[HN Gopher] Another free CA as an alternative to Let's Encrypt
       ___________________________________________________________________
        
       Another free CA as an alternative to Let's Encrypt
        
       Author : c0r0n3r
       Score  : 381 points
       Date   : 2020-11-23 16:43 UTC (6 hours ago)
        
 (HTM) web link (scotthelme.co.uk)
 (TXT) w3m dump (scotthelme.co.uk)
        
       | CyanLite2 wrote:
       | Wanted: free CA that offers longer than 90 day certs
        
         | francislavoie wrote:
         | Shorter lifetimes are better. There's really no valid reason to
         | make them longer. Upgrade your tooling to automate renewals,
         | and it's no longer a problem.
        
         | yreg wrote:
         | Apple already distrusts certs older than 398 days[0], no matter
         | what the issuer says. I can see this lifespan only decreasing.
         | 
         | [0] https://support.apple.com/en-us/HT211025
        
         | gsich wrote:
         | Buypass
         | 
         | https://www.buypass.com/ssl/products/acme
        
       | mholt wrote:
       | Here is a maintained list of all known, public ACME endpoints:
       | https://docs.https.dev/list-of-acme-servers
       | 
       | In Caddy 2.3, Caddy [1] will default to both Let's Encrypt and
       | ZeroSSL [2]. If it can't get a cert from one, it will try the
       | other. You can configure more too, including self-signed certs,
       | as a last fallback for example. Caddy will be the first web
       | server and ACME client to support multi-issuer fallback. (Pre-
       | releases coming soon, or you can build from source and try it
       | today.)
       | 
       | ZeroSSL's website is being updated to clarify that certs are free
       | and unlimited through ACME. You can even view them in your
       | ZeroSSL dashboard.
       | 
       | [1]: https://caddyserver.com
       | 
       | [2]: https://github.com/caddyserver/caddy/pull/3862
        
         | linsomniac wrote:
         | I've been using Caddy on some personal and community sites for
         | around a year and it's worked out just great! The built in
         | certificate management has been so nice compared to having to
         | manage external letsencrypt tooling.
         | 
         | More recently I set up a VM at work to be a domain redirector
         | for a bunch of typo domains to our main domains, since the old
         | outsourced redirectors didn't have TLS, and it was dead simple!
        
           | ljm wrote:
           | Compared to nginx and apache, Caddy is a blast!
           | 
           | I would appreciate better and consistent documentation to do
           | more non-trivial things with Caddy, but for your basic use-
           | cases it takes a lot of the pain away. Unfortunately, nginx
           | and Apache still win on the (probably unfair) basis that
           | they've got well over 10 years of history, and all of the
           | cultural knowledge that comes with that.
        
             | schoen wrote:
             | In Apache's case, 25 years of history already! (Wow.)
        
             | mholt wrote:
             | Yeah, I feel that. I want to work on docs and knowledge-
             | transfer a lot more in 2021. 2019 and 2020 were definitely
             | full of sprinting to bring Caddy 2 up to par. I think in
             | terms of major functionality it's settling down now, so
             | docs and guides will be more feasible.
             | 
             | In the meantime, I always encourage anyone to contribute to
             | our wiki: https://caddy.community/c/wiki/13 -- there's
             | already lots of great topics there and room for plenty
             | more, especially examples.
             | 
             | Hint: there's a LOT of market space for paid content to
             | master the Caddy web server, if anyone reading this is
             | looking to profit from their expertise...
        
           | mholt wrote:
           | Awesome, glad to hear it! Let me know if you have any
           | suggestions for improvements.
        
         | bxk1 wrote:
         | For anyone else wondering why they use ZeroSSL as a fallback:
         | 
          | _"Caddy has been acquired by the company behind ZeroSSL"_
        
           | mholt wrote:
           | True, that's one reason, but I've been planning this feature
           | for years and would have implemented it either way. As
           | explained in the linked pull request:
           | 
           | - Let's Encrypt is a busy non-profit organization. We can
           | help maximize their budget by not using it as the exclusive
           | default for every server.
           | 
           | - ZeroSSL does not have rate limits and is also publicly
           | trusted. And yes, it is free to use it with ACME.
           | 
           | - ZeroSSL offers a graphical dashboard where you can log in
           | and see and download your certificates.
           | 
           | - Having more than just 1 free ACME CA is a very, very good
           | thing for the PKI ecosystem.
           | 
           | This is the beauty of standardization; if you give a server a
           | URL, you can give it two and three and four, and not have to
           | worry about global reliance on a single source.
        
             | ryan29 wrote:
             | There's also a lot of opportunity for CAs to get better
             | IMO, so competition is useful. I'd hate to see a commercial
             | company displace LE, but there are so many value adds that
             | can be sold once you're the CA of choice that it seems
             | inevitable that a commercial CA with a LE style free tier
             | is going to have a lot of opportunity.
             | 
             | IMO the biggest, easiest feature no CA has implemented is
             | CTLog monitoring / reconciliation. The problem I have with
             | LE even on a small scale is that I'm grabbing certificates
             | for ~20 (sub)domains. I also have several of them set up
             | via Cloudflare. With CTLog monitoring notifications (via
             | Cloudflare and Facebook), I get too many notifications. I
             | don't know what's coming or going or which machines are
             | requesting certificates for which (sub)domains.
             | 
             | A service like ZeroSSL is already acting like a central
             | point of certificate management (for me), so it's the ideal
             | location to do CTLog monitoring since the bulk of
             | certificate issuances happen there. That means legitimate
             | CTLog entries can be reconciled and ignored silently
             | (they'll already show up in the dashboard).
             | 
             | I'm not sure how user accounts work in ACME, but the other
             | thing I'd like is to be able to track which user or machine
             | requested a certificate.
             | 
             | I'm sure something like that could also be built as a
             | proxy. I thought about trying once, but it's firmly in my
             | "things I'll never get to" idea box. Lol.
             | 
             | Another problem I've had with LE that could use a solution
             | is a 3rd party service that I signed up for requesting
             | certificates, but not installing them correctly and hitting
             | the LE limits for that domain. If the mindshare changes
             | from LE to ACME, maybe there'll be a day where 3rd parties
             | will let me specify an ACME provider and link it to my main
             | account somehow.
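
The reconciliation ryan29 describes above (and the lookalike-issuance check he raises in a later comment), as an added example that is not code from the original thread, from ZeroSSL, or from any CT monitor. The CT entries, fingerprints, issuer names, the inventory of certificates "we" issued, and the delegated-issuer mapping for a TLS-terminating CDN are all constructed sample data; the record layout (fingerprint, issuer, SAN list) and the function names are assumptions. In practice the entries would come from a CT monitor feed and the inventory from the ACME client or CA dashboard.

```python
"""Reconcile Certificate Transparency (CT) entries against a local inventory.

All data below is constructed for illustration; the record layout is an
assumption, not the format of any particular CT monitor or CA dashboard.
"""

MONITORED = "example.com"  # the domain we are responsible for

# Fingerprints of certificates we issued ourselves (ACME client logs or the
# CA dashboard would be the real source). Constructed values.
OUR_INVENTORY = {"aa11", "bb22"}

# Third parties that legitimately hold certificates for some of our names,
# e.g. a CDN terminating TLS. Constructed mapping: issuer -> names allowed.
DELEGATED = {"Cloudflare Inc ECC CA-3": {"example.com", "www.example.com"}}

# Constructed CT entries: (fingerprint, issuer, SAN dNSNames)
CT_ENTRIES = [
    ("aa11", "R3", ["example.com", "www.example.com"]),
    ("bb22", "ZeroSSL RSA Domain Secure Site CA", ["api.example.com"]),
    ("cc33", "Cloudflare Inc ECC CA-3", ["www.example.com"]),
    ("dd44", "R3", ["dev.example.com"]),   # nobody remembers requesting this
    ("ee55", "R3", ["examp1e.com"]),       # digit 1 standing in for letter l
    ("ff66", "R3", ["unrelated.org"]),
]

# Characters commonly swapped for visually similar ones in phishing domains.
# This is a deliberately small heuristic table, not a full confusables list.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "7": "t", "8": "b", "|": "l"})


def in_scope(name: str) -> bool:
    """True for the monitored domain and any name under it."""
    return name == MONITORED or name.endswith("." + MONITORED)


def lookalike(name: str) -> bool:
    """True if an out-of-scope name folds to the monitored domain once
    common homoglyph substitutions are undone."""
    if in_scope(name):
        return False
    folded = name.lower().translate(CONFUSABLES)
    folded = folded.replace("rn", "m").replace("vv", "w")
    return folded == MONITORED or folded.endswith("." + MONITORED)


def classify(entry):
    """Return (verdict, names) for one CT entry."""
    fingerprint, issuer, sans = entry
    scoped = [n for n in sans if in_scope(n)]
    likes = [n for n in sans if lookalike(n)]
    if likes:
        return "lookalike", likes
    if not scoped:
        return "ignore", []
    if fingerprint in OUR_INVENTORY:
        return "known", scoped
    if issuer in DELEGATED and set(scoped) <= DELEGATED[issuer]:
        return "delegated", scoped
    return "unexpected", scoped


def reconcile(entries):
    """Bucket entries so that only 'unexpected' and 'lookalike' need a human."""
    report = {"known": [], "delegated": [], "unexpected": [], "lookalike": []}
    for entry in entries:
        verdict, names = classify(entry)
        if verdict != "ignore":
            report[verdict].append((entry[0], entry[1], names))
    return report


if __name__ == "__main__":
    result = reconcile(CT_ENTRIES)
    for bucket in ("unexpected", "lookalike"):
        for fingerprint, issuer, names in result[bucket]:
            print(f"ALERT {bucket}: {fingerprint} issued by {issuer} for {names}")
```

Entries already in the inventory, and entries from a delegated issuer that stay inside the names delegated to it, are reported silently; everything else for the monitored domain, plus any lookalike name, becomes an alert. Extending the delegated mapping is how the Cloudflare-issued certificates in ryan29's setup would stop generating noise.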
        
             | HeroSSL wrote:
             | Please have or be or create my babies. Dang be fucked, I
             | bypassed the commenting cocksuckery! Lucky for me.
        
       | geocrasher wrote:
       | Another player in this market is Sectigo. They are providing
       | cPanel branded free SSL certificates to cPanel servers. Some
       | hosts have switched to these because of API rate limiting done by
       | Let's Encrypt. Mind you, it's specific to cPanel (a web hosting
       | control panel) but that is a _giant_ market.
        
         | mholt wrote:
         | ZeroSSL is a Sectigo reseller.
        
         | swiley wrote:
          | The only time I've ever had a machine owned was through a
          | broken cPanel installation our professor forced on us.
         | 
         | I'm still not sure what it does that I couldn't do with a
         | normal ssh session.
        
           | geocrasher wrote:
           | It's not for people like you. It's for hosts doing mass
           | amounts of hosting for people who couldn't get a directory
           | listing at a bash prompt if their life depended on it.
        
             | swiley wrote:
              | OSX at least used to have support for opening sftp (that is,
              | file transfer over ssh) URLs in Finder. You don't need to
              | know bash to use ssh.
        
       | lambda_obrien wrote:
       | How do these services make money?
       | 
       | edit: thanks for the replies!
        
         | dewey wrote:
         | https://letsencrypt.org/sponsors/
        
         | toomuchtodo wrote:
         | Let's Encrypt is a non profit funded by donors, other vendors
         | sell value add services (the free SSL cert is marketing/a loss
         | leader).
         | 
         | More options are good, Let's Encrypt is mandatory to ensure
         | good (or non predatory or oligopoly) behavior by other cert
         | providers. It's a check on their power.
        
         | abcleb wrote:
         | Do they sell the private keys to the NSA? Maybe not. It is an
         | effort by many companies and groups to make the web more
         | secure.
        
           | hu3 wrote:
           | Let's imagine they do sell private keys to state actors
           | (which I highly doubt).
           | 
           | Would that allow transparent sniffing of traffic encrypted
           | with these certs?
        
             | AgentME wrote:
             | Most HTTPS connections today negotiate ephemeral keys at
             | the start of the connection, so even if an attacker has the
             | server's private key (which the CA never sees and couldn't
             | sell!), the attacker can't do passive listening attacks on
             | connections using it. The attacker would have to do an
             | active man-in-the-middle attack that rewrites the
             | connection and swaps out the ephemeral keys with keys known
             | to the attacker, which risks detection.
             | 
             | If an attacker has the CA's private key, then the attacker
             | can mint new HTTPS certificates. They wouldn't be able to
             | do passive listening attacks on connections, but they could
             | use an active man-in-the-middle attack to swap out the
             | server's certificate in the connection. However, this
             | attack could be detected through Certificate Transparency,
             | and the CA's leaked keys would become untrusted by
             | browsers.
        
           | blibble wrote:
           | they couldn't sell your private keys to the NSA as they don't
           | have them as they're generated locally on your machine and
           | never leave it
           | 
           | they could sell their keys, but impersonations would likely
           | be spotted thanks to certificate transparency
        
           | huhtenberg wrote:
           | They don't see the private keys.
        
           | cocoa19 wrote:
           | They can't sell the keys since they don't have them.
           | 
           | NSA could still mount an attack by asking the CA to register
           | NSA's certs as valid, and tamper the victim's network
           | connection. What makes certs secure is our trust in
           | certificate authorities.
        
         | brunoluiz wrote:
         | Let's encrypt is not run for profit, and is sponsored by many
         | companies.
         | 
         | https://letsencrypt.org/about/ https://www.abetterinternet.org/
        
           | Spivak wrote:
           | But a more direct answer to the parents question is that they
           | "make money" by providing a service that by virtue of its
           | existence saves the sponsoring companies money and headache.
           | 
           | I'm surprised this model isn't more common as an alternative
           | to licensing.
        
             | anonunivgrad wrote:
             | Collective action problem. You don't have to sponsor to
             | reap the benefits. You can pull it off for this or that
             | cause celebre, but it's not a workable model in general.
        
         | 0df8dkdf wrote:
          | Well, when you are a service that sites have to rely on to
          | renew every 90 days, the data alone from the different sites is
          | worth money.
         | 
         | " The world's most valuable resource is no longer oil, but
         | data." ~The Economist, May 6, 2017
        
           | dewey wrote:
           | Except that they (At least in LE's case) are funded by a lot
           | of companies and donors and are not in it for the money.
           | 
           | https://letsencrypt.org/privacy/#we-do-not-sell-your-data-
           | or...
        
           | hedora wrote:
           | What information can they (theoretically) gather beyond
           | certificate renewal times (which can be inferred by any web
           | scraper)?
        
             | wolco2 wrote:
              | Not all extensions can be scraped.
        
               | duskwuff wrote:
               | Roughly all SSL certificates can be discovered through
               | Certificate Transparency logs. Being the CA doesn't
               | really provide you with any additional information,
               | beyond the source IP of the agent requesting the
               | certificate (which, in most cases, is the same as the IP
               | that the certificate's hostname resolves to).
        
             | 0df8dkdf wrote:
              | Well, you don't have to scrape it. And a centralised CA
              | authority seems dangerous. I'm not saying LE is bad, it's one
              | of the good things that came along. However, whenever we trust
              | one authority it always gets dangerous. So yes, I personally
              | welcome another CA. However, don't think your data is not or
              | will not be used for something. Organizations change, and the
              | people who run the organization change.
        
               | chokeartist wrote:
                | I have run my own CA in various capacities (workplace,
                | private [hobby]). I will say that LE is wayyyy easier
               | than trying to splice in my root certificate to X number
               | of systems. Also some systems do NOT support custom self-
               | signed root certificates.
               | 
               | I acknowledge your points with the risk of intelligence
               | leaking. However most DNS is benign / not a state secret
               | in general.
        
               | TheDong wrote:
               | > Well you don't have to scrape it
               | 
               | Certificate logs from the certificate transparency
               | project [0] are already public knowledge and shared
               | freely.
               | 
               | The only thing lets encrypt gets in addition to what's in
               | those logs and publicly discoverable is what challenge
               | you chose (dns or tls), and what email you're using.
               | 
               | > So yes I personally welcome another CA
               | 
               | More CAs generally means more chance that one CA loses a
               | private key or has a vulnerability. Tragically, since
               | browsers trust all CAs for all websites, if the new CA
               | has an issue, people can forge TLS certs for my website
               | even though I have no intention of ever using that new
               | CA.
               | 
               | In a very real way, having an excess of CAs is bad for
               | the security of the entire internet. Letting anyone
               | become a trusted CA would be an unequivocal disaster, so
               | clearly more CAs isn't always good.
               | 
               | I do think there's a balance, where we should have
               | several viable CAs that we trust to be secure, but not
               | 100s of them, just 10s. We already trust a ton more roots
               | than that, so right now I see a new CA as being
               | detrimental to security overall.
               | 
                | That all being said, I'm pretty sure this CA is using an
                | existing trusted root and processes, so since it doesn't
                | require cross-signing in a new root, it's less of a big
                | deal.
               | 
               | [0]: http://www.certificate-transparency.org/how-ct-works
        
       | [deleted]
        
       | certera wrote:
        | > Why not just use Let's Encrypt? ZeroSSL comes with significant
        | advantages compared to Let's Encrypt, including access to a
        | fully-featured SSL management console, a REST API for SSL
        | management, SSL monitoring, and more.
       | 
       | This is where I shamelessly plug my project, Certera:
       | https://docs.certera.io
       | 
       | I love LE, like really really love it. I was surprised to hear
       | that certs were going from 2 to 1 year expiration and that made
       | me really pause for a second to think about the lack of proper
       | infrastructure around certificates, especially LE certs. I
       | envision these short lived certs from LE/ZeroSSL needing some of
       | the components that ZeroSSL mentioned above and much, much more.
       | Eventually, if/when we have 1 week/1 day cert expirations, we'll
       | need a certificate exchange system to better handle complex
       | scenarios where other parties are involved (i.e. when doing
       | client certs, SAML certs, etc.).
        
       | unixhero wrote:
       | Why is this needed? Genuinely curious.
        
         | the8472 wrote:
         | eggs, when the basket fell
        
       | jamescun wrote:
       | Probably just an oversight, but I find it odd their (ZeroSSL)
       | site does not use a certificate issued by their own CA, it is
       | instead one of CloudFlare's SNI certificates.
        
         | mholt wrote:
         | This is common for sites that are behind a TLS-terminating CDN.
         | (They could still be using one between their origin and
         | Cloudflare.)
         | 
         | In general it doesn't matter who issues the certificate as long
         | as they're trusted.
        
           | jamescun wrote:
           | You are correct, however CloudFlare does support supplying
           | your own certificate, and I'd consider it an element of
           | dogfooding to use their own CA on their own site.
        
           | snazz wrote:
           | It's also worth mentioning that you can give Cloudflare your
           | own certificate to use if you care what users see. I think
           | this option might require one of the paid Cloudflare plans.
        
       | cordite wrote:
       | This links to ZeroSSL.
       | 
       | They only offer 3 domains for free on their pricing page.
       | 
       | https://zerossl.com/pricing/
        
         | jakobmartz3 wrote:
         | only 3???
        
         | mholt wrote:
         | Their pricing page is being revised. You get free unlimited
         | certs through ACME, including wildcards.
         | 
         | > In an effort to ensure the widest possible SSL certificate
         | coverage around the world, our team has decided to keep all
         | ZeroSSL certificates created using the ACME protocol completely
         | free of charge.
         | 
         | https://zerossl.com/features/acme/
        
           | da_big_ghey wrote:
           | Good to know, and I'm glad there's an alternative to Let's
           | Encrypt, just in case. Is ZeroSSL trusted by old Android
           | devices? If so, that might be a work-around for Let's
           | Encrypt's cross-signing from IdenTrust expiring.
        
             | mholt wrote:
             | Yes as far as I know; their Sectigo/Comodo root is older.
             | 
             | But, you can still use Let's Encrypt with old Android
             | devices until the later part of 2021 using the alternate
             | chain: https://letsencrypt.org/2020/11/06/own-two-feet.html
             | (As a point of reference, Caddy supports configuring this
             | alternate chain.)
        
               | stephenr wrote:
               | If zerossl is reselling/a subsidiary of sectigo, that's
               | enough reason to never use this.
               | 
               | Sectigo is the new name for Comodo. The same bunch of
               | pricks who tried to trademark "Let's Encrypt".
               | 
                | Other players in the acme cert "business" are great.
                | Renaming a slime ball name and carrying on like nothing
                | happened is not ok.
        
               | pbronez wrote:
               | "If you can't beat 'em, join 'em"
        
           | yjftsjthsd-h wrote:
           | How on earth are they making money, then?
        
             | ryan29 wrote:
             | IMHO there's an opportunity for a lot of disruption in the
             | CA industry. Managing a lot of certificates gets out of
             | control pretty quickly and if they build a system with
             | decent hierarchical authentication you can start to see a
             | situation where large companies might opt to use them for
             | most (or all) certificates. Put another way, imagine being
             | able to log into your dashboard, create a sub-user and
             | assign permissions for that sub-user to issue certificates
             | for subdomain.example.com.
             | 
             | You can limit certificate issuance to a single issuer via
             | CAA in DNS, so you could set your domains to use ZeroSSL
             | exclusively and ZeroSSL could validate ownership of a
             | domain to allow you to create that hierarchy.
             | 
             | I can think of a lot of value added services that can be
             | sold alongside SSL certificates. One example would be CTLog
             | monitoring including for lookalike (FACEB00K) issuances.
             | 
             | The other thing with SSL is that a lot of people equate it
             | with domain security, so I think there's a certain level of
             | domain monitoring that could be sold alongside
             | certificates. Things like domain expiration monitoring,
             | registration of lookalike domains, NS changes, DMARC
             | reporting, etc. all start to feel like a single "domain
             | security" service.
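
A worked example of the CAA restriction ryan29 mentions, added here and not part of the thread or of any CA's code: a small evaluator of the RFC 8659 rules (climb the DNS tree to the nearest CAA RRset, use issuewild for wildcard names when present, treat an empty issuer as "nobody", refuse on an unknown critical property). The zone is constructed and nothing is queried on the wire. letsencrypt.org and sectigo.com are the identifiers those CAs document for CAA (the ZeroSSL chain is Sectigo's, per the thread), but a CA's current identifier should always be confirmed in its CPS; the function names are assumptions.

```python
"""Evaluate DNS CAA records (RFC 8659) before a CA issues a certificate.

The zone below is constructed sample data; nothing is looked up on the wire.
Each record is (flags, tag, value), mirroring the CAA wire format.
"""

# Constructed zone: owner name -> list of CAA records.
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "sectigo.com; validationmethods=dns-01"),
        (0, "issuewild", ";"),                     # no wildcard certs at all
        (0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com": [(0, "issue", ";")],     # no CA may issue here
    "other.net": [(128, "futuretag", "x")],        # critical flag, unknown tag
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80


def find_relevant_rrset(name):
    """Climb from name toward the root and return the first CAA RRset found
    (RFC 8659 section 3). Returns (owner, records) or (None, [])."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if ZONE.get(owner):
            return owner, ZONE[owner]
    return None, []


def issuer_domain(value):
    """'issuer-domain-name [; key=value ...]' -> issuer domain, '' if none."""
    return value.partition(";")[0].strip().lower()


def may_issue(name, ca_domain):
    """Return (allowed, reason) for ca_domain issuing a certificate for name."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name   # wildcard label removed before climbing
    owner, rrset = find_relevant_rrset(base)
    if not rrset:
        return True, "no CAA records in the tree: any CA may issue"
    # A critical property the CA does not understand forbids issuance.
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag not in KNOWN_TAGS:
            return False, f"unknown critical tag {tag!r} at {owner}"
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    issue = [v for _, t, v in rrset if t == "issue"]
    # issuewild governs wildcard names only when present; otherwise issue applies.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, f"CAA at {owner} carries no issue/issuewild property"
    allowed = {issuer_domain(v) for v in relevant} - {""}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is authorised by CAA at {owner}"
    return False, f"CAA at {owner} permits only {sorted(allowed) or 'nobody'}"


if __name__ == "__main__":
    for n, ca in [("www.example.com", "letsencrypt.org"),
                  ("www.example.com", "digicert.com"),
                  ("*.example.com", "letsencrypt.org"),
                  ("legacy.example.com", "sectigo.com"),
                  ("host.other.net", "letsencrypt.org")]:
        ok, why = may_issue(n, ca)
        print(f"{n:22} {ca:18} {'ALLOW' if ok else 'DENY '} {why}")
```

Pinning a domain to one issuer is then a single record (issue "sectigo.com" for ZeroSSL, say); a CA that honours CAA refuses every other request, which is also what stops the third-party service ryan29 mentioned earlier from burning a CA's rate limit on your name with certificates it never installs, provided that service uses a different CA.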
        
         | richardwhiuk wrote:
         | Plus no wildcard support (which Let's Encrypt provides).
         | 
         | They say "No REST API access" - but presumably ACME does work?
        
           | edoceo wrote:
           | What! LE does wildcard now!?
           | 
           | /me searches...
           | 
           | https://community.letsencrypt.org/t/acme-v2-production-
           | envir...
        
             | zymhan wrote:
             | Oh yes, it's a lifesaver.
        
           | rohansingh wrote:
           | Yeah, looks like ACME is indeed free and includes wildcards:
           | https://zerossl.com/letsencrypt-alternative/
        
         | surround wrote:
         | It says "no credit card required." Can they stop people from
         | making multiple accounts and getting unlimited certificates?
        
           | gtirloni wrote:
           | Throttling
        
       | qurashee wrote:
       | This reminded me the beginning of Spot/Exceed
       | https://www.youtube.com/watch?v=2qbAfyF6IIc and Contour/TBL, both
       | classic demos now.
        
       | analyte123 wrote:
       | It's good that there are alternatives, particularly those that
       | are outside the scope of US law, where at least some CAs believe
       | certificates can be revoked for copyright reasons [1]. Let's
       | Encrypt says they can revoke your cert if "our Certificate is
       | being used, or has been used, to enable any criminal
       | activity...[or] ISRG is legally required to revoke Your
       | Certificate pursuant to a valid court order issued by a court of
       | competent jurisdiction" [2]. But I'm sure Austria where ZeroSSL
       | is based is still party to a number of copyright conventions and
       | law enforcement data sharing agreements.
       | 
       | [1] https://torrentfreak.com/sci-hub-pirate-bay-for-science-
       | secu... [2] https://letsencrypt.org/documents/LE-
       | SA-v1.2-November-15-201...
        
         | gsich wrote:
         | Buypass is Norwegian.
        
         | DyslexicAtheist wrote:
         | > But I'm sure Austria where ZeroSSL is based is still party to
         | a number of copyright conventions and law enforcement data
         | sharing agreements.
         | 
         | it is!! in recent news:
         | https://news.ycombinator.com/item?id=25091994
        
       | jeremiahlee wrote:
       | Now, one of them just needs to provide certs for .onion domains.
        
         | SalimoS wrote:
          | Isn't the hash (before the .onion) the public key?
          | 
          | So technically we don't need a cert for onion
        
           | surround wrote:
           | Some onion websites use the certificate as an anti-phishing
           | measure. Since onion domains are hard to remember, a
           | certificate can verify that you are, indeed, connected to
           | e.g. Facebook's servers and not a phishing website.
        
             | bawolff wrote:
             | Presumably worked a lot better when EV certs got the fancy
             | UI
        
             | lights0123 wrote:
             | That's EV though, and it looks like DigiCert is the only
             | one that does it for .onion:
             | https://crt.sh/?Identity=%25.onion
             | 
             | They do offer ACME though:
             | https://docs.digicert.com/certificate-tools/Certificate-
             | life...
        
           | milkey_mouse wrote:
           | You're correct, but I recall a Tor dev saying at one point
           | that HTTPS for .onion wasn't completely useless, I think in
           | that more secure settings (CSP, etc.) apply to pages loaded
           | with HTTPS.
        
             | jeremiahlee wrote:
             | The Tor Project discussed the advantage a little in this
             | blog post ("Part four: what do we think about an https cert
             | for a .onion address?"):
             | https://blog.torproject.org/facebook-hidden-services-and-
             | htt...
        
       | tashian wrote:
       | The ACME protocol (used by Let's Encrypt / ZeroSSL) can be used
       | with internal infrastructure, too. I know that some folks already
       | use Let's Encrypt to issue internal TLS certificates, but that's
        | not always ideal. Step CA[1] is an ACME v2-compliant, open source
        | CA that supports the same challenge types as Let's Encrypt /
        | ZeroSSL.
       | 
       | [1]: https://github.com/smallstep/certificates/
        
         | freedomben wrote:
         | Nice, thanks for the tip! I've needed something like this a few
         | times the last few months and knew there _had_ to be something
         | out there I was missing. This looks awesome.
        
       | stephenr wrote:
       | It's been mentioned zerossl is a reseller for "sectigo", which is
       | the new name for Comodo.
       | 
       | Comodo are the bunch of cunts who tried to trademark "let's
       | encrypt". There's zero reason to give them any market share or
       | business.
        
         | 1MachineElf wrote:
         | Thanks, I wasn't aware of ZeroSSL's history there. Are there
         | any links you can share about that fiasco?
        
           | stephenr wrote:
           | https://en.wikipedia.org/wiki/Comodo_Cybersecurity#Let's_Enc.
           | ..
        
             | nickf wrote:
             | To be clear, Sectigo was split from Comodo by PE. They are
             | separate companies. The CEO at Comodo who did the LE
             | trademarking attempt hasn't been a part of Sectigo and the
             | CA for 3 years. Sectigo have also worked with LE and helped
             | to sponsor the CT log they operate.
             | 
             | It may not change your opinion, but it's important to be
             | aware of the details.
        
         | quesera wrote:
         | > Comodo are the bunch of cunts
         | 
         | Ugh, surely you're aware of how poorly that word, as an
         | epithet, lands for most of the English-speaking population.
         | 
         | Your message is worth hearing. It will be lost if you can't
         | communicate it well.
        
           | stephenr wrote:
           | Yes, it's an insult. I'm insulting them. That's why I wrote
           | it.
        
             | quesera wrote:
              | That word does not insult Comodo. It makes you easy to
              | disregard, while simultaneously being offensive to a much
              | larger group of people. Surely this doesn't surprise you?
             | 
             | If you are, in fact, a member of UK/AU lad culture, then
             | even _if_ the term is culturally-appropriate, you still
             | need to be aware of your audience to not come off as a
             | tosser [EDIT i.e. the self-identified obnoxio contingent of
             | said subculture, sigh, but of course that is the joke.
             | "Tosser" is just a generic epithet because it is not
             | focused -- which is true of "cunt" _inside_ said
             | subculture, but very much not true _outside_ said
                | subculture, including most of the audience here... I really
                | feel like this doesn't require so much explanation].
        
               | stephenr wrote:
               | _irony intensifies_
        
               | haroldp wrote:
               | "Tosser" insults masturbators, casting an even wider
               | insult-net.
               | 
               | Only it doesn't really, because everyone knows that it's
               | idiomatic. If I said you were "cool", you would not take
               | that to mean your temperature was low. :)
        
       | surround wrote:
       | Unlike LetsEncrypt, it supports certificates for IP addresses,
       | which is nice for hobbyists who don't want to buy a domain.
        
         | scaladev wrote:
         | Why would you necessarily buy a domain? I use lots of free
         | domains in .tk and .cf, they work great.
         | 
         | https://freenom.com/
         | 
         | For frequently changing IPs there are also services like
         | 
         | http://duckdns.org
         | 
         | which provide you with a third-level domain like
         | xyz.duckdns.org
        
           | djsumdog wrote:
           | .ml domains tend to disappear when they get popular, and
           | sometimes you can't even buy them at that point. With those
           | free DNSes, you get what you pay for. Don't use them for
           | anything important.
        
             | a3_nm wrote:
             | Interesting, thanks! Do you have a link to know more about
             | people to whom this happened?
        
           | snazz wrote:
           | I know three people personally who used Freenom domains and
           | lost access at some point. I've never actually been
           | successful at getting it to give me a domain in the first
           | place, but the last time I tried was years ago. So definitely
           | be careful hosting anything vaguely important on one of those
           | domains.
        
             | stevewillows wrote:
             | I've got one domain with freenom. You have to manually
             | renew it every year, but otherwise it's fine for totally
             | useless projects.
             | 
             | For anything with even the smallest bit of value, a cheap
             | tld like .party can be had for a decade for around $20.
        
           | surround wrote:
           | Why get a domain, if you don't need one?
           | 
           | The free .tk domains are only free for 1 year. And even if
           | you are only going to use it for a year, some people would
           | rather not give out their credit card number for a free
           | trial.
        
             | scaladev wrote:
             | Please stop spreading misinformation. You don't need a
             | card, you don't have to provide any identification at all.
             | The domains are free for as long as you want (I've been
             | using one for the last 3 years), you just have to click a
             | button once a year, and freenom sends you emails two weeks
             | in advance.
        
               | spurgu wrote:
               | Correct. I just got one with a fake name and address, no
               | phone number needed, nor a credit card.
        
               | surround wrote:
               | Perhaps I'm mistaken, but I believe at one point in time,
               | years ago, they required a card for the free
               | registration. It certainly wasn't my intent to spread
               | misinformation.
               | 
               | Now I'm wondering, how does Freenom make money?
        
             | da_big_ghey wrote:
             | No, they can be renewed for another free year indefinitely,
             | as far as I know. I don't believe they require a credit
             | card number, either. I've had a few freenom domains I've
             | renewed for several years in a row and just got some new
             | ones a few months ago; it's a very useful service.
        
           | nix23 wrote:
           | Don't forget freedns.
        
           | 1vuio0pswjnm7 wrote:
           | "Why would you necessarily buy a domain?"
           | 
           | E-mail is one example. Technically domain names are not
           | necessary to successfully send own mail with own server,
           | i.e., without using a 3rd party email provider. E-mail
           | predates DNS; mail software has always supported IP
           | addresses. However, today, the dominant 3rd party e-mail
           | providers will reject mail coming from an IP address not
           | associated with a domain name.
        
             | hackerbee wrote:
             | The patchwork of anti-phishing and anti-spamming measures
             | like SPF and DKIM require DNS TXT records. Allowing mail
             | from an IP address would likely be used almost exclusively
             | for spamming.
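
       The SPF half of the point above, as an added example that is not
       part of the thread: a cut-down RFC 7208 check_host() run against
       constructed TXT records (documentation addresses and made-up
       domains, no live DNS). It shows why a sender identified only by an
       IP literal has no policy to evaluate: the receiver looks up the
       HELO/MAIL FROM domain, and an IP address is not a zone anyone can
       publish a TXT record in. Only ip4, ip6, include and all are
       modelled; a, mx, ptr and exists need real DNS and are treated as
       non-matching.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# Domains and addresses are documentation ranges, not real mail infrastructure.
TXT_RECORDS: Dict[str, str] = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8:ff::/48 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10  # RFC 7208 section 4.6.4: hard cap on DNS-querying terms


def lookup_spf(domain: str, txt: Dict[str, str]) -> Optional[str]:
    """Return the SPF record for a domain, or None when there is nothing to evaluate.
    An IP literal used as the HELO or MAIL FROM domain lands on None: there is no
    zone to publish a policy in."""
    record = txt.get(domain.lower().rstrip("."))
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_host(ip: str, domain: str, txt: Dict[str, str] = TXT_RECORDS,
               _budget: Optional[List[int]] = None) -> str:
    """Simplified RFC 7208 check_host(): evaluates ip4, ip6, include and all.
    Mechanisms that need live DNS (a, mx, ptr, exists) are treated as non-matching."""
    if _budget is None:
        _budget = [MAX_DNS_MECHANISMS]
    try:
        client = ipaddress.ip_address(ip)
    except ValueError:
        return "permerror"
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if client.version == net.version and client in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"  # lookup limit hit, e.g. an include loop
            inner = check_host(ip, arg, txt, _budget)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror", "temperror"):
                return "permerror"  # RFC 7208 section 5.2 result mapping
        # any other term: no match here, move on to the next one
    return "neutral"  # record exhausted without a match (RFC 7208 section 4.7)


if __name__ == "__main__":
    for client_ip, sender_domain in [
        ("203.0.113.7", "example.org"),      # listed directly
        ("198.51.100.10", "example.org"),    # reached through include:
        ("192.0.2.1", "example.org"),        # nobody's address, hits -all
        ("192.0.2.1", "198.51.100.10"),      # HELO given as an IP literal
        ("192.0.2.1", "loop.example"),       # include: that refers to itself
    ]:
        print(f"{client_ip:>15} as {sender_domain:<24} -> {check_host(client_ip, sender_domain)}")
```

       The fourth case is the one the comment is about: with no domain
       there is no record, the result is "none", and a receiver that
       wants a policy before accepting mail has nothing to go on. The
       last case shows why the lookup budget matters; without it a
       self-including record recurses until the stack gives out.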
        
           | da_big_ghey wrote:
           | Duckdns is good, though I really like Hurricane Electric's
           | DNS: dns.he.net/
           | 
           | It offers a lot for free; I started using it when I moved off
           | cloudflare and have quite liked it.
        
             | IgorPartola wrote:
             | I really like and use HE.net but its API is definitely not
             | ideal, last I checked.
        
         | carbocation wrote:
         | I have one domain that is shared by all of my projects, which
         | sit on subdomains. It's a happy in-between for me.
        
         | dheera wrote:
         | It's usually harder to buy a static IP than a domain ...
        
           | gruez wrote:
           | According to the CAB baseline requirements it doesn't look
           | like you need to prove ownership of the IP address to get a
           | certificate for it.
           | 
           | https://cabforum.org/wp-content/uploads/CA-Browser-Forum-
           | BR-... (section 3.2.2.5.1)
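
       What "not proving ownership" looks like in practice, as an added
       example covering both surround's point about IP-address
       certificates and gruez's reading of the baseline requirements
       (this is not code from the thread, the CA, or any ACME client):
       under RFC 8738 an "ip" identifier is validated with http-01 or
       tls-alpn-01, i.e. by fetching a key authorization from whatever
       answers at that address on port 80 (or 443); dns-01 is excluded
       because an IP address has no zone to carry a TXT record. The
       block computes the key authorization from the ACME account key
       (RFC 8555 section 8.1, RFC 7638 thumbprint) and shows the URL the
       CA fetches and the comparison it makes. No network traffic is
       sent; the account JWK is a constructed placeholder with the shape
       of a JWK, not a real key, and the tls-alpn-01 path is not
       implemented.

```python
import base64
import hashlib
import ipaddress
import json
import secrets
from typing import Dict, Tuple


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses throughout (RFC 8555 section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638 section 3.2: only the required public members take part in the thumbprint,
# so "kid", "alg", "use" and friends cannot change it.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: Dict[str, str]) -> bytes:
    """SHA-256 over the required members, keys in lexicographic order, no whitespace."""
    members = THUMBPRINT_MEMBERS.get(jwk.get("kty", ""))
    if members is None:
        raise ValueError("unsupported key type for thumbprint")
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).digest()


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: the string the client serves, binding the challenge
    token to the ACME account key so another account cannot reuse the response."""
    return f"{token}.{b64url(jwk_thumbprint(account_jwk))}"


def allowed_challenges(identifier_type: str) -> Tuple[str, ...]:
    """RFC 8738: an 'ip' identifier can only be validated by reaching the address."""
    if identifier_type == "ip":
        return ("http-01", "tls-alpn-01")
    if identifier_type == "dns":
        return ("http-01", "dns-01", "tls-alpn-01")
    raise ValueError(f"unknown identifier type {identifier_type!r}")


def http01_url(identifier_type: str, identifier_value: str, token: str) -> str:
    """The URL the CA fetches on port 80. For 'ip' identifiers the host part is the
    address itself (bracketed for IPv6): what is checked is control of the host
    answering there, not ownership of the address allocation."""
    if identifier_type == "ip":
        addr = ipaddress.ip_address(identifier_value)
        host = f"[{addr}]" if addr.version == 6 else str(addr)
    elif identifier_type == "dns":
        host = identifier_value
    else:
        raise ValueError(f"unknown identifier type {identifier_type!r}")
    return f"http://{host}/.well-known/acme-challenge/{token}"


def ca_accepts(fetched_body: str, token: str, account_jwk: Dict[str, str]) -> bool:
    """CA-side comparison of the fetched body with the expected key authorization.
    Trailing whitespace is ignored (RFC 8555 section 8.3); the compare is constant-time."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return secrets.compare_digest(fetched_body.rstrip().encode("utf-8"), expected)


# Constructed placeholder account key: JWK-shaped text, not a real RSA modulus.
ACCOUNT_JWK: Dict[str, str] = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}


if __name__ == "__main__":
    token = b64url(secrets.token_bytes(16))  # RFC 8555: at least 128 bits of entropy
    keyauth = key_authorization(token, ACCOUNT_JWK)
    for ident in ("192.0.2.10", "2001:db8::10"):
        print("challenges allowed:", allowed_challenges("ip"))
        print("CA fetches:", http01_url("ip", ident, token))
        print("client must serve:", keyauth)
        print("accepted:", ca_accepts(keyauth + "\n", token, ACCOUNT_JWK))
```

       The practical consequence for the hobbyist case in this thread:
       whoever controls port 80 (or, for tls-alpn-01, port 443) at the
       address at validation time can get the certificate, so a
       dynamically assigned address that is handed to someone else later
       leaves a still-valid certificate in the previous holder's hands
       until it expires or is revoked. Short lifetimes help here as much
       as anywhere.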
        
       ___________________________________________________________________
       (page generated 2020-11-23 23:00 UTC)