Solved

*** BEST SSL CERTIFICATE?

Posted on 2004-10-21
3,602 Views
Last Modified: 2012-06-27
I would like to know which is best.

I would also like to know if there are any free ones.


Godaddy's one offers a free dedicated IP - how's this work?
0
Question by:Serotonin_X_Infinite
    18 Comments
     
    LVL 51

    Expert Comment

    by:ahoffmann
    >  I would like to know which is best.
    there is no difference.
    Or what in particular do you mean with "best"?

    > I would also like to know if there are any free ones.
    any cert you make yourself is free, somehow. Just install your own CA and make your own self-signed cert (for example using openssh). But keep in mind that you need people to trust *your* cert ;-)
    0
     
    LVL 1

    Author Comment

    by:Serotonin_X_Infinite
    how do I make it trusted by default like the paid for ones?
    0
     
    LVL 13

    Expert Comment

    by:hstiles
    The point of a certificate being trusted is that it has been issued by a trusted certificate authority.  So the point of a trusted certificate is completely negated if you have a certificate that you have created yourself.  Such certificates are fine for internal use to secure resources, etc... but if you are publishing a commercial site, users would be quite justified in questioning the authenticity of your site if it using a certificate that you have issued yourself.
    0
     
    LVL 8

    Expert Comment

    by:RLGSC
    Serotonin,

    There is no "Best". It is a question of which Certification Authority is trusted. All of the major firms in this sector (e.g., Verisign, Thawte, GoDaddy, and some others) have name recognition. The important question is "Who is trusted by your customers?"

    Self-signed certificates represent another class of problem entirely. Certifying that "you are yourself" is not generally useful, except for testing. Internally, within your organization, it is possible to have an internal Certification Authority, whose authenticity should be tied back to a master company certificate issued by an external Certification Authority.

    The reason that I say "tied to a master company certificate issued by a major certification authority" is simple. Web browsers and other certificate-aware packages generally install knowing the identity of major certification authorities. Using this knowledge to your advantage saves large amounts of effort. Otherwise, you would have to install your company's root certificate in each and every system in the organization, a large initial project, and a large ongoing maintenance effort. The minimal amount required to get a master certificate from an external certification authority is inexpensive by comparison.

    I hope that the above is helpful.

    - Bob (aka RLGSC)
    0
     
    LVL 51

    Expert Comment

    by:ahoffmann
    >  how do I make it trusted by default like the paid for ones?
    buy a "trusted" cert to sign your own ;-)
    0
     
    LVL 51

    Expert Comment

    by:ahoffmann
    Or ask yourself: would you trust someone showing you his/her self-made passport, insisting on telling you that everything you see is the truth?
    0
     
    LVL 9

    Accepted Solution

    by:
    you can get it for free: http://www.cacert.org/
    this is kind of an open source approach to certification. And it explains everything you need on the site. It is free, so you don't have to pay, but you have to identify yourself to be trusted.
    0
     
    LVL 1

    Author Comment

    by:Serotonin_X_Infinite
    Thankyou
    0
     
    LVL 8

    Expert Comment

    by:RLGSC
    Serotonin,

    A suffix on the posting by GeG:

    A visit to the CACERT.ORG www site is quite interesting. Attempting to register on the site takes you to an SSL-protected page that requests a variety of information (e.g., name, date of birth) which is generally referred to as "Personally Identifying Information".

    The root certificate for www.cacert.org is a SELF-SIGNED CERTIFICATE.  On first glance, there is no assurance that they are who they claim to be except, of course, for their word.  

    There are two issues here.

    1 - In what I will admit is a casual examination of the cacert.org www site, I do not see any names of individuals or organizations behind this effort. I find this somewhat surprising.
    2 - The CACERT.ORG certificate DOES NOT accomplish the goal you mentioned earlier, that of allowing secure communications to machines in your organization WITHOUT the need to manually install the certificates. In fact, attempting to access the signon page for CACERT.ORG requires me to accept their self-signed certificate as proof of authenticity. This is not a good practice.

    While I am neutral on the question as to the good intentions of those involved in CACERT.ORG, I can say that if I were interested in perpetrating an identity theft, getting people to give me their personal identifying information would be an IDEAL first step.

    The purpose behind getting a certificate is not to just "get a certificate", it is to establish one's identity and authenticity. In this matter, details count. Identity verification that is vouched for by someone whose own credentials are not tied to anything is not verification; it is the same as declaring your dwelling a sovereign nation and issuing your own identity documents. They may be visually appealing, but they will not get you a driver's license or be accepted as a valid passport.

    I hope that the above is helpful.

    - Bob (aka RLGSC)
    0
     
    LVL 8

    Expert Comment

    by:RLGSC
    Serotonin,

    I inadvertently omitted one item from my post just now.

    There are numerous published descriptions of how trust hierarchies work. I also believe that you will find a full description of certificates in the "Computer Security Handbook, 4th Edition" (Bosworth and Kabay, 2002).

    - Bob (aka RLGSC)
    0
     
    LVL 51

    Expert Comment

    by:ahoffmann
    RLGSC: full ACK

    BTW, go to that site, click on "lost password", wait for the page, then change from https to http,
    key in the following as email address and submit:
       doesntmatter"><div style="position:absolute;top:0px;"><iframe src=www.ard.de frame_border=0>

    It's all for free, as they state (and totally insecure, they forgot to tell you)
    ROFLOL

    0
     
    LVL 9

    Expert Comment

    by:_GeG_
    @ahoffman
    this is not a security hole. I agree it is not very professional to output unchecked user input on the site, but it has no security issues at this point.

    @Bob

    I don't think that you understood the sense of cacert. A few quotes from cacert.org, and then my opinion ;)

    [quote]CAcert.org was designed to be by the community for the community, and instead of placing all the labour on a central authority and in turn increasing the cost of certificates, the idea was to get community in conjunction with this website to have trust maintained in a dispersed and automated manner![/quote]

    Umph, since they changed to their new website, there is no info anymore. Maybe I should stop recommending them. How it should work:
    They try to create a web of trust. They try to have users that can check the identity of other users. Once you are checked by 2 users personally and with ID, you can check also. You can see this when logged in (stupid to hide information, I sent them an email):

    [quote]The Web of Trust system CAcert uses is similar to that many involved with GPG/PGP use, they hold face to face meetings to verify each others photo identities match their GPG/PGP key information. CAcert differs however in that we have modified things to work within the PKI framework, for you to gain trust in the system you must first locate someone already trusted. The trust person depending how many people they've trusted or meet before will determine how many points they can issue to you (the number of points they can issue is listed in the locate notary section). Once you've met up you can show your ID and you will need to fill out a CAP form which the person notarising your details must retain for verification reasons. You can also get trust points via the Trust Third Party system where you go to a lawyer, bank manager, accountant, or public notary/juctise of the peace and they via your ID and fill in the TTP form to state they have viewed your ID documents and it appears authentic and true. More information on the TTP system can be found in the TTP sub-menu.[/quote]

    [quote from Bob]1 - In what I will admit is a casual examination of the cacert.org www site, I do not see any names of individuals or organizations behind this effort. I find this somewhat surprising.[/quote]

    I agree. But about the mail address with a PO Box, thawte's contact:
    thawte Consulting (Pty) Ltd
    PO Box 2749
    Durbanville, 7551
    ;)

    [quote from Bob]The CACERT.ORG certificate DOES NOT accomplish the goal you mentioned earlier, that of allowing secure communications to machines in your organization WITHOUT the need to manually install the certificates. In fact, attempting to access the signon page for CACERT.ORG requires me to accept their self-signed certificate as proof of authenticity. This is not a good practice.[/quote]

    Yes and no. Generally it is not a good idea to install self-signed certificates. But cacert wants to be a root certifier. And to get the root certificate installed in IE, you will probably have to pay a lot. Which is not possible for an os movement. So the initial goal was to get many users to install the certificate themselves, so that in the end it would be installed everywhere. But with this website they will not achieve that goal :(

    Ok, now to better explain why I think it is a good idea, and why I think the old website was better, have a look yourself:
    http://web.archive.org/web/20040203073903/http://www.cacert.org/
    0
     
    LVL 1

    Author Comment

    by:Serotonin_X_Infinite
    Do you know how much money and where to go to get a self signed certificate integrated into mainstream?
    0
     
    LVL 9

    Expert Comment

    by:_GeG_
    I use http://geotrust.com/, which has a good value.
    0
     
    LVL 8

    Expert Comment

    by:RLGSC
    Geg,

    I will not deny that the PGP "web of trust" idea has some interest. The problem is when those who understand the strengths and limits of such a system encounter the less knowledgeable. In the end, the role of a certification authority is to stand behind their credentials, not just act as a clearing house for other people's opinions. That is why we have notaries, signature guarantees, and other authenticity systems in the real world.

    The cost of an SSL certificate is less than US$ 30.00/year (the current price from an affiliate of GoDaddy.com, a major registrar).

    This is not the place for a full discussion of X.509, but you DO NOT need your root certificate installed with the browser to
    issue your own certificates. There is a difference between a root certificate (head of a tree of trust, generally pre-installed with the browser), and a master certificate (used to sign other certificates; it in its turn, is the starting point in a chain of trust which goes up the trust tree until it encounters a root certificate).

    As to the process used by CACERT.ORG, the information collected by CACERT.ORG can be used for identity theft. In particular, date of birth is one of the most common points of such scams. While I have not signed up with them, the "Contact Us" information is limited to a PO Box in Australia (your reference to Thawte is undeserved, they are a subsidiary of Verisign, which can be seen very clearly from their www site and from documents filed with the annual reports and required filings with securities regulators).

    If a business cannot justify US$30/year for an SSL certificate (less than the cost of a single telephone line for one month), there is a different problem.

    - Bob (aka RLGSC)
    0
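    The procedure described in the comments above (ahoffmann's "install your own CA", RLGSC's internal CA tied to a root, and his distinction between a root certificate that clients ship with and a master certificate that only signs others), worked through as an added example that is not code from the thread or from any of the vendors named in it. It uses the openssl command line; every name, file name and lifetime is an assumption, and the last two cases show why a self-signed certificate such as the one discussed for cacert.org is only accepted once a client has been told to trust exactly that certificate.

```shell
#!/bin/sh
# Added example (not from the thread): a two-tier private CA built with the
# openssl CLI, then "openssl verify" used to show what a client accepts.
# All names, file names and lifetimes below are assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Extension profiles. A CA certificate must say CA:TRUE; a server certificate
# must not, and must carry the host name in subjectAltName.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
# the subject is supplied on the command line with -subj

[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# new_key_and_csr NAME SUBJECT: fresh RSA key plus a certificate request.
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -batch -sha256 -config ext.cnf \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# 1. Root CA: self-signed. This is the one certificate that has to be pushed
#    to every client; nothing else in the hierarchy needs to be.
new_key_and_csr root "/O=Example Corp/CN=Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
  -extfile ext.cnf -extensions root_ext -out root.pem 2>/dev/null

# 2. Issuing CA (the "master certificate" of the thread): signed by the root,
#    allowed to issue end-entity certificates only (pathlen:0).
new_key_and_csr issuing "/O=Example Corp/CN=Example Issuing CA"
openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile ext.cnf -extensions ca_ext -out issuing.pem 2>/dev/null

# 3. Server certificate, signed by the issuing CA.
new_key_and_csr server "/CN=www.example.com"
openssl x509 -req -in server.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial \
  -days 365 -sha256 -extfile ext.cnf -extensions server_ext -out server.pem 2>/dev/null

# 4. A self-signed certificate for the same host name, made by someone else.
new_key_and_csr stranger "/CN=www.example.com"
openssl x509 -req -in stranger.csr -signkey stranger.key -days 365 -sha256 \
  -extfile ext.cnf -extensions server_ext -out stranger.pem 2>/dev/null

# verify_chain ANCHORS UNTRUSTED LEAF: does a client that trusts only the
# certificates in ANCHORS accept LEAF, given the unverified UNTRUSTED file the
# server sends along with it? Returns 0 if accepted, 1 if not. Use "" for none.
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}

# fingerprint FILE: what you compare out of band before installing any
# certificate by hand as a trust anchor.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# show LABEL ANCHORS UNTRUSTED LEAF: print the verdict for one case.
show() {
  if verify_chain "$2" "$3" "$4"; then r=accepted; else r=REJECTED; fi
  printf '%-48s %s\n' "$1" "$r"
}

show "root trusted, server sends issuing cert"    root.pem     issuing.pem server.pem
show "root trusted, server omits issuing cert"    root.pem     ""          server.pem
show "only issuing CA trusted (not self-signed)"  issuing.pem  ""          server.pem
show "root trusted, stranger's self-signed cert"  root.pem     ""          stranger.pem
show "stranger's cert installed as anchor"        stranger.pem ""          stranger.pem
echo "root anchor:     $(fingerprint root.pem)"
echo "stranger's cert: $(fingerprint stranger.pem)"
```

    Run it with sh; it leaves the keys and certificates in a temporary directory and prints one verdict per case. Only the first and last cases are accepted: a chain that reaches a trusted self-signed root, or a self-signed certificate that has itself been installed as the anchor. The issuing ("master") certificate never has to be distributed to clients, because the server sends it along and the verifier walks up to the root it already knows.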
     
    LVL 51

    Expert Comment

    by:ahoffmann
    > ..  but it has no securtiy issues at this point.
    well, if I find an SSL-secured login which can be used without SSL, if that is not security, what is security then?
    If I can overlay the complete page with such a simple string, I get anything in the context of that site, and the cert
    given before ('cause I use SSL) makes me believe that I'm there.
    Such loosely programmed interfaces are phishers' best friend. The user has no idea what's going on; the cert
    seems to prove that the content is correct (I'm not discussing this spoofing problem here, but people
    tell you that https "proves the content is proven", which is not true). The content is correct, but not belonging to the cert.

    Should I trust such a site?
    If they don't know how to secure themselves, why should I believe that their cert is secure?
    This site also shows me that the "makers" don't know how to take care of web security; there are logical
    and semantic errors, and the site is vulnerable to spoofing. If these people have the same knowledge about
    certs, I'd better spend a few bucks. Much better than having trouble with a free one.

    OK, just IMHO, make your own decision, please.
    This is a security TA, and the link is a good example of what is insecure, at least unreliable ;-)
    0
     
    LVL 9

    Expert Comment

    by:_GeG_
    @ahoffman
    >Such loosely programmed interfaces are phishers' best friend. The user has no idea what's going on; the cert
    seems to prove that the content is correct (I'm not discussing this spoofing problem here, but people
    tell you that https "proves the content is proven", which is not true). The content is correct, but not belonging to the cert.

    No, afaik you cannot use it for phishing, because you cannot send somebody a link to the overlaid site. The form information is sent by POST, so it cannot be incorporated in a link.
    And it is rather unlikely that somebody follows an email like this:
    hi,
    open cacert login,
    enter "doesntmatter"><div style="position:absolute;top:0px;"><iframe src=www.ard.de frame_border=0>" as login,
    and now enter the real login
    :D

    Again I agree that this should not happen, but since I like the idea behind cacert so much, I don't want to damn them just because of an irrelevant mistake.

    @Bob
    >This is not the place for a full discussion...
    afaik cacert is supposed to work like this:
    cacert has a root certificate (would also work with a master certificate, but this is not affordable for an os movement)
    and they have individuals whose identity is established, each of whom gets a master certificate. Now if you want a master certificate of your own, you go to 2 of these individuals, show them 2 photo IDs, and they verify you. Now you get a master certificate and can verify others.
    And also you can issue certificates for yourself and others.
    It starts with a few people whom you must trust. But from this point on, you can always check who issued a certificate to whom, and if something goes wrong, you can always hold liable the one who misused his/her certificate.
    Of course this is an overkill if you need just one server certificate. But if you have more than one server, and a few office emails that you want to encrypt, then it suddenly makes sense.

    >As to the process used by CACERT.ORG, the information collected by CACERT.ORG can be used for identity theft. In particular, date of birth is one of the most common points of such scams...
    hm, and if you give the same info to verisign, it cannot be used for identity theft?

    >While I have not signed up with them, the "Contact Us" information is limited to a PO Box in Australia (your reference to Thawte is undeserved, they are a subsidiary of Verisign...
    ok, contact for verisign:
    VeriSign Worldwide Headquarters
    487 East Middlefield Road
    Mountain View, CA 94043

    I live in Austria, Europe. For me they are as unreachable as a PO box in Australia. (If they are there, have you checked, or do you just believe their web site?)
    Why do you believe in Verisign, but not in cacert? Probably because there is a (monetary) web of trust between Microsoft and Verisign. As soon as they have the root certificate in Internet Explorer, everybody trusts them. And should it ever be misused, it is a national emergency, and you are not alone. I mean Verisign is not controlled by the UN or some worldwide supervision organisation. They are just a company, who could decide that they would earn more money by selling their user data. I think that your trust is based on a status quo rather than on your own decision.

    I personally think that cacert is a good idea, and they deserve a chance.
    0
     
    LVL 51

    Expert Comment

    by:ahoffmann
    hmm, I like the idea too, no problem.
    But trustworthy is most important for a cert.
    Anyway, security is a process, so this site may get trustworthy in future ...

    > .. send by post, so it cannot be incorporated in a link.
    .. but in a HTML-mail (which is not much different to a link;-)
    0
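    The exchange above turns on what the "lost password" page does with the submitted address. As an added example, which is not code from the thread or from cacert.org, the following reproduces that behaviour on the exact string ahoffmann posted, beside the output encoding that prevents it. The form markup and the field name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a page that echoes the submitted address
# back into its own HTML without encoding it, beside the same page with the
# output encoded. Form markup and field name are assumptions.

# html_escape STRING: encode the five characters that can change HTML context.
html_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# render_unsafe EMAIL: puts the input straight into an attribute value, so a
# quote plus a closing bracket inside EMAIL ends the attribute and the tag,
# and whatever follows is parsed as new markup on the page.
render_unsafe() {
  printf '<form method="post" action="/lostpw">E-mail: <input name="email" value="%s"></form>' "$1"
}

# render_safe EMAIL: the same page with the value encoded on output.
render_safe() {
  printf '<form method="post" action="/lostpw">E-mail: <input name="email" value="%s"></form>' "$(html_escape "$1")"
}

# contains HAYSTACK NEEDLE: 0 if NEEDLE occurs in HAYSTACK.
contains() { case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac; }

# The string from the thread (constructed test input, not a live request).
PAYLOAD='doesntmatter"><div style="position:absolute;top:0px;"><iframe src=www.ard.de frame_border=0>'

echo "--- unescaped: the input becomes markup ---"
render_unsafe "$PAYLOAD"; echo
echo "--- escaped: the input stays an attribute value ---"
render_safe "$PAYLOAD"; echo
```

    Run it with sh. In the first output the submitted string closes the input tag and opens a positioned div and an iframe, which is what the thread saw; in the second, the same string is rendered as literal text inside the attribute. Whether the request arrives by link, by a POSTed form or by an HTML mail makes no difference to this fix: it is applied where the value is written into the page.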
