Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It is, however, ridiculous that DigitalOcean (a quite popular VPS provider) advises innocent webmasters to generate it in the browser with no mention of how insecure this is.

https://www.digitalocean.com/community/tutorials/how-to-set-...



It's a community contributed article - shame DigitalOcean didn't audit it properly though.


If StartSSL gets hacked you are in a bad place no matter what.

And you're more likely to screw up key safety yourself than for that narrow window to be exploited.

I don't think it's ridiculous.


I agree that there's a very slim chance, realistically, of this being exploited. But StartSSL doesn't have to be hacked for a user to be MITM'ed and served malicious JS. Especially given that their site (at least the homepage) loads over plain HTTP.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: