Re: successfully installed openssl on hosted server - host says there is no security unless I buy separate certificate - is that right?



me@xxxxxxxxxxxxxx wrote in
news:pqhhq1dbgulisa8cofb4ksaejom571hr42@xxxxxxx:

>
> Craig,
>
> You appear to be reasonably familiar with SSL and the concepts behind
> browser/server communications, judging from the fact you have
> generated your own certificate and installed it on your server. The
> bottom line is that the communications exchanged between your server
> and a visitor's browser through an HTTPS session, will be just as
> secure using your self-signed certificate as they would be using a
> certificate purchased from Verisign or Comodo or any other vendor -
> provided the private key of the key-pair you generated is at least
> 1024-bits. However, this is purely the technological component of the
> security/trust issue.
>
> Just because a communications session between a browser and a server
> is encrypted (SSL-secured), doesn't mean "trust" is automatically
> guaranteed. This is where a so-called "trusted third party" comes
> into the equation. In the real/physical world, a passport is a form
> of "trusted" identification, because the identity of the person who
> has been issued the passport is "vouched for" by the government during
> the process involved in acquiring the passport. In this case, the
> government operates in a role of "trusted authority" (whether one
> trusts or doesn't trust the government in general is irrelevant for
> the purposes of this example, the government is recognized as being an
> authority that can vouch for the passport holder's identity). In the
> online world, the pseudo-equivalent "trusted authority" is a CA - a
> Certification Authority - as in, someone such as Verisign, Comodo,
> Thawte, etc. Here's where the authority comparison doesn't hold the
> same weight compared to physical identification such as a passport or
> driver's license. Why? Because, *who* decided these companies should
> be "trusted authorities"? Just because Microsoft (or other browser
> producer) happens to bundle the root certificates of these vendors in
> with their browser software, is not a convincing reason to assume they
> should be considered "trusted authorities". But over the past number
> of years, these companies have done a terrific job of marketing their
> business interests and have become quite firmly entrenched - in the
> minds of consumers - as exactly that - trusted "authorities".
>
> Therefore, the certificates "signed" by these companies have acquired
> a substantive level of "trust" simply because they have been issued by
> these well-known certificate vendors. And to give credit where it's
> due, in a lot of cases these vendors actually do spend some time and
> effort to check the information provided by a certificate applicant,
> and some amount of due diligence in verifying that the person/company
> that has applied, really *is* who they say they are. But, that's not
> the same thing as saying that the person who's been issued a
> certificate by one of these vendors is actually an honest business, or
> a dishonest one - and all of the certificate vendors flatly disclaim
> any responsibility or liability for anything beyond simple identity
> verification (and even that has disclaimers attached). The
> certificate's purpose is only to "validate" the (supposed) identity of
> the certificate holder. But even that is not always the case -- most
> of the big vendors offer "digital certificates in minutes", and some
> (Go-Daddy comes to mind) even state on their website that there is no
> documentation required and no telephone verification done. The
> certificate is issued the moment the payment transaction has cleared.
>
> As a consumer, you have no way of knowing if the certificate that was
> issued to xyz-widgetware website is one of these instant, "we check
> nothing" types, or a certificate that was issued after the CA actually
> spent some time reviewing copies of incorporation papers, bank
> statements, Dun & Bradstreet references, and so forth. The only thing
> the consumer sees (or doesn't see) is: the self-issued certificate
> will cause the browser to raise a security popup (once the user
> accepts the certificate, they won't get the warning again), whereas a
> certificate issued by a known vendor will not pop up any message box.
> Therefore, the real security question is: how much trust does one have
> in conducting business with an e-commerce website that is using a
> commercial certificate compared to a self-issued certificate? As
> technology professionals we might be able to understand these issues,
> but does the average consumer? We probably all know the answer to
> that - *most* consumers are click-happy - they view popups as mostly
> an annoyance, and thus quickly dispose of them with barely even a
> glance at the message.
>
> However, having said that, things are going to get more difficult for
> those end-users, and this in turn will make this issue far more
> important to anyone who uses (or doesn't use) digital certificates in
> some form or another. Those who have been following the recent
> Microsoft product information announcements regarding the upcoming
> release of IE7 and Windows Vista, will be aware that there are going
> to be impacts to SSL-enabled websites, and likely significant barriers
> to unsigned code downloads (for those developers in this group who
> offer those types of deliverables). The objective is of course to
> tighten security for end users in the interest of protecting them from
> malicious software. According to Microsoft's announcements, users are
> going to see a rise in the frequency of browser warning messages, and
> the number of 'hoops' they must jump through in order to connect to a
> site which is using 'questionable' certificates, and for existing
> certificates which may be being inappropriately used, or which are
> associated with applications or websites that implement SSL formats
> that are no longer going to be supported by IE7. There may be other
> problems that IE7 introduces for existing certificates, which have not
> yet been identified based on the details Microsoft have released so
> far. The information for software developers who do not digitally
> sign their distributables is that this is going to become more and
> more of a problem also.
>
> Is a self-signed certificate going to present a problem when judged
> against a commercial certificate? Until IE7 (and future technology
> like Vista) hits the market, it's anyone's guess. But whether it does
> or doesn't create a 'technology' problem, the real question is what is
> it worth to the bottom line? At $200 or $400, it could well be worth
> the time to learn how to generate one's own certificate; at $20 or
> $50, perhaps not.
>
> - Brian


A thoughtful and balanced post.

Regards,
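Brian's central point, that a self-signed certificate is cryptographically no weaker than a purchased one and that the browser warning is purely a trust-store matter, can be demonstrated at the command line. The script below is an added example, not part of either poster's message; it assumes the openssl CLI (1.1.0 or later) is installed, and the hostname shop.example.test is a constructed value.

```shell
#!/bin/sh
# Added example, not from the original thread: show that a self-signed
# certificate is cryptographically ordinary, that "self-signed" just means
# issuer == subject, and that the browser warning is a trust-store question.
# Requires the openssl CLI; "shop.example.test" is a constructed hostname.
set -eu

WORK="${TMPDIR:-/tmp}/selfsigned-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Generate a 2048-bit RSA key and a self-signed certificate in one step.
# (Brian's 1024-bit floor was reasonable for its day; 2048 is today's minimum.)
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=shop.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
}

# Key size in bits, read back from the generated private key.
key_bits() {
    openssl rsa -in "$WORK/server.key" -noout -text 2>/dev/null \
        | sed -n 's/^.*Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# "Self-signed" mechanically: the issuer field equals the subject field.
is_self_signed() {
    subj=$(openssl x509 -in "$WORK/server.crt" -noout -subject)
    iss=$(openssl x509 -in "$WORK/server.crt" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] && echo yes || echo no
}

# The browser warning in CLI form: with no trust anchors loaded (standing in
# for a root store that lacks this issuer), path validation fails.
verify_untrusted() {
    if openssl verify -no-CAfile -no-CApath "$WORK/server.crt" >/dev/null 2>&1
    then echo trusted; else echo untrusted; fi
}

# What "accepting the certificate" does: the same cert, now a trust anchor,
# validates. Nothing about the key or the cipher suite changed.
verify_trusted() {
    if openssl verify -CAfile "$WORK/server.crt" -no-CApath "$WORK/server.crt" >/dev/null 2>&1
    then echo trusted; else echo untrusted; fi
}

make_self_signed
echo "key size:            $(key_bits) bits"
echo "issuer == subject:   $(is_self_signed)"
echo "no trust anchor:     $(verify_untrusted)"
echo "cert as own anchor:  $(verify_trusted)"
```

The two verify calls differ only in which trust anchors the verifier holds, which is exactly the difference between the warning the visitor sees and the silent padlock a CA-signed certificate gets.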
