Bitcoin Forum>Other>Off-topic
Author

Topic: Encrypted HTTP client-server connection (Read 1547 times)

Basiley
newbie
Activity: 42
Merit: 0
Encrypted HTTP client-server connection
June 12, 2011, 11:23:13 PM
#13
Quote from: WilliamJohnson on June 12, 2011, 05:14:05 AM
I think he was referring to self-signed certificates, which you can create yourself.
These certificates causes your browser to display a warning (and Firefox warning is pretty dissuasive), because they aren't secure (they're vulnerable to man-in-the-middle attacks).

StartSSL "class 1" certificates, albeit free, are signed by a Certification Authority (StartCom), and display no warning in your Web-browser. (They aren't vulnerable to man-in-the-middle attacks).
yep.
but as long as typical hijacker, which is frequently feds/isp, can/might hijack you isp, he can mimic CA activity too, with help of altered browser binary update. there is no way to combat that, than enforce both IPv6 deployment/usage for any kind of mission-critical/society-critical/survival-critical intrastructure/network with enforced crypto and DNSSec too, while both isn't invulnerable, but step ahead.
WilliamJohnson
newbie
Activity: 47
Merit: 0
Re: Encrypted HTTP client-server connection
June 12, 2011, 05:14:05 AM
#12
I think he was referring to self-signed certificates, which you can create yourself.
These certificates causes your browser to display a warning (and Firefox warning is pretty dissuasive), because they aren't secure (they're vulnerable to man-in-the-middle attacks).

StartSSL "class 1" certificates, albeit free, are signed by a Certification Authority (StartCom), and display no warning in your Web-browser. (They aren't vulnerable to man-in-the-middle attacks).
turlando
full member
Activity: 350
Merit: 100
Re: Encrypted HTTP client-server connection
June 12, 2011, 03:30:22 AM
#11
Quote from: Basiley on June 11, 2011, 03:21:18 PM
Quote from: hamdi on June 11, 2011, 12:02:03 PM
you can use SSL without a paid certificate. given the users trust your non-validated cert.
which make everything you do, useless, because someone can [for example. not only one]can intercept/proxy you traffic, redirecting it.
thats why/how signing/PKA/PCS work and WHY you actually NEED "paid" certificate.
Do you suggest me StartSSL or another one else?
Basiley
newbie
Activity: 42
Merit: 0
Re: Encrypted HTTP client-server connection
June 11, 2011, 03:21:18 PM
#10
Quote from: hamdi on June 11, 2011, 12:02:03 PM
you can use SSL without a paid certificate. given the users trust your non-validated cert.
which make everything you do, useless, because someone can [for example. not only one]can intercept/proxy you traffic, redirecting it.
thats why/how signing/PKA/PCS work and WHY you actually NEED "paid" certificate.
WilliamJohnson
newbie
Activity: 47
Merit: 0
Re: Encrypted HTTP client-server connection
June 11, 2011, 01:02:47 PM
#9
The Class1 validation validates your domain name. (They do it by sending you a verification link to [email protected] or a similar address.)
The Class2 validation validates your identity. (You have to send them a picture of your identity card).

Now, as far as encryption goes, I don't think there's a difference between the different classes.

DISCLAIMER: I haven't used any of their certificates myself. (Yet. Except their client certificate.)
turlando
full member
Activity: 350
Merit: 100
Re: Encrypted HTTP client-server connection
June 11, 2011, 12:32:59 PM
#8
Quote from: WilliamJohnson on June 11, 2011, 12:18:20 PM
Yes, their basic certificate isr free.

From their FAQ:

Quote from: StartCom
90.) Why are Class 1 certificates free?
The philosophy of StartCom is guided by the principal that our services are charged according to the effort we have to invest. Since Class 1 certificates are domain and/or email validated only and the process is performed mostly by electronic and automatic means, StartCom doesn't apply any fees for this type of certification. StartCom started the certification authority a few years ago with the goal to provide free digital certification and adopted a unique business model previously unknown in this industry.

I'd suggest you have a look at their website: StartSSL™ Comparison Chart

I see that I don't think I really need the things that the free version doesn't offer. The only thing which I am in doubt is the validation level: what the class two or three comports than the class one?
WilliamJohnson
newbie
Activity: 47
Merit: 0
Re: Encrypted HTTP client-server connection
June 11, 2011, 12:18:20 PM
#7
Yes, their basic certificate isr free.

From their FAQ:

Quote from: StartCom
90.) Why are Class 1 certificates free?
The philosophy of StartCom is guided by the principal that our services are charged according to the effort we have to invest. Since Class 1 certificates are domain and/or email validated only and the process is performed mostly by electronic and automatic means, StartCom doesn't apply any fees for this type of certification. StartCom started the certification authority a few years ago with the goal to provide free digital certification and adopted a unique business model previously unknown in this industry.

I'd suggest you have a look at their website: StartSSL™ Comparison Chart
turlando
full member
Activity: 350
Merit: 100
Re: Encrypted HTTP client-server connection
June 11, 2011, 12:11:52 PM
#6
Quote from: WilliamJohnson on June 11, 2011, 11:59:00 AM
Nope, they sign it. They're a Certification Authority.
For free? I don't know so much about certificates.
hamdi
hero member
Activity: 826
Merit: 500
Re: Encrypted HTTP client-server connection
June 11, 2011, 12:02:03 PM
#5
you can use SSL without a paid certificate. given the users trust your non-validated cert.
WilliamJohnson
newbie
Activity: 47
Merit: 0
Re: Encrypted HTTP client-server connection
June 11, 2011, 11:59:00 AM
#4
Nope, they sign it. They're a Certification Authority.
turlando
full member
Activity: 350
Merit: 100
Re: Encrypted HTTP client-server connection
June 11, 2011, 11:55:13 AM
#3
Quote from: WilliamJohnson on June 11, 2011, 11:49:45 AM
StartSSL (http://www.startssl.com/) delivers free SSL certificates.
Like self-signed certificate? And so completely useless?
WilliamJohnson
newbie
Activity: 47
Merit: 0
Re: Encrypted HTTP client-server connection
June 11, 2011, 11:49:45 AM
#2
It depends on where you decide to buy your certificate.

StartSSL (http://www.startssl.com/) delivers free SSL certificates. Their root CA certificate is accepted by all browsers, as far as I know.
Their cheapest paid-for certificate costs $60 and is valid for 2 years. (It's not that expensive IMHO)
turlando
full member
Activity: 350
Merit: 100
Re: Encrypted HTTP client-server connection
June 11, 2011, 11:29:26 AM
#1
Hi there,
I'm writing the code for a pool but I am sure that some informations need to transfer in a secure connection with the server. Most pools use an SSL certificate to make the connection secure: how much could it cost? Initially I thought that I could use javacript to encrypt with sha2 the password field in the form before sending it to the server, but there are other informations that I can't send in encrypted form, as the bitcoin address of every user. So I found this but I am not very convinced about that. There other ways? Which is the best?

Thanks,
turlando.
Bitcoin Forum>Other>Off-topic
Jump to: