Self-signed SSL or CA certificate?

I would like the authentication and registration parts of my site to be encrypted (for obvious reasons). This site is currently an older site that some friends and I started in high school and still use today. I may or may not register it as a non-profit organization in the near future, but in any case, the CA is worth the money, and the organization does not, and we are currently college students.

Verisign is unreasonable, and GoDaddy is $30 a year. GoDaddy is not too unreasonable, and I think that their certificates are accepted by most web browsers. The thing with GoDaddy is that I don't know why they have different SSL products (i.e., why not cheaply check me? Does this have any consequences for the certificate and how the browser treats it if it just contains the domain name?)

Also, is there a problem using my own certificate? Can the login page be HTTP, with a line that says that I am using a self-signed certificate, and here is its fingerprint, and then send the form to the HTTPS page? The Safari method is not too bad or sounds too scary. I'm afraid, however, that the Firefox 3 method will scare people away and give me a ton of emails saying that my site is hacked or something like that. I do not know how IE responds to self-signed certificates. (There is also the question of why pay for what I can create on my own, without effort, but I will not represent its philosophical part; this is a more practical question.)

In general, do I give GoDaddy $30 a year, or just tell people in a small paragraph what I am doing and give the fingerprint to the few people who really want to get it?

Edit: Someone on a forum that I read for more information mentioned that GoDaddy certificates are only provided on the GoDaddy server, which is not. Two things: (1) is this true? And there is another CA at about the same price, so the argument should be the same.

+43
ssl self-signed ca
Nov 15 '08 at 16:31
9 answers

An SSL certificate serves two purposes: traffic encryption (for RSA key exchange, at least) and trust verification. As you know, you can encrypt traffic (or without, if we say SSL 3.0 or TLS) with any self-signed certificate. But trust is exercised through a chain of certificates. I do not know you, but I trust Verisign (or at least Microsoft, because they paid a lot of money to install it on their operating systems by default), and since Verisign trusts you, I trust you too. As a result, there is no scary warning when I go to such an SSL page in my web browser, because someone I trust said that you are who you are.

As a rule, the more expensive the certificate, the larger the investigation of what issues the certificate. Thus, for advanced verification certificates, applicants must submit more documents to prove that they are who they say, and in return they get a bright, happy green bar in modern web browsers (I think Safari does nothing with it quite yet).

Finally, some companies go with the big boys, such as Verisign, solely for the brand name; they know that their customers have at least heard of Verisign, and therefore for people shopping in their online store, their print looks a little smaller than a sketch than, say, GoDaddy's.

If branding is not important to you or your site is not prone to phishing attacks, then the cheapest SSL certificate you can buy whose root is installed in most web browsers by default will be great. Typically, the only check is that you should be able to reply to the email sent to the DNS administrative contact, thereby "proving" that you "own" this domain name.

You can use these cheap-o certificates on servers other than GoDaddy, of course, but you may have to install an intermediate certificate on the server first. This is the certificate that lies between your cheap-o $30 certificate and GoDaddy's "real deal" root certificate. The web browsers visiting your site will go "hmm, it looks like it was signed with an intermediary, do you have it?", for which it may require an extra ride. But then it will request the intermediate from your server, make sure that it is tied to a trusted root certificate that it knows about, and there are no problems.

But if you are not allowed to install an intermediate link on your server (for example, in shared hosting mode), you are out of luck. This is why most people say that GoDaddy certificates cannot be used on servers without GoDaddy. Not true, but enough for many scenarios.

(At work, we use the Comodo certificate for our online store and the cheap-o $30 GoDaddy cert to provide internal database connectivity.)

Edited in italics to reflect erickson's clarifications below. Learn something new every day!

+31
Nov 15 '08 at 17:24

There is a common misconception that self-signed certificates are inherently less secure than those sold by commercial CAs, such as GoDaddy and Verisign, and that you must live with browser warnings / exceptions if you use them; wrong.

If you reliably distribute a self-signed certificate (or CA certificate, as suggested by bobince) and install it in the browsers that will use your site, it will be as safe as one that was purchased and not vulnerable to man-in-the-middle attacks and certificate forgery. Obviously, this means that this is only possible if only a few people need secure access to your site (for example, internal applications, personal blogs, etc.).

In the interest of raising awareness and encouraging unlikely bloggers like me to protect themselves, I wrote an entry-level tutorial that explains the concepts of certificates and how to safely create and use your own self-signed cert (complete with sample code and screenshots): http://www.clintharris.net/2009/self-signed-certificates/ . Feedback is welcome!

+49
Feb 05 '09 at 2:00

I have not tried them yet, but StartCom was mentioned in the answer to a similar question. Apparently, you can get an annual certificate for free, and it is accepted by Firefox 3.

Even if you have to pay, I would suggest using CA rather than self-signed certificates. Some people will not see your explanation, and a fake site may publish its own fake certificate fingerprint just as you suggest. I doubt that the average user knows what a fingerprint of a certificate is or how to verify it.

+9
Nov 15 '08 at 16:52

Instead of creating a self-signed certificate, create a self-signed CA and sign your HTTPS certificate. It’s easier to ask users to install a CA rather than a single server certificate, and you can create new certificates (for example, for subdomains or renew obsolete certificates) without having to reinstall the server certificate.

You can then decide later whether it is worth $30 to switch from a certificate signed by your own CA to the same certificate signed by GoDaddy or by anyone else.

In any case, you do not have an HTTP page with a form submitted to HTTPS. The user cannot see this happening; they would have to look at the source to verify that the form was not captured, to indicate elsewhere, and no one was going to do it. You will need to have a front HTTP page with a CA link and a separate link to the HTTPS login form.

Asking users to set up a CA with a certificate downloaded via simple HTTP is a bit mischievous: if the person was in the middle, they could replace your CA on the fly and capture subsequent HTTPS connections. The chances of this are actually quite low, as it should have been a targeted attack, not just an old automatic sniffing, but in fact you should post the CA download link to some other HTTPS protected service.

Accepting a customer is a question that you can answer by knowing who your users are. Of course, the Firefox interface is too scary. If CAs like GoDaddy have dropped to $30 these days, I would probably go for it; it was much, much worse.

Assuming support for old and niche browsers is not a problem, just select the cheapest CA. You have to pay to have the CA verify who you are, but in practice it’s not how it works, and it never has been, so paying extra for more thorough checks almost doesn’t work. Verisign extortion prices survive only through corporate inertia.

CAs must receive money for not doing anything, but owning several hundred private keys. Identity material that should have been part of the CA mandate has been transferred to EV certificates. What is more ripping. Joy.

+6
Nov 15 '08 at 17:00
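The private-CA approach described in this answer (and the chain check an installed CA makes possible, as the erickson answer describes for intermediates), as an added example that is not part of any answer above: it creates a self-signed CA, issues a server certificate signed by it, and then checks both that certificate and an unrelated self-signed one against the CA the way a browser with the CA installed would. The CA name, the hostname `login.example.test` and the working directory are assumed.

```shell
#!/bin/sh
# Added example, not code from this page. Assumptions: openssl on PATH, a
# writable temp dir, and made-up names ("Friends CA", login.example.test).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create the private CA: a self-signed certificate with CA:TRUE (req -x509 default).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Friends CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a server certificate for a hostname, signed by the CA's private key.
# New certs (subdomains, renewals) come from here; the installed CA stays as-is.
issue_cert() {  # $1 = hostname, $2 = output basename
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/$2.pem" 2>/dev/null
}

# Chain check against the installed CA only; prints "ok" or "fail".
verify_against_ca() {  # $1 = certificate file
  if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# SHA-256 fingerprint: the value you would publish for out-of-band comparison.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

make_ca
issue_cert "login.example.test" "server"
# Constructed impostor: a self-signed cert claiming the same hostname, but not
# chained to the CA users installed, so the chain check rejects it.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=login.example.test" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null

echo "signed by our CA: $(verify_against_ca "$WORK/server.pem")"   # ok
echo "impostor cert:    $(verify_against_ca "$WORK/rogue.pem")"    # fail
echo "CA fingerprint:   $(fingerprint "$WORK/ca.pem")"
```

Users who install `ca.pem` in their browser get the same chain check for every certificate you later issue, which is why the answer prefers a CA over a single server certificate.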

Self-signed certificates are not secure. Yes indeed. "At least it's encrypted" doesn't help at all. From the article:

world-class encryption * zero authentication = zero security

If your site is for you and a few of your friends, you can create your own certification authority and distribute the certificate to friends.

Otherwise, either get a certificate from a well-known CA, or not bother with self-signed certificates at all, because all you got is a false sense of security.

Why is encrypted traffic simply not secure? You always allow the other end to decrypt your traffic (you must, otherwise you will send gibberish).

If you do not check who is on the other end, you allow someone to decrypt your traffic. Whether you send data to the attacker is wrong or not reliable, the attacker still receives the data.

I'm not talking about verification, for example, paypal.com belongs to a reputable financial institution (this is a big problem).

I'm talking about checking sending data to paypal.com or just to the van around the corner that sends a certificate saying, “Yes, I’m completely paypal.com, and you have a word that is true!”

+2
Nov 15 '08 at 17:05

I just broke down and switched my server from a self-signed certificate to a GoDaddy one last night, and it wasn't such a big deal, except for their process not being as clear as it could be. $30/year is a reasonable cost, and using the certificate on a server other than GoDaddy's is not a problem.

If you are going to publish SSL, get a real certificate signed by a real certificate authority. Even if you work for minimum wage, you will save more than $30 a year in time spent combating fears or mistrust of users, even before considering any possible lost income due to people being scared off your site.

+2
Nov 15 '08 at 17:19

To answer your question about Internet Explorer, it will alert users to any site whose certificate is not signed by IE-known (unfortunately, "trusted") CA. This applies to your own CA and self-signed certificates. It also issues a warning if the domain in the certificate is not the one that is being accessed.

If this is a private site, it may not matter to you as long as you get link-level encryption (and are you worried that someone is sniffing your traffic?). If you have public access and you want to use SSL, you will receive a signed certificate from a recognized CA, as others have already reported.

+1
Nov 15 '08 at 20:13

If this van around the corner can already take over your Internet connection, you have problems worse than self-signed certificates.

Banks must use client certificates for authentication. This would make it impossible for this van to do anything ... since it does not have a private bank key.

Self-signed certificates are great ... if your internet connection has not been compromised. If your connection has been compromised ... you are probably pursuing anyway.

+1
Nov 19 '09 at 14:52

GoDaddy provides SSL certificates for $15 per year through this purchase link on this site. Do not use coupon codes, because then the price goes back up to $30 per year and discounts from there.

http://www.sslshopper.com/ssl-certificate-comparison.html?ids=17,25,34,37,62

0
Nov 18 '08 at 10:49