Message: previous - next
Month: February 2017

Trinity SSL Certificates

From: "Timothy Pearson" <kb9vqf@...>
Date: Thu, 16 Feb 2017 13:45:44 -0600
Hash: SHA224

As some of you may already be aware, StartCom (a major provider of SSL
certificates) has repeatedly and intentionally violated the basic rules to
be listed as a root CA in most browsers [1] [2].  Unfortunately, TDE used
StartCom as its root CA provider in an attempt to lower overall costs; as
a result, the main TDE pages, QuickBuild, and other related services will
no longer be accessible to the majority of Web clients.

We do not have the funds to replace the certificate with a costlier option
at this time.  LetsEncrypt does not appear to be secure enough as it
effectively requires automated certificate installation on the master
servers, and furthermore I expect it to be removed from as a fully trusted
root CA or at least demoted in some way in the future [3].

Due to the industry-standard security in use, we cannot simply disable
HTTPS without disabling access to all TDE sites previously using HTTPS. 
Furthermore, disabling HTTPS would open TDE users adn visitors to
malicious MITM attack, and I am not willing to do this.

Our only options come down to either accepting the heavy loss in visitors
/ traffic that will come from using a self-signed certificate, or
attempting to raise the funds required to purchase a new certificate.  It
should only cost around $200 to obtain a new multi-year certificate
covering TDE, so if you can please contribute something toward this goal
via our donations page [4].

Again, I apologize for the inconvenience; it is not common for a CA to be
delisted and the impact from this has been felt across many sites. 
Unfortunately, it will only continue to worsen as Chrome (with its 75%
market share) is updated by end users over the next few days / weeks.

Thank you!




Version: GnuPG v1.4.11 (GNU/Linux)