Please stop advocating wildcard certificates.
Ever since I started “doing the computer stuff” I’ve been a bit wary of SSL/TLS.
It’s very easy to get wrong and revocation is not a solved problem no matter which security vendor is trying to push for sales.
There is, however, a strong urge to do things as easily as possible. For most people using SSL/TLS this becomes:
- openssl commands from a 5 year old blog to generate a CSR.
- Paste your CSR onto some web form.
- Copy/Paste ciphers/config from some other website.
- Use wildcard certs so you never have to go through this pain again.
Some of these steps are worse than others: there’s almost no risk in using old openssl commands (apart from a smaller key size), but if you have an old list of cipher suites you’ll probably be using a deprecated cipher, and your clients’ data may be vulnerable in transit.
The worst one by far is the wildcard certificate; and this is for mostly obvious...
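As an added example (not code from the original post), the shell below shows the subjectAltName way of requesting a certificate for explicit hostnames instead of a wildcard, plus a small audit that flags the two problems mentioned above in a CSR: a wildcard name and an undersized key. The hostnames are hypothetical and it assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example (not from the original post): request certificates for explicit
# hostnames via subjectAltName instead of a wildcard, and audit a CSR for the
# two problems the post names: wildcard names and undersized keys.
# Hostnames are hypothetical; needs OpenSSL >= 1.1.1 for -addext.
set -eu

# make_csr PREFIX BITS NAME... : write PREFIX.key and PREFIX.csr listing every
# NAME in the SAN extension (browsers ignore the CN, so the SAN is what counts).
make_csr() {
  prefix=$1; bits=$2; shift 2
  sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}
  openssl req -new -newkey "rsa:$bits" -nodes -sha256 \
    -keyout "$prefix.key" -out "$prefix.csr" \
    -subj "/CN=$1" -addext "subjectAltName=$sans" 2>/dev/null
}

# audit_csr FILE : print one line per finding and return 1 if any was found.
# Flags a wildcard in the CN or SAN and an RSA key below 2048 bits.
audit_csr() {
  text=$(openssl req -in "$1" -noout -text)
  rc=0
  if printf '%s\n' "$text" | grep -Eq 'DNS:\*\.|CN *= *\*\.'; then
    echo "WILDCARD: $1 requests a wildcard name (one key covers every host)"
    rc=1
  fi
  bits=$(printf '%s\n' "$text" \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
    echo "WEAK KEY: $1 uses a $bits-bit RSA key"
    rc=1
  fi
  return $rc
}

# Usage, e.g.:
#   make_csr site 2048 www.example.test api.example.test && audit_csr site.csr
```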