
Topic: self ssl certificate vs commerically issued- your thoughts as a buyer? (Read 780 times)

legendary
Activity: 2646
Merit: 1722
https://youtu.be/DsAVx0u9Cw4 ... Dr. WHO < KLF
self signed, as the CAs can't be trusted: their keys can be stolen, inside jobs, etc. But the self-signed cert should be signed with the guy's known GPG key to validate it; therefore not even the CAs can break it.

EDIT: this might also be of interest for u: http://convergence.io/

You could always get your "self-signed" SSL cert signed for free at CAcert.org. At least they have a 4096-bit root cert.

Example: http://xeronet.primeoptic.net/about-ssl.php

Convergence.io is really great! Everyone should watch Moxie's presentation - It's brilliant:

BlackHat USA 2011: SSL And The Future Of Authenticity - https://www.youtube.com/watch?feature=player_embedded&v=Z7Wl2FW2TcA

legendary
Activity: 1039
Merit: 1005
Self-signed with a GPG key is good, but it depends on two non-trivial assumptions:
- GPG key of the site's operator is known and trusted
- customer knows how to use GPG in the first place.

Onkel Paul
legendary
Activity: 1792
Merit: 1008
/dev/null
self signed, as the CAs can't be trusted: their keys can be stolen, inside jobs, etc. But the self-signed cert should be signed with the guy's known GPG key to validate it; therefore not even the CAs can break it.

EDIT: this might also be of interest for u: http://convergence.io/
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
I thought about that too.

As an alternative to the whole "cert" system I am using GPG and client-side encryption but the problem with using anything "non-standard" is that your audience gets severely reduced (so I now offer more traditional sign-ups for CIYAM Open as well and very few users are using the GPG sign-up).
member
Activity: 106
Merit: 10
I've only used commercial SSL in the past, but since this wasn't going to be browser based, I thought self-signed may be sufficient. I state on the signup page that users can switch to the SSL version and accept the certificate if they wish.

Quote
(or are you wanting to make a statement)?
I thought about that too.

David
legendary
Activity: 1039
Merit: 1005
Self-signed provides security against network sniffers but unless your users import the certificate into their browser from a secure source they could be subject to a man-in-the-middle attack.
Commercially issued certificates are quite a bit better because they are always traceable back to a root certificate - MitM attacks are much more difficult for ordinary criminals, although I think there have been cases where criminal governments have compromised CAs to obtain fake root certificates for such purposes.
As a buyer, I would be a bit uneasy when a site uses a self-signed certificate and switches between http and https "arbitrarily". Those sites that use https only for the payment pages typically state that very clearly to avoid confusion.

Onkel Paul
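The out-of-band check both the GPG-signed-cert post and Onkel Paul's "import the certificate from a secure source" point rely on, as an added Python example that is not from this thread: the site operator publishes the self-signed certificate's SHA-256 fingerprint (for instance in a GPG-signed file), and the API client refuses any peer whose certificate does not match that pin, so a MitM cannot simply substitute another self-signed cert. PINNED_SHA256 is a constructed placeholder, and host/port are whatever the caller supplies.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder, NOT a real fingerprint: replace with the value the
# operator published out of band (e.g. in a GPG-signed notice on the site).
PINNED_SHA256 = "00" * 32


def cert_fingerprint(der_bytes: bytes) -> str:
    """Hex SHA-256 of the DER certificate; same value as
    `openssl x509 -fingerprint -sha256` prints, without the colons."""
    return hashlib.sha256(der_bytes).hexdigest()


def pin_matches(der_bytes: bytes, pinned_hex: str) -> bool:
    """Accept 'AB:CD:..' or 'abcd..' pins; compare in constant time."""
    expected = pinned_hex.replace(":", "").lower()
    return hmac.compare_digest(cert_fingerprint(der_bytes), expected)


def pinned_context() -> ssl.SSLContext:
    """TLS 1.2+ client context that skips CA chain validation.

    Disabling verification is only acceptable because connect_pinned()
    makes the fingerprint check mandatory before any data is sent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_pinned(host: str, port: int, pinned_hex: str,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS socket to host:port and fail closed unless the peer's
    certificate matches the pinned fingerprint."""
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = pinned_context().wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True) or b""
    if not der or not pin_matches(der, pinned_hex):
        tls.close()
        raise ssl.SSLCertVerificationError(
            "peer certificate fingerprint %s does not match the pin"
            % cert_fingerprint(der))
    return tls
```

Rotating the certificate means publishing a new pin the same way, so the pin file should carry both the old and the new fingerprint during the changeover.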
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
I expect that a lot of people would be put off by a "self-signed" certificate just because it seems a bit "too cheap" (even if they weren't worried about the lack of any CA trust-chain).

It really doesn't cost very much to get a cert that is issued so why not spend the money (or are you wanting to make a statement)?
member
Activity: 106
Merit: 10
I recently added accepting bitcoin on one of my sites using bitpay. Since the transaction happens over at the bitpay site, what I needed to secure was the API data sent behind the scenes. Therefore I used a self-signed SSL certificate. The only personal information recorded on the site is a signup email.

As bitcoin users, is this an acceptable level of security to you? Or do you require SSL on the whole site? Does it have to be a commercial SSL?

David