Author

Topic: self ssl certificate vs commerically issued- your thoughts as a buyer? (Read 789 times)

legendary
Activity: 2646
Merit: 1722
https://youtu.be/DsAVx0u9Cw4 ... Dr. WHO < KLF
self signed as the CAs cant be trusted, their keys can be stolen, inside jobs, etc. but the self signed cert should be signed with the guys known GPG key to validate it Smiley therefore not even the CAs can break it  Cool

EDIT: this might also be of interest for u: http://convergence.io/

You could always get your "Self-Signed" SSL Cert. Signed for free at CAcert.org At least they have a 4096 bit Root Cert.

Example: http://xeronet.primeoptic.net/about-ssl.php

Convergence.io is really great! Everyone should watch Moxie's presentation - It's brilliant:

BlackHat USA 2011: SSL And The Future Of Authenticity - https://www.youtube.com/watch?feature=player_embedded&v=Z7Wl2FW2TcA

 Cheesy
legendary
Activity: 1039
Merit: 1005
Self signed with GPG key is good but depends on two non-trivial assumptions:
- GPG key of the site's operator is known and trusted
- customer knows how to use GPG in the first place.

Onkel Paul
legendary
Activity: 1792
Merit: 1008
/dev/null
self signed as the CAs cant be trusted, their keys can be stolen, inside jobs, etc. but the self signed cert should be signed with the guys known GPG key to validate it Smiley therefore not even the CAs can break it  Cool

EDIT: this might also be of interest for u: http://convergence.io/
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
I thought about that too.

As an alternative to the whole "cert" system I am using GPG and client-side encryption but the problem with using anything "non-standard" is that your audience gets severely reduced (so I now offer more traditional sign-ups for CIYAM Open as well and very few users are using the GPG sign-up).
member
Activity: 106
Merit: 10
I've only used commercial ssl in the past, but since this wasnt going to be browser based, thought self signed may be sufficient. I state on the signup page that users can switch to the ssl version and accept the certificate if they wish.

Quote
(or are you wanting to make a statement)?
I thought about that too.

David
legendary
Activity: 1039
Merit: 1005
Self-signed provides security against network sniffers but unless your users import the certificate into their browser from a secure source they could be subject to a man-in-the-middle attack.
Commercially issued certificates are quite a bit better because they are always traceable back to a root certificate - MitM attacks are much more difficult for ordinary criminals, although I think there have been cases where criminal governments have compromised CAs to obtain fake root certificates for such purposes.
As a buyer, I would be a bit uneasy when a site uses a self-signed certificate and switches between http and https "arbitrarily". Those sites that use https only for the payment pages typically state that very clearly to avoid confusion.

Onkel Paul
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
I expect that a lot of people would be put off by a "self-signed" certificate just because it seems a bit "too cheap" (even if they weren't worried about the lack of any CA trust-chain).

It really doesn't cost very much to get a cert that is issued so why not spend the money (or are you wanting to make a statement)?
member
Activity: 106
Merit: 10
I recently added accepting bitcoin on one of my sites using bitpay. Since the transaction happens over at the bitpay site, I needed to secure is the API data sent behind the scenes. Therefore I used a self signed SSL certificate. The only personal information recorded on the site is a signup email.

As bitcoin users, is this an acceptable level of security to you? Or do you require SSL on the whole site? Does it have to be a commercial SSL?

David
Jump to: