Re: successfully installed openssl on hosted server - host says there is no security unless I buy separate certificate - is that right?
- From: "NotGiven" <noname@xxxxxxxxxxxxxxxxx>
- Date: Tue, 20 Dec 2005 14:03:22 -0500
"Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in message
news:PVGpf.48609$uR.28841@xxxxxxxxxxxxxxxxxxxxxxx
> "NotGiven" <noname@xxxxxxxxxxxxxxxxx> wrote in message
> news:fWEpf.1844$RZ6.18@xxxxxxxxxxxxxxxxxxxxxxxxx
>> I successfully installed openssl on hosted server. The host company says
>> that it offers no security or encryption unless I buy a certificate from
>> them or a third party like verisign.
>>
>> If I try to open my site using httpS://, a prompt pops up telling me the
>> cert is not certified by anyone and do I want to accept it.
>>
>> I accept it and there is a locked key in the browser.
>>
>> Is the traffic encrypted (thus the tech is wrong)?
>>
>> It is interesting in that the hosting company's login has the SAME prompt
>> when logging in.
>
> Hokay. Here's how it works (the quick version, I hasten to add!)
>
> Basically, there are two types of certificate that allow either a client
> or server to stake a claim as to who they are. The most common - and the
> one you're interested in - is a server certificate.
>
> There are a couple of basic checks that a browser can run (does it match
> the URL? Is it out of date?), but, end of the day, it's the "clueless
> user" that must decide (note quotes).
>
> Of course, they wouldn't necessarily know a phishing site from a hole in
> the ground, so what it took was someone to have a bright idea.
>
> Like most things in (fairly modern) Computing, these certificates are
> hierarchical - although they /can/ exist on their own, they don't /have/
> to.
>
> Rather than a "self signed" certificate (= "hand me a mirror; yep, that's
> me"), you can beg or buy (but not necessarily borrow or steal) a
> "sub-certificate" from someone else. If that someone else is big enough
> (e.g. Verisign) and is willing to post a legal safeguard or two (I don't
> think the concept of "this business will last about 40 seconds after the
> first proven compromise" occurred to the lawyers), then they become a
> "Trusted Third Party".
>
> In other words, I might not trust /your/ site, but I trust the TTP to
> have done at least a little bit of checking, and have at least some
> come-back, should you disappear with my life savings.
>
> Now, I see that you're using OE, and so are probably also using IE - go
> to an SSL site (e.g. the login screen for your bank, or eBay), and
> double-click the padlock. Take a look at the "Certification Path" tab -
> the TTP is the one at the top. Firefox et al all have their own way of
> doing things, but the information you get is (should be!) the same.
>
> Hokay, so that's why most HTTPS (SSL) sites /don't/ pop up a window -
> there is a list of TTPs (jargon alert: "TTP" is a simple concept that can
> be understood by managers, so techies use the term "Certification
> Authorities", or "CA"s) - it's only if your certificate isn't one of
> these that a warning pops up.
>
> In IE, it's so (ahem) rooted in the structure that "trust this
> certificate" won't actually work in most cases - you have to go to the
> aforementioned popup and trust the CA (or "root") certificate. It's
> called "root" because, well, why only have two terms to describe exactly
> the same thing?
>
> Any year now, one of our developers is going to realise this, and ditch
> the whole self-signed CA thing when most of our products are installed.
> It'll probably take a dark alley...
>
> Anyway.
>
> Now that we have a certificate, we need a way of guaranteeing that this
> is passed unmolested betwixt server and client; this is where Nutscrape's
> SSL comes in - a mechanism to securely allow the client to decide whether
> to trust a certificate.
>
> So, what encryption does that get us, in terms of securing what your user
> is typing?
>
> Well, none.
>
> Nada.
>
> Nothing whatsoever.
>
> SSL is a mechanism that employs encryption to authenticate one or more
> sides of the conversation. There's no data traffic involved whatsoever.
>
> SSL == Encryption has always been an Urban Myth, and one that most
> techies who know the difference just nod sagely and ignore - after all,
> in The Real World, there's pretty much *always* a variety of encryption
> suites used. "Pretty much" in this context means "this has put food on my
> table for nearly seven years, and I've yet to see someone select the
> option. But it *is* there, so some marked-for-evolutionary-deletion idiot
> probably /has/ configured it at some point"
>
> So, to give you the short answer:
>
> 1. You can use a self-signed certificate, which must be in the format
> that your hosting provider's web servers understand (let's face it, put
> two techies in a room, ask them to work out a universal way of doing
> something, and you'll get three incompatible standards)
>
> 2. This will pop up a dialog box that - if you've got everything right -
> will be only moderately terrifying in IE (one red warning, two green
> ticks) or make you hide behind the sofa (Sun JRE)
>
> 3. If you buy a certificate from someone, then the user won't see a
> thing - again, assuming that you've got everything right - but won't
> necessarily achieve any more than not scaring the bejezus out of
> prospective customers. Some companies use "proper" certificates for
> anything that a customer would see, but use self-signing for things like
> WebMail.
>
> 4. Any encryption will be negotiated between the server and the client;
> best practice dictates the strongest possible, but one side can always
> veto. Some servers let you set a minimum level, but you're generally at
> the mercy of your hosting provider.
>
> HTH
>
> --
>
> Hairy One Kenobi
>
> Disclaimer: the opinions expressed in this opinion do not necessarily
> reflect the opinions of the highly-opinionated person expressing the
> opinion in the first place. So there!
Wow - thanks for the explanation - many thanks
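The reply above lists what a browser actually checks before it shows the padlock silently (does the chain end at a root it already trusts? does the name match the URL? is the certificate out of date?) and why a self-signed certificate gets a prompt while a CA-issued one does not. The script below is an added example, not code from either poster: it uses the openssl command line the original poster already has to build a small private CA, issue one server certificate from it, create a second, self-signed certificate for the same host, and run each of those checks against both. The CA name, hostnames and lifetimes are constructed for the demo, and it assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not code from the thread or from either poster): reproduce the
# certificate checks a browser runs, using the openssl CLI. Assumes openssl
# 1.1.1 or later. Every name, hostname and lifetime below is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch directory for keys and certificates
HOST="www.example.test"           # constructed server hostname
CA_CN="Example Private CA"        # constructed name for our own root CA

# The root is itself self-signed: a commercial CA's root is the same kind of
# certificate, it just happens to ship pre-trusted in every browser.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$CA_CN" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# The "bought" certificate: a request for the server, signed by the root above.
make_ca_signed() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" \
    > "$WORK/server.ext"
  openssl x509 -req -days 90 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# The "hand me a mirror" certificate: the server vouches for itself.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" \
    -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

# accepts STORE CERT [HOSTNAME]: exit 0 if a client whose trust store is STORE
# would accept CERT silently (chain ends at a trusted root, dates valid and,
# when HOSTNAME is given, the name matches). Non-zero means "warning dialog".
accepts() {
  store=$1; cert=$2; name=${3:-}
  if [ -n "$name" ]; then
    openssl verify -CAfile "$store" -verify_hostname "$name" "$cert" >/dev/null 2>&1
  else
    openssl verify -CAfile "$store" "$cert" >/dev/null 2>&1
  fi
}

# still_valid_in CERT SECONDS: exit 0 if CERT will not have expired SECONDS
# from now (the "is it out of date?" check, run against a future date).
still_valid_in() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# show LABEL CMD...: print one line of the report for the check CMD.
show() {
  label=$1; shift
  if "$@"; then printf '%-56s accepted\n' "$label"; else printf '%-56s WARNING\n' "$label"; fi
}

make_ca; make_ca_signed; make_self_signed

show "CA-signed cert, client trusts the CA"             accepts "$WORK/ca.crt"   "$WORK/server.crt"
show "CA-signed cert, hostname matches"                 accepts "$WORK/ca.crt"   "$WORK/server.crt" "$HOST"
show "CA-signed cert, hostname does not match"          accepts "$WORK/ca.crt"   "$WORK/server.crt" "mail.example.test"
show "self-signed cert, client trusts only the CA"      accepts "$WORK/ca.crt"   "$WORK/self.crt"
show "self-signed cert, user chose 'trust this cert'"   accepts "$WORK/self.crt" "$WORK/self.crt"
show "CA-signed cert, valid today"                      still_valid_in "$WORK/server.crt" 0
show "CA-signed cert, still valid 100 days from now"    still_valid_in "$WORK/server.crt" $((100 * 86400))
```

Running `accepts` with the self-signed certificate as its own trust store is the command-line equivalent of the user clicking through the prompt: nothing about the certificate changes, only the client's trust store does, which is why the warning disappears for that one user and nobody else. Point 4 of the reply, a server-side minimum level, is a separate setting from the certificate; on nginx, for example, it is `ssl_protocols TLSv1.2 TLSv1.3;`.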