Today I decided to take a few minutes and try to throw up some wildcard and SAN SSL certs to get SSL on all of my servers. This site and another site on the same server (but served by another IP address) both have free "class 1" certs from StartSSL.com. In order to get the more advanced certs, I need to up my validation level and get "class 2" service.
Of course, I can avoid the advanced certificates by assigning each of the domains and subdomains to their own IP address and getting a slew of free certificates. The two problems with using more IP addresses are that I don't have them, and that it's a lot of certificate busy work. Well, I do have the IP addresses, because I have a few IPv6 /64 networks, which conceptually give me like 18,446,744,073,709,551,615 available IP addresses each, but not everyone (more like "not many") uses IPv6 yet. On my IPv4 interfaces, I've got a total of 5 IP addresses assigned to me, only 3 of which are available to the web server (the others are used for other networking purposes), and 2 of those 3 already have certificates and single domains behind them.
Apache says it can be done. My server seems to be compiled correctly. Now I just need a certificate that will work with this, and a little more time to play with the configuration. I had a little time today, but now that's gone.
I'm not doing anything that I think will make anyone more comfortable with a "higher level" validation on my certificate. I was just thinking of adding more SSL to more sites (especially the ones that ask for passwords, or accept forms, or other simple things...nothing major or NSA worthy by any means) using the easiest tool available. Plus I want to keep the tools sharp, and this seems like a simple tool to sharpen.
Before I start, I want to point out that this isn't meant as a criticism of StartSSL, really. Maybe a little bit about their processes or ideas, but I'll concede that they've got different concepts and experiences than I do. I've done loads of security work, and understand all kinds of things about validation and the use of third parties to try to confirm someone is who they say they are. I like the ease and swiftness of the free StartSSL products; I recommend them a lot and will continue to do so (unless this turns out horribly). I'm just having a difficult time with their "class 2" validation process, and I thought I'd tap it out as a reminder to myself and a tale for anyone else attempting to do the same.
This "class 2" validation process involves using their web app (it needs improvement, but it works) to upload some photos or scans of identifying information, like a passport and driver's license. It took me two tries, because I accidentally hit the "back" button on my mouse and was directed to an uncached page, and I may have uploaded the same image twice and skipped another, because their web app doesn't let you see them after you upload them (I can fix that for you, guys...).
Minutes after submitting, I got an e-mail saying they tried and failed to reach me by calling a telephone number I used to have, but haven't had in more than 10 years! I don't know where they got that number, and I'm not even sure where on the Internet I would have used that phone number, even 10 years ago. I've long used a number for most things that isn't going to cause my cell phone to ring, like the voice-mail-only number on my domain registrations: (440) 394-7732. I do this because putting your real phone number on the Internet is just begging for phone calls from people you don't know and organizations you don't want to talk to; it's only a little weird because the area code puts it around Cleveland (where I do not live), but since most phones have free long-distance these days, I don't let it bother me.
I tried correcting them with my current phone number, and pointed out that my actual phone number was used when I originally registered with their site, but that didn't seem accurate enough. They wanted to have some additional validation, like a copy of a phone bill, which I haven't got since going paperless forever ago. I don't get many (if any) bills in the mail any more, and wouldn't want to share them just for SSL validation.
I was curious: why not just call the corrected number and be done with it? I mean, I'm not sure how calling me is any more validating than photos of my identification. I suppose it could be the case that I could be submitting someone else's ID (I'm not...that was me), but somehow the phone call makes that more valid? Like a person couldn't align the stars enough to get hold of a phone number associated with an address for which they have identification that isn't theirs? That hardly seems ludicrous. It just isn't something they could do; evidently they couldn't take my word for it that it was the same number that would get them to the person in the identification images uploaded to their server.
I also pointed them to a couple of websites they could easily find that have my name and phone number, and sometimes my address, too. These are websites that I don't control and to which I never provided any input, but that still had my name, number and address. That was not good enough either.
I offered to snap a shot of me holding my documentation and send it via an MMS message from my phone (which granted could be spoofed, but would anyone bother for this purpose?), but they don't work that way, either. Fair enough: other than my phone I don't have anywhere to accept MMS messages.
After an exchange of a half-dozen or so messages each way, they decided they're going to snail-mail me something that I can use to validate my address. Not sure how that makes a difference, either, but whatever. I mean, they'll have validated the address, but not me; and since they've got government-issued information, they arguably already have a validated address. It's good enough for the police and for entrance to other countries, so why not good enough for an SSL validation? Further, in my scenario where a person could be using fake identification, they've still not validated that the person receiving the mail is the person in the identification; they will have just validated the address.
Sadly, it seems the package will be coming from their offices in Israel, and not their NY or LA offices. The latter choices seem much faster and probably less expensive.
Oh, and while writing this, I received another e-mail notifying me that they've charged me for the validation. This strikes me as another way to confirm I'm already me. They've got my IDs, my credit card information, a valid transaction, an e-mail conversation with external references, and an offer to answer a telephone and do what they tried to do with a different (and externally confirmed) number...sheesh! I responded to that asking if the validation was done anyway, but I guess that's what they're going to use to pay for the mail.
A little poking around the Googlesphere shows that I'm both not alone, and that this might not be the end of my journey.
I'll add to this in a few weeks when I get my validation mail, or if anything else interesting happens.
This is Eddy from StartCom. Just wanted to let you know that calling just any number you'd provide wouldn't help much without confirming in the first place that this is your number. Otherwise we could call 911 and be done with it...
Basically there must be a confirmation step to tie you to the data you submitted and who you claim to be. Otherwise you could just validate yourself as Bill Gates too.
Nevertheless I hope that the registered mail arrives as fast as possible. Cheers!