
CAcert and StartSSL both only validate domains whose TLD is owned by the requester. I have a few subdomains that come from places like freeDNS that I would like to run an SSL-secured server on. Are there any CAs that offer this service for free, and, if so, what are the possible security flaws created there? It seems to me that the owner of the TLD can't do anything if the subdomain just redirects to the server where the cert is stored, so it shouldn't be such an issue.

bright-star
  • 147
  • 5

2 Answers

2

That's a tough one. Real domain "ownership" happens at the registrar level. Subdomains can be doled out by the domain registrant, but that level of ownership is difficult to verify, and the terms and duration of your control over a given subdomain are not necessarily clear to the CA. As such, CAs that do simple domain control validation would categorically deny any such requests; it wouldn't fit the security rules they've set up.

Instead, such a request would have to go through the domain owner, like FreeDNS. They're the only party that could realistically determine whether or not such a cert should be granted and for how long, and therefore they're the ones who the CA would want to talk to.

A better solution is to register your own TLD. Dynamic DNS can still be done with your own domain name, plus it simplifies your interaction with CAs and other similar organizations.

Alternately, you can always use a self-signed certificate. Self-signed certs are just as secure as CA-signed certs as long as you can verify that the site is serving your certificate. In fact, if you're doing custom certificate validation in your browser, it's actually more secure than a CA-signed cert because you're not subject to attacks involving malicious but properly-signed certificates.

tylerl
  • 82,225
  • 25
  • 148
  • 226
1

Beware that SSL also requires a fixed IP address for CA-issued certs. See SO Question. While you can use self-signed certs, browsers will throw up scary warning messages.

It is definitely a pain that SSL with a CA-issued cert requires you to have a TLD and a fixed IP address.

Larry K
  • 591
  • 2
  • 11