Re: [W3C Web Security IG] developers security check list

On 09/06/2016 03:41 PM, GALINDO Virginie wrote:
>
> Melvin,
> Can't Let's Encrypt help on this matter?
>

Let's Encrypt doesn't do wildcard certs, although that is somewhere in
the feature list. However, unless you have lots of subdomains, it
doesn't make sense to use wildcard certs due to deployment/automation
issues.

https://community.letsencrypt.org/t/please-support-wildcard-certificates/258/72

Instead, you can just get a cert per domain as most people do. The
inconvenience of not having free (as in 'free beer') wildcard certs doesn't
justify not using TLS.

   cheers,
      harry

> Virginie
>
>
>
> ---- Melvin Carvalho wrote ----
>
>
>
> On 6 September 2016 at 11:25, GALINDO Virginie
> <Virginie.Galindo@gemalto.com> wrote:
>
>     Dear all,
>
>     FYI, a github project listing security good practices for
>     development (including web dev).
>
>     https://github.com/FallibleInc/security-guide-for-developers/blob/master/security-checklist.md
>
>
> Re point 1 use HTTPS "everywhere", it would be nice, but that's simply
> not affordable for many developers with wildcard certificates still
> being of the order of $100 per year.
>
>  
>
>     Regards,
>
>     Virginie
>
>      
>
>     ------------------------------------------------------------------------
>     This message and any attachments are intended solely for the
>     addressees and may contain confidential information. Any
>     unauthorized use or disclosure, either whole or partial, is
>     prohibited.
>     E-mails are susceptible to alteration. Our company shall not be
>     liable for the message if altered, changed or falsified. If you
>     are not the intended recipient of this message, please delete it
>     and notify the sender.
>     Although all reasonable efforts have been made to keep this
>     transmission free from viruses, the sender will not be liable for
>     damages caused by a transmitted virus.

Received on Tuesday, 6 September 2016 13:53:07 UTC