No more self-signed server certificates
Sun, 15 Dec 2013 04:12:28 -0000
I took one step further to improve my web server's behaviour by getting rid of my self-signed SSL certificate.
It is always recommended to use encryption wherever possible; this has been shown very impressively by the NSA leaks published by Edward Snowden. For my site, it is all the more necessary, as I am a total newbie in writing webapps and currently send any kind of login information in plaintext. Hence, my server only supports HTTP to provide the RSS feed, and otherwise requires HTTPS access. Using HTTPS means that all data sent from the client to the server and vice versa is encrypted.

Moreover, in order to prevent nasty things like man-in-the-middle attacks, the server authenticates itself by presenting an SSL certificate. This certificate should be signed by some authority that vouches that the certificate really belongs to that server. Browsers come with a bundle of certificates that they trust, and a certificate is considered trustworthy if it has been signed by one of those trusted certificates. While it is doubtful whether this idea really performs well in reality, browsers usually try to enforce "proper" authentication of a server contacted via HTTPS.

But organising a properly signed certificate for a server is not that easy and, moreover, quite expensive. Therefore, I originally did not have my server certificate signed by one of those root authorities but signed it myself. This meant that every browser that accessed my page for the first time would not show my page but just a security warning. In order to prevent this annoyance, every visitor had to import my self-signed certificate into his browser. Especially technically less skilled people would not be able to do something like that and would just give up trying to access my page.

This weekend, I was told about CAcert.org. CAcert is a community that issues server certificates for free. The drawback is that their own certificate is not delivered together with my browser, Mozilla Firefox, so I still had to import my certificate.
The bright side is that perhaps in the future they will include the CAcert certificate within the browser software by default. Let us wait and see...

However, the MD5 fingerprint of this server's SSL certificate is 04:3D:AE:58:B3:91:11:77:41:1C:30:08:4C:36:EC:85, and the SHA1 fingerprint is EA:9C:E1:20:33:E2:05:03:14:B5:35:D6:94:CC:FF:77:97:C3:6A:23.
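Publishing fingerprints out of band like this only helps if a visitor actually compares them with the certificate the server presents before importing it. The following is an added example, not code from the original post: it fetches a server's leaf certificate without trusting it, computes fingerprints in the colon-separated form shown above, and compares them in constant time. The host name and the certificate bytes used in the comments are assumptions.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes, algorithm: str = "sha256") -> str:
    """Fingerprint of a DER-encoded certificate as colon-separated uppercase hex,
    the form browsers and openssl display. MD5 and SHA-1 are supported because
    that is what the page publishes; SHA-256 is the one to prefer today."""
    digest = hashlib.new(algorithm, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalise(fp: str) -> str:
    # Accept "AB:CD", "ab:cd", "AB CD" or "ABCD" as the same fingerprint.
    return fp.replace(":", "").replace(" ", "").upper()


def fingerprint_matches(der_cert: bytes, expected: str, algorithm: str) -> bool:
    """Compare the certificate's fingerprint with a published one in constant time."""
    actual = _normalise(fingerprint(der_cert, algorithm))
    return hmac.compare_digest(actual, _normalise(expected))


def fetch_server_certificate(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate in DER form WITHOUT trusting it, so a certificate
    the browser does not know (self-signed or CAcert-signed) can be checked against
    the published fingerprint before it is imported into the trust store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # we verify by fingerprint instead
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Assumed host name; replace with the server whose fingerprint was published.
    der = fetch_server_certificate("example.invalid")
    published_sha1 = "EA:9C:E1:20:33:E2:05:03:14:B5:35:D6:94:CC:FF:77:97:C3:6A:23"
    print("SHA1 :", fingerprint(der, "sha1"))
    print("match:", fingerprint_matches(der, published_sha1, "sha1"))
```

Only after `fingerprint_matches` reports true for a fingerprint obtained over a separate channel is it reasonable to import the certificate; a match on the MD5 value alone is weak evidence, since MD5 collisions are practical.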