
Just in case people haven't figured it out yet - ACM issues free wildcard certs :)!

http://aws.amazon.com/certificate-manager/pricing/

https://docs.aws.amazon.com/acm/latest/userguide/acm-certifi...




Yes but the certs are only free if you're using AWS to host the service, to clarify for those who don't read the article.

Still very cool!


Dumb question: Can you extract the private certificate and use it elsewhere, or is it held securely and only accessible via specific AWS services?


Yeah, currently the keys are held securely within AWS and they're only available for use within specific AWS services - Elastic Load Balancer & CloudFront at the moment.


So, no.


I mean, since they're offering for free what many others charge ~$100 USD for, I'm not surprised.

That said, SSL certs and domain renewals are the least interesting but high importance items of running an online business. As I'm already heavily deployed on AWS, I have no problem having them handle all of this for me, for what is free to me. (yes yes, not technically free)


So basically don't use this if you care enough about security to pin your certificates.


Why does this stop you from pinning your certificate?


You only care about pinning when you fear that a third actor somewhere between your server and the end client might MitM the connection with a valid certificate.

If a third party controls your keys, certificate pinning is useless to prevent against attacks from that third party or governmental agencies.


Most HPKP deployments pin to root or intermediate certificates of CAs (usually 2 separate CA entities, in case something happens to the primary CA) - meaning in a typical scenario, the attack surface is approximately the same.

Not sure if this approach is common in native applications that pin to keys as well.


Obviously. That doesn't mean pinning is impossible or useless against other threats though, so I don't think the argument makes sense in that general way. I bet there are tons of apps running/with backends running on AWS that should have certificate pinning.


It's always possible to get the public key, e.g. see the accepted answer here:

http://security.stackexchange.com/questions/16085/how-to-get...
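Added example, not from any commenter in this thread: the public key can always be recovered from the certificate the server presents, so a key that lives inside ACM can still be pinned. The script below generates a constructed throwaway self-signed certificate (standing in for the one a load balancer would serve), derives the SPKI SHA-256 pin that HPKP and most native pinning libraries use, cross-checks it against the private-key side, and builds a Public-Key-Pins header with a backup pin as the thread describes. It assumes `openssl` is on PATH; the backup pin value is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): compute an SPKI pin from a certificate
# whose private key you do not hold, then build an HPKP header from it.
# Assumes openssl is installed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a throwaway self-signed certificate standing in for the
# certificate served by the load balancer. Against a live host you would instead
# capture the PEM block from:
#   openssl s_client -connect host:443 -servername host </dev/null
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
        -out "$WORK/cert.pem" -days 1 -subj "/CN=example.invalid" >/dev/null 2>&1
    printf '%s\n' "$WORK/cert.pem"
}

# spki_pin CERT.pem -> base64(SHA-256(DER(SubjectPublicKeyInfo)))
# Only the certificate is needed; the private key never leaves the provider.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# Same pin derived from the private key, for operators who do hold the key.
# A mismatch with spki_pin means the served certificate is not the expected key.
spki_pin_from_key() {
    openssl pkey -in "$1" -pubout -outform der \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# hpkp_header PRIMARY_PIN BACKUP_PIN -> Public-Key-Pins header line.
# The backup pin (a second key or CA, as the thread notes) keeps a key rotation
# or CA change from locking out clients that cached the policy.
hpkp_header() {
    printf 'Public-Key-Pins: pin-sha256="%s"; pin-sha256="%s"; max-age=5184000\n' "$1" "$2"
}

CERT="$(make_sample_cert)"
PIN="$(spki_pin "$CERT")"
PIN_FROM_KEY="$(spki_pin_from_key "$WORK/key.pem")"
[ "$PIN" = "$PIN_FROM_KEY" ] || { echo "pin mismatch" >&2; exit 1; }
echo "SPKI pin: $PIN"
hpkp_header "$PIN" "BACKUP_PIN_PLACEHOLDER"
```

The pin is computed over the DER-encoded SubjectPublicKeyInfo rather than the whole certificate, so it survives a reissue of the certificate as long as the key pair is unchanged; pinning to the leaf certificate itself would break on every ACM renewal.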



