

    You didn't have to. For example Lighttpd doesn't support OCSP at all, and I still happily use WoSign with it without any slowdowns whatsoever.

  • @rm_ said:
    You didn't have to. For example Lighttpd doesn't support OCSP at all, and I still happily use WoSign with it without any slowdowns whatsoever.

    OCSP is not really about performance. If anything, the extra verification load is on WoSign's server. Mainly it is about privacy. Your users trust you with their data (i.e. IP), not some other third party. You should make an effort not to leak the IP they connected from, and the time. Without OCSP every user's IP and time of connection is visible to WoSign and everybody else intercepting the connection. You may think "so what", but it's not your data you are protecting, it's your users'. To them it may matter.
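    To check whether your own server actually staples (the privacy point elwebmaster makes above, and the "sometimes working" that rokok mentions earlier), here is an added example that is not from anyone in the thread. It assumes the openssl command-line tool is installed; the hostnames and the sample outputs are constructed.

    ```shell
    #!/bin/sh
    # Added example (not from the thread): check whether a TLS server staples an
    # OCSP response, so browsers that do check revocation need not contact the CA's
    # responder and reveal the user's IP and connection time to it.
    # Assumes the openssl command-line tool; hostnames and samples are assumptions.

    # Classify captured `openssl s_client -status` output.
    # Prints "stapled" or "not-stapled" and returns 0 or 1 accordingly.
    ocsp_staple_status() {
      if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
        return 0
      fi
      echo not-stapled
      return 1
    }

    # Live check against a real host (needs network). The empty stdin makes
    # s_client exit after the handshake; -servername sends SNI so virtual hosts
    # present the right certificate.
    check_ocsp_staple() {
      host=$1
      port=${2:-443}
      out=$(printf '' | openssl s_client -connect "$host:$port" \
              -servername "$host" -status 2>/dev/null)
      ocsp_staple_status "$out"
    }

    # Constructed sample outputs, abridged to the lines that matter, so the
    # classifier can be exercised offline.
    SAMPLE_STAPLED='CONNECTED(00000003)
    OCSP response:
    ======================================
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Cert Status: good'

    SAMPLE_NONE='CONNECTED(00000003)
    OCSP response: no response sent
    ---
    Certificate chain'

    # Optional live run: OCSP_CHECK_HOST=www.example.com sh this_script.sh
    if [ -n "${OCSP_CHECK_HOST:-}" ]; then
      check_ocsp_staple "$OCSP_CHECK_HOST"
    fi
    ```

    Run it several times against the same host: a server whose staple has expired or failed to refresh will flip to "not-stapled", which is the intermittent behaviour described above.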

  • rm_ Member
    edited August 2015

    elwebmaster said: Without OCSP every user's IP and time of connection is visible to WoSign

    Browsers certainly don't check OCSP on every connection, and some (most?) don't check at all.

    elwebmaster said: it's not your data you are protecting, it's your users'

    Also I don't buy the "China" boogeyman, if that's what you're getting at; if anything, I'd be more concerned about protecting from the NSA, than from "the Chinese".

  • @hostnoob said:
    What's wrong with PositiveSSL?

    The issue I have with them is that many malicious websites use this certificate to make their users feel 'secure'. For example, while I was testing a rogue anti-virus, its payment page was using PositiveSSL. Yes, you can do this with any certificate authority, but I find PositiveSSL to be the most common.

    Either way, I just don't like PositiveSSL certificates.
