Extra Pepperoni Is Now SSL Protected

I’ve been thinking about using SSL to protect logins to this blog for a while, but thought it would be too complicated. This weekend, I took the time, and thanks to Haris’ Admin-SSL plug-in, it was very easy. First I used cert.command to create a certificate for www.extrapepperoni.com, then I configured my DreamHost account to provide SSL (https://secure.reppep.com/ep/) in addition to the existing http scheme; this took a while to go through. Then I installed Admin-SSL, and after a few loading errors, all authentication and authenticated access is now SSL only, while reading anonymously is non-SSL.

Note that I’m using a certificate signed by my private certificate authority, ca.reppep.com, so you’ll get a warning from your browser that it’s not trusted; this is normal. You can continue past the warning and get full 128-bit SSL encryption; you just don’t have the assurance of a public CA that I am who I say I am.

Thanks to Rich & Sam for encouraging me to do this.

4 Comments »

  1. MacMacken said,

    February 10, 2008 at 7:00 pm

    Good intention, bad action. Can’t you afford a valid SSL certificate? A valid SSL certificate isn’t that expensive!

    SSL certificates like yours make users no longer validate the SSL connections they use since they consider SSL error messages a part of their browsing … SSL only makes sense if it’s more than just a nice padlock icon.

  2. reppep said,

    February 11, 2008 at 9:49 pm

    MacMacken,

    I don’t agree. I’m protecting my password from sniffing, and protecting the confidentiality of commenters. The SSL protection is completely effective for that. For my personal blog, spending a few hundred dollars a year to trust my own certificate would be a waste. If you don’t like it, don’t log in; if you log in and the cert has been subverted, you’re no worse off than if there was none.

    But the risk of sniffing anywhere across the Internet is much lower than the risk of EP being compromised.

    I prefer to think I’m educating people about private certs and how to work with them, and practicing what I preach.

  3. chsweb said,

    February 15, 2008 at 6:54 am

    I’ve been thinking about getting one. How have you managed to get one without purchasing the actual certificate?

  4. reppep said,

    February 15, 2008 at 10:47 am

    chsweb,

    Thanks for that softball!

    The answer is I made it myself with openssl (and my handy-dandy cert.command): http://www.extrapepperoni.com/2007/06/25/securing-communications-with-ssltls-a-high-level-overview/
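
The thread above turns on where the trust anchor lives: a certificate signed by a private CA fails verification against a stock trust store and passes once the CA certificate is imported. The following is an added example using the openssl command line, not part of the original post and not the author's cert.command; the CA name, host name and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example. All names are constructed: "Demo Private CA" and
# www.example.test are placeholders, not the blog's real CA or host.

# Build a throwaway private CA and a server certificate signed by it.
make_demo_pki() {  # $1 = output directory
    # Self-signed root: this is the "private certificate authority".
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo Private CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    # Server key plus a certificate signing request for the site name.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    # The private CA signs the request, producing the server certificate.
    openssl x509 -req -in "$1/server.csr" -sha256 -days 30 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/server.crt" 2>/dev/null || return 1
}

# What a client with only the stock trust store sees: no path to a known root.
trusted_by_default() {  # $1 = certificate
    openssl verify "$1" >/dev/null 2>&1
}

# What a client sees once the private CA certificate is its trust anchor.
trusted_with_anchor() {  # $1 = CA certificate, $2 = certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint to compare out of band before importing a CA certificate.
ca_fingerprint() {  # $1 = CA certificate
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pki "$dir" || { rm -rf "$dir"; return 1; }
    if trusted_by_default "$dir/server.crt"; then echo "default store: trusted"
    else echo "default store: NOT trusted (the browser warning)"; fi
    if trusted_with_anchor "$dir/ca.crt" "$dir/server.crt"; then echo "CA imported: trusted"
    else echo "CA imported: NOT trusted"; fi
    ca_fingerprint "$dir/ca.crt"
    rm -rf "$dir"
}
demo
```

Importing the CA certificate after checking its fingerprint against one obtained out of band gives clients a real verification result, rather than a warning to click past.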
