Today I decided to take a few minutes and try to throw up some wildcard and SAN SSL certs to get SSL on all of my servers. This site and another site on the same server (but served by another IP address) both have free "class 1" certs from StartSSL.com. In order to get the more advanced certs, I need to up my validation level and get "class 2" service.
Of course, I can avoid the advanced certificates by assigning each of the domains and subdomains to their own IP address and getting a slew of free certificates. The two problems with using more IP addresses is that I don't have them, and that's a lot of certificate busy work. Well, I do have the IP addresses, because I have a few IPv6 /64 networks, which conceptually give me like 18,446,744,073,709,551,615 available IP addresses each, but not everyone (more like "not many") uses IPv6 yet. On my IPv4 interfaces, I've got a total of 5 IP addresses assigned to me, only 3 of which are available to the web server (the others used for other networking purposes), and 2 of those 3 already have certificates and single domains behind them.
Apache says it can be done. My server seems to be compiled correctly. Now I just need a certificate that will work with this, and a little more time to play with the configuration. I had a little time today, but now that's gone.
I'm not doing anything that I think will make anyone more comfortable with a "higher level" validation on my certificate. I was just thinking of adding more SSL to more sites (especially the ones that ask for passwords, or accept forms, or other simple things...nothing major or NSA worthy by any means) using the easiest tool available. Plus I want to keep the tools sharp, and this seems like a simple tool to sharpen.
Before I start, I want to point out that this isn't meant as a criticism of StartSSL, really. Maybe a little bit about their processes or ideas, but I'll concede that they've got different concepts and experiences than I do. I've done loads of security work, and understand all kinds of things about validation and the use of third-parties to try to confirm someone is who they say they are. I like the ease and swiftness of the free StartSSL products; I recommend them a lot and will continue to do so (unless this turns out horribly). I'm just having a difficult time with their "class 2" validation process, and I thought I'd tap it out as a reminder to myself and tale for anyone else attempting to do the same.
This "class 2" validation process involves using their web app (it needs improvement, but it works) to upload some photos or scans of identifying information, like a passport and driver's license. It took me two tries, because I accidentally hit the "back" button on my mouse and was directed to an uncached page, and I may have uploaded the same image twice and skipped another, because their web app doesn't let you see them after you upload them (I can fix that for you, guys...).
Minutes after submitting, I got an e-mail saying they tried and failed to reach me by calling a telephone number I used to have, but haven't had in more than 10 years! I don't know where they got that number, and I'm not even sure where in the Internet I would have used that phone number, even 10 years ago. I've long used a number for most things that isn't going to cause my cell phone to ring, like the voice-mail-only number on my domain registrations: (440) 394-7732. I do this because putting your real phone number on the Internet is just begging for phone calls from people you don't know and organizations you don't want to talk to; it's only a little weird because the area code puts it around Cleveland (where I do not live), but since most phones have free long-distance these days, I don't let it bother me.
I tried correcting them with my current phone number, and pointed out that my actual phone number was used when I originally registered with their site, but that didn't seem accurate enough. They wanted to have some additional validation, like a copy of a phone bill, which I haven't got since going paperless forever ago. I don't get many (if any) bills in the mail any more, and wouldn't want to share them just for SSL validation.
I was curious: why not just call the corrected number and be done with it? I mean, I'm not sure how calling me is any more validating than photos of my identification. I suppose it could be the case that I could be submitting someone else's ID (I'm not...that was me), but somehow the phone call makes that more valid? Like a person couldn't align the stars enough to get a hold of a phone call associated with an address for which they have identification that isn't theirs? That hardly seems ludicrous. It just isn't something they could do; evidently they couldn't take my word for it that was the same number that would get them to the person in the identification images uploaded to their server.
I also found a couple of websites that they could also find that have my name and phone number, and sometimes address, too. Websites that I don't have any control over or to which I provided any input, but that still had my name and number and address. But this was not good enough either.
I offered to snap a shot of me holding my documentation and send it via an MMS message from my phone (which granted could be spoofed, but would anyone bother for this purpose?), but they don't work that way, either. Fair enough: other than my phone I don't have anywhere to accept MMS messages.
After an exchange of a half-dozen or so messages each way they decided they're going to snail-mail me something that I can use to validate my address. Not sure how that makes a difference, either, but whatever. I mean, they'll have validated the address, but not me; and since they've got government issued information, they arguably have a validated address. It's good enough for the police and entrance to other countries, so why not good enough for an SSL validation? Further, in my scenario where a person could be using fake identification, they've still not validated that the person receiving the e-mail is the person in the identification; they will have just validated the address.
Sadly, it seems the package will be coming from their offices in Israel, and not their NY or LA offices. The latter choices seem much faster and probably less expensive.
Oh, and while writing this, I received another e-mail notifying me that they've charged me for the validation. This strikes me as another way to confirm I'm already me. They've got my IDs, my credit card information, a valid transaction, an e-mail conversation with external references, and an offer to answer a telephone and do what they tried to do with a different (and externally confirmed) number...sheesh! I responded to that asking if the validation was done anyway, but I guess that's what they're going to use to pay for the mail.
A little poking around the Googlesphere shows that I'm both not alone, and that this might not be the end of my journey.
I'll add to this in a few weeks when I get my validation mail, or if anything else interesting happens.
Comment from: Eddy Nigg Visitor
This is Eddy from StartCom. Just wanted to let you know that called just any number you’d provide wouldn’t help much without confirming in first place that this is your number. Otherwise we could call 911 and be done with it…
Basically there must be a confirmation step to tie you to the data you submitted and who you claim to be. Otherwise you could just validate yourself as Bill Gates too.
Nevertheless I hope that the registered mail arrives as fast as possible. Cheers!
Comment from: Member
Still happy with the service and product. Waiting patiently for the mail (received e-mail confirming shipment this morning).
Not to bicker, but the small issues I take with not accepting “any random number” come from a few places.
First was the randomness of finding a number not used for many years, but not finding the one that I’ve had for a longer period of time. Or maybe it was found, but since it wasn’t found first or because the other was unsuccessful, this other path was taken.
Also, the current and accurate number is the one I used when registering with StartSSL, which also has the same address. It can be found when searching for my name and the number on engines like Google or Bing or others.
Finally, whether some other source has a relationship between my address and the phone number is folly; it shouldn’t be that connection you try to verify. I use a different address for my domain registrations, and yet a different phone number, but it’s still me. That confirmation was made by having me affect the website (adding the SSL cert in your case, creating an HTML file with a name and value inside in others).
Really what you want to do is somehow confirm that the individual “on the phone” (or in my case “receiving the package") is the one making the request for validation. I’d consider changing the process to requiring the voice on the phone amend the request somehow, perhaps by typing some key given by voice into the website. You don’t necessarily confirm that the phone and address are related, but you’ve now got photo(copy) information suggesting a valid address (acceptable based on the kinds of information provided), and a valid phone number associated with the request.
I’d suggest that the address on the StartSSL account should match the submitted documentation (mine does), and that the voice on the phone is reachable by the provided number (mine would have), and that interacting with your site while authenticated to that account should give you the triad of validation you seem to be seeking.