A cursory glance indicates it's signed by CAcert, which isn't in most (any?) browsers' trust store which would be why you're seeing this error. It's probably fine and "intended", though I'm not familiar enough with the project to give a definitive statement either way.
You shouldn't worry too much - it is signed by CAcert.org - a free certificate authority that is popular among open source circles.
It's fairly well trusted and well established.
The site is using a CACert certificate which isn't included in all of the common browsers (though they are an arguably more trustworthy certificate authority than other CAs that are typically included. I'm looking at you Comodo and Verisign).
Not quite.
It uses the free CACert authority, which isn't in your cert store or that of the common browsers which use their own.
You have to add it manually if you decide to trust them;
See the FAQ at http://www.cacert.org/
Seems like the community is in favour of this.
I'm a bit concerned that their https certificate (issued by CAcert) won't work on most systems by default, but based on what I can see, there are no forms etc. where users can send sensitive data.
I'll merge your pr now.
Nope, everything is perfectly valid, and the certificate is signed by CAcert. If your web browser doesn't have the root certificates, you can add them from here: http://www.cacert.org/index.php?id=3
The root certificate (PEM format) is enough for the browser. Depending on the software it will be handled differently, but it comes down to the same thing (adding it to the global macOS keychain, internally in Firefox, etc.).
(The real ones will simply do an apt-get install ca-cacert 😉)
In this case, this certificate authority was removed because they "have strict requirements on redistribution... which we don't meet". I looked at the root certificate redistribution policy for CACert. I don't see the problem, but then again I don't distribute web browsers.
Congratulations, your web browser (Firefox) doesn't include CAcert's root certificates. No big deal, they can be added in 2 clicks. Otherwise, you can simply use that splendid "add an exception" button.
Welcome to the secure internet; but only for those who agree to put up with the certificate authorities' racket. The others simply use libre solutions, which are not installed everywhere by default.
Not surprising: the TLS certificate is signed by CAcert, a libre organisation; its root certificates are not included in all web browsers, which explains the warning message.
I agree, but there are a few reasons not assuming that SSL is present.
For one, using self-signed certs might cause problems with some owncloud clients, or browsers accessing shared files (browsers will certainly complain, which is not ideal when sharing files with non-technical users).
Another reason is the expense of an externally signed cert. OK, so there's CAcert. But their CA/root cert isn't recognised by many (any?) browsers and only a handful of Linux distributions -- certainly no mainstream browsers or OSs anyway. So, practically speaking, CAcert is no more effective than using a self-signed cert.
A third reason is the added complexity of setting up SSL. I'm not saying that this excuses the need for good security, but just that it's another barrier to using encryption.
The point is that, even if a user sets up their own instance of owncloud without encryption, leaking their passwords in plaintext on the internet is unnecessary and pretty poor given today's climate, especially when you consider that there are (albeit less secure than SSL) alternatives.
Edit: seriously, what kind of idiot is downvoting this discussion?!
But what do you think of CAcert.org? If I understood correctly, they create the certificates for you for free..
EDIT:
CAcert.org is a community-operated Certificate Authority that issues certificates to the public free of charge. CAcert's goal is to promote awareness and education on the subject of computer security through the use of cryptography, in particular by providing cryptographic certificates. These certificates can be used to digitally sign and encrypt email, to authenticate and authorise users connecting to websites, and to protect the transmission of data over the internet. Every application that supports the "Secure Socket Layer" protocol (SSL or TLS) can use certificates signed by CAcert, as can every application that uses X.509 certificates, for example for encryption or for code signing and document signatures.
Certificate transparency, Chrome's telemetry, static public-key pins for some sites submitted to Chromium, HSTS, Let's Encrypt availability, the phase-out of SHA-1, and many sites shifting to HTTPS all happen without the intervention of anyone outside those projects, save for updating a browser.
Even TLSA/DANE is just another trust-chain option. I don't see it ever taking over 100% from CAs because there are a lot of different use cases, and also a number of the disadvantages of CAs are ameliorated now that Let's Encrypt is fully operational. A lot of the hate directed at X.509 was because of the inevitable monetary transaction involved, and that is no longer generally the case.
Incidentally, I've been following CACert for the better part of a decade and they never managed to accomplish even a small fraction of what Let's Encrypt has done. Kudos to the Let's Encrypt folks for finally getting this done, and getting it done a lot quicker than I imagined by getting a tiny existing CA to cross-sign.
The existing CA system is the worst choice, except for all the others we've tried, as I've said before. If you have a better alternative, let us know about it by all means.
I just lose patience when some people, not necessarily you, use misunderstandings about the existing system to argue for other things that have much worse security, and confuse people. For instance, those who misunderstand the system sometimes argue that self-signing is more secure than using a certificate signed by an established trusted root.
How come the services that are linked in this thread are so cheap? Whenever I searched on Google for an ssl issuer they are 4 to 5 times more expensive. Does it have something to do with the geo-targeted search results in google or do some companies just "abuse" the fact that they have superior seo?
Edit: you should check out cacert, too. Free level 1 certificates :)
If I have something that others will access, I just go with Comodo's Positive SSL from Namecheap with regular single subdomain certs. Everything else is just CAcert, which is pushed out to Windows clients with GPO.
Yeah I remember the Heartbleed drama… but if you don't have cash there won't be many options outside of them until Let’s Encrypt is ready. There's also CACert, but they're not considered a trusted CA out-of-the-box.
You can already get them for free, however it's not publicly trusted.
They have to charge. Do you have any idea how expensive HSMs are? The infrastructure? The IT and security research that goes on behind the scenes? The collaboration between all the major browsers?
In the OpenPGP web of trust, some people sign key/user ID combinations without careful checks, mostly because they do not know better. This is not visible from the cryptographic signatures as such, so you need a way to tell whose certifying signatures are any good and whose aren't. It probably won't stop at that—you need some assurance that the certificate rating mechanism itself is working correctly, and so on.
I think Cacert has something in this direction, but it's obviously a difficult problem.
Fair enough. I really should change that.
For what it's worth, the cert is from cacert.org. I only direct to https by default because it was the quickest way to defeat the apparently buggy caching proxy I'm behind. Otherwise, I only ever see my new edits once every 24 hours.