
Solved

*** BEST SSL CERTIFICATE?

Posted on 2004-10-21
3,613 Views
Last Modified: 2012-06-27
I would like to know which is best.

I would also like to know if there are any free ones.


GoDaddy's one offers a free dedicated IP - how does this work?
Question by:Serotonin_X_Infinite
18 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12378086
>  I would like to know which is best.
there is no difference.
Or what in particular do you mean with "best"?

> I would also like to know if there are any free ones.
any cert you make yourself is free, somehow. Just install your own CA and make your own self-signed cert (for example using openssh). But keep in mind that you need people to trust *your* cert ;-)
0
 
LVL 1

Author Comment

by:Serotonin_X_Infinite
ID: 12378161
how do I make it trusted by default like the paid-for ones?
0
 
LVL 13

Expert Comment

by:hstiles
ID: 12379180
The point of a certificate being trusted is that it has been issued by a trusted certificate authority. So the point of a trusted certificate is completely negated if you have a certificate that you have created yourself. Such certificates are fine for internal use to secure resources, etc... but if you are publishing a commercial site, users would be quite justified in questioning the authenticity of your site if it is using a certificate that you have issued yourself.
0
 
LVL 8

Expert Comment

by:RLGSC
ID: 12380113
Serotonin,

There is no "Best". It is a question of which Certification Authority is trusted. All of the major firms in this sector (e.g., Verisign, Thawte, GoDaddy, and some others) have name recognition. The important question is "Who is trusted by your customers?"

Self-signed certificates represent another class of problem entirely. Certifying that "you are yourself" is not generally useful, except for testing. Internally, within your organization, it is possible to have an internal Certification Authority, whose authenticity should be tied back to a master company certificate issued by an external Certification Authority.

The reason that I say "tied to a master company certificate issued by a major certification authority" is simple. Web browsers and other certificate-aware packages generally install knowing the identity of major certification authorities. Using this knowledge to your advantage saves large amounts of effort. Otherwise, you would have to install your company's root certificate in each and every system in the organization, a large initial project, and a large ongoing maintenance effort. The minimal amount required to get a master certificate from an external certification authority is inexpensive by comparison.

I hope that the above is helpful.

- Bob (aka RLGSC)
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12380304
>  how do I make it trusted by default like the paid for ones?
buy a "trusted" cert to sign your own ;-)
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12380323
Or ask yourself: would you trust someone showing you his/her self-made passport, insisting on telling you that everything you see is the truth?
0
 
LVL 9

Accepted Solution

by:
_GeG_ earned 2000 total points
ID: 12384631
you can get it for free: http://www.cacert.org/
this is kind of an open source approach to certification. And it explains everything you need on the site. It is free, so you don't have to pay, but you have to identify yourself to be trusted.
0
 
LVL 1

Author Comment

by:Serotonin_X_Infinite
ID: 12386532
Thank you
0
 
LVL 8

Expert Comment

by:RLGSC
ID: 12387522
Serotonin,

A suffix on the posting by GeG:

A visit to the CACERT.ORG www site is quite interesting. Attempting to register on the site takes you to an SSL-protected page that requests a variety of information (e.g., name, date of birth) which is generally referred to as "Personally Identifying Information".

The root certificate for www.cacert.org is a SELF-SIGNED CERTIFICATE. On first glance, there is no assurance that they are who they claim to be except, of course, for their word.

There are two issues here.

1 - In what I will admit is a casual examination of the cacert.org www site, I do not see any names of individuals or organizations behind this effort. I find this somewhat surprising.
2 - The CACERT.ORG certificate DOES NOT accomplish the goal you mentioned earlier, that of allowing secure communications to machines in your organization WITHOUT the need to manually install the certificates. In fact, attempting to access the signon page for CACERT.ORG requires me to accept their self-signed certificate as proof of authenticity. This is not a good practice.

While I am neutral on the question as to the good intentions of those involved in CACERT.ORG, I can say that if I were interested in perpetrating an identity theft, getting people to give me their personal identifying information would be an IDEAL first step.

The purpose behind getting a certificate is not to just "get a certificate", it is to establish one's identity and authenticity. In this matter, details count. Identity verification that is vouched for by someone whose own credentials are not tied to anything is not verification; it is the same as declaring your dwelling a sovereign nation and issuing your own identity documents. They may be visually appealing, but they will not get you a driver's license or be accepted as a valid passport.

I hope that the above is helpful.

- Bob (aka RLGSC)
0
 
LVL 8

Expert Comment

by:RLGSC
ID: 12387545
Serotonin,

I inadvertently omitted one item from my post just now.

There are numerous published descriptions of how trust hierarchies work. I also believe that you will find a full description of certificates in the "Computer Security Handbook, 4th Edition" (Bosworth and Kabay, 2002).

- Bob (aka RLGSC)
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12387568
RLGSC: full ACK

BTW, go to that site, click on "lost password", wait for the page, then change from https to http
key in the following as email address and submit:
   doesntmatter"><div style="position:absolute;top:0px;"><iframe src=www.ard.de frame_border=0>

It's all for free, as they state (and totally insecure, which they forgot to tell you)
ROFLOL

0
 
LVL 9

Expert Comment

by:_GeG_
ID: 12387620
@ahoffman
this is not a security hole. I agree it is not very professional to output unchecked user input on the site, but it has no security issues at this point.

@Bob

I don't think that you understood the sense of cacert. A few quotes from cacert.org, and then my opinion ;)

[quote]CAcert.org was designed to be by the community for the community, and instead of placing all the labour on a central authority and in turn increasing the cost of certificates, the idea was to get community in conjunction with this website to have trust maintained in a dispersed and automated manner![/quote]

Umph, since they changed to their new website, there is no info anymore. Maybe I should stop recommending them. How it should work:
They try to create a web of trust. They try to have users that can check the identity of other users. Once you are checked by 2 users personally and with ID, you can check also. You can see this when logged in (stupid to hide information, I sent them an email):

[quote]The Web of Trust system CAcert uses is similar to that many involved with GPG/PGP use, they hold face to face meetings to verify each others photo identities match their GPG/PGP key information. CAcert differs however in that we have modified things to work within the PKI framework, for you to gain trust in the system you must first locate someone already trusted. The trust person depending how many people they've trusted or meet before will determine how many points they can issue to you (the number of points they can issue is listed in the locate notary section). Once you've met up you can show your ID and you will need to fill out a CAP form which the person notarising your details must retain for verification reasons. You can also get trust points via the Trust Third Party system where you go to a lawyer, bank manager, accountant, or public notary/justice of the peace and they via your ID and fill in the TTP form to state they have viewed your ID documents and it appears authentic and true. More information on the TTP system can be found in the TTP sub-menu.[/quote]

[quote from Bob]1 - In what I will admit is a casual examination of the cacert.org www site, I do not see any names of individuals or organizations behind this effort. I find this somewhat surprising.[/quote]

I agree. But about the mail address with a PO Box, thawte's contact:
thawte Consulting (Pty) Ltd
PO Box 2749
Durbanville, 7551
;)

[quote from Bob]The CACERT.ORG certificate DOES NOT accomplish the goal you mentioned earlier, that of allowing secure communications to machines in your organization WITHOUT the need to manually install the certificates. In fact, attempting to access the signon page for CACERT.ORG requires me to accept their self-signed certificate as proof of authenticity. This is not a good practice.[/quote]

Yes and no. Generally it is not a good idea to install self-signed certificates. But cacert wants to be a root certifier. And to get the root certificate installed in IE, you will probably have to pay a lot. Which is not possible for an os movement. So the initial goal was to get many users to install the certificate themselves, so that in the end it would be installed everywhere. But with this website they will not achieve that goal :(

Ok, now to better explain why I think it is a good idea, and why I think the old website was better, have a look yourself:
http://web.archive.org/web/20040203073903/http://www.cacert.org/
0
 
LVL 1

Author Comment

by:Serotonin_X_Infinite
ID: 12387675
Do you know how much money and where to go to get a self signed certificate integrated into mainstream?
0
 
LVL 9

Expert Comment

by:_GeG_
ID: 12387692
I use http://geotrust.com/, which has a good value.
0
 
LVL 8

Expert Comment

by:RLGSC
ID: 12388286
Geg,

I will not deny that the PGP "web of trust" idea has some interest. The problem is when those who understand the strengths and limits of such a system encounter the less knowledgeable. In the end, the role of a certification authority is to stand behind their credentials, not just act as a clearing house for other people's opinions. That is why we have notaries, signature guarantees, and other authenticity systems in the real world.

The cost of an SSL certificate is less than US$ 30.00/year (the current price from an affiliate of GoDaddy.com, a major registrar).

This is not the place for a full discussion of X.509, but you DO NOT need your root certificate installed with the browser to issue your own certificates. There is a difference between a root certificate (head of a tree of trust, generally pre-installed with the browser), and a master certificate (used to sign other certificates; it in its turn, is the starting point in a chain of trust which goes up the trust tree until it encounters a root certificate).

As to the process used by CACERT.ORG, the information collected by CACERT.ORG can be used for identity theft. In particular, date of birth is one of the most common points of such scams. While I have not signed up with them, the "Contact Us" information is limited to a PO Box in Australia (your reference to Thawte is undeserved, they are a subsidiary of Verisign, which can be seen very clearly from their www site and from documents filed with the annual reports and required filings with securities regulators).

If a business cannot justify US$30/year for an SSL certificate (less than the cost of a single telephone line for one month), there is a different problem.

- Bob (aka RLGSC)
0
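A worked version of the root-versus-master distinction Bob describes, added here as an example (it is not code from anyone in this thread): it builds a self-signed root, a company "master" CA signed by that root and a server certificate signed by the master, then checks the server certificate the way a browser would when the root is installed, when it is not, and when the server is merely self-signed. The CA names, the host www.example.com and the serial numbers are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn (a CA when dns is nil, a server cert otherwise). With parent == nil
// it is self-signed, as a root or a home-made server cert is; otherwise the parent's key signs it. Demo code: panics on error.
func makeCert(cn string, dns []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, // constructed serial
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:      dns == nil, BasicConstraintsValid: true, DNSNames: dns, // browsers match the host against the SAN list
	}
	if tmpl.IsCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign // only CAs may sign other certificates
	}
	if parent == nil { // self-signed: the certificate vouches for itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; parsing cannot fail
	return cert, key
}

// verify mimics a browser: only the installed root (nil = not installed) is trusted; offered certs are what the server sends.
func verify(leaf *x509.Certificate, host string, root *x509.Certificate, offered ...*x509.Certificate) error {
	opts := x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	if root != nil {
		opts.Roots.AddCert(root)
	}
	for _, c := range offered {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// TrustOutcomes builds root -> company "master" CA -> server cert and reports what a browser concludes in three cases.
func TrustOutcomes(host string) (rootInstalled, rootMissing, selfSigned error) {
	root, rootKey := makeCert("Constructed Root CA", nil, nil, nil)
	master, masterKey := makeCert("Constructed Company CA", nil, root, rootKey)
	leaf, _ := makeCert(host, []string{host}, master, masterKey)
	self, _ := makeCert(host, []string{host}, nil, nil) // the "self-made passport" of the thread
	return verify(leaf, host, root, master), verify(leaf, host, nil, master), verify(self, host, root)
}
```

Only the first case verifies: the server sends its master certificate along, and the browser only needs the root, which is exactly why chaining a company CA to a pre-installed root avoids touching every client.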
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12388567
> .. but it has no security issues at this point.
well, if I find an SSL-secured login which can be used without SSL, if that is not security, what is security then?
If I can overlay the complete page with such a simple string, I get anything in the context of that site, and the cert given before ('cause I use SSL) makes me believe that I'm there.
Such lousily programmed interfaces are phishers' best friend. The user has no idea what's going on, the cert seems to prove that the content is correct (I'm not discussing this spoofing problem here, but people tell you that https "proves the content is proven", which is not true). The content is correct, but not belonging to the cert.

Should I trust such a site?
If they don't know how to secure themselves, why should I believe that their cert is secure?
This site also shows me that the "makers" don't know how to take care of web security, there are logical and semantic errors, and the site is vulnerable to spoofing. If these people have the same knowledge about certs, I'd better spend a few bucks. Much better than having trouble with a free one.

OK, just IMHO, make your own decision, please.
This is a security TA, and the link is a good example of what is insecure, or at least unreliable ;-)
0
 
LVL 9

Expert Comment

by:_GeG_
ID: 12392078
@ahoffman
>Such lousily programmed interfaces are phishers' best friend. The user has no idea what's going on, the cert seems to prove that the content is correct (I'm not discussing this spoofing problem here, but people tell you that https "proves the content is proven", which is not true). The content is correct, but not belonging to the cert.

No, afaik you cannot use it for phishing, because you cannot send somebody a link to the overlaid site. The form information is sent by POST, so it cannot be incorporated in a link.
And it is rather unlikely that somebody follows an email like this:
hi,
open cacert login,
enter "doesntmatter"><div style="position:absolute;top:0px;"><iframe src=www.ard.de frame_border=0>" as login,
and now enter the real login
:D

Again I agree that this should not happen, but since I like the idea behind cacert so much, I don't want to damn them just because of an irrelevant mistake.

@Bob
>This is not the place for a full discussion...
afaik cacert is supposed to work like this:
cacert has a root certificate (would also work with a master certificate, but this is not affordable for an os movement)
and they have individuals whose identity is established, each of whom gets a master certificate. Now if you want a master certificate of your own, you go to 2 of these individuals, show them 2 photo IDs, and they verify you. Now you get a master certificate and can verify others.
And also you can issue certificates for yourself and others.
It starts with a few people whom you must trust. But from this point on, you can always check who issued a certificate to whom, and if something goes wrong, you can always hold liable the one who misused his/her certificate.
Of course this is an overkill if you need just one server certificate. But if you have more than one server, and a few office emails that you want to encrypt, then it suddenly makes sense.

>As to the process used by CACERT.ORG, the information collected by CACERT.ORG can be used for identity theft. In particular, date of birth is one of the most common points of such scams...
hm, and if you give the same info to verisign, it cannot be used for identity theft?

>While I have not signed up with them, the "Contact Us" information is limited to a PO Box in Australia (your reference to Thawte is undeserved, they are a subsidiary of Verisign...
ok, contact for verisign:
VeriSign Worldwide Headquarters
487 East Middlefield Road
Mountain View, CA 94043

I live in Austria, Europe. For me they are as unreachable as a PO box in Australia. (if they are there, have you checked or do you just believe their web site?)
Why do you believe in Verisign, but not in cacert? Probably because there is a (monetary) web of trust between Microsoft and Verisign. As soon as they have the root certificate in Internet Explorer, everybody trusts them. And should it ever be misused, it is a national emergency, and you are not alone. I mean Verisign is not controlled by the UN or some worldwide supervision organisation. They are just a company, who could decide that they would earn more money by selling their user data. I think that your trust is based on a status quo rather than on your own decision.

I personally think that cacert is a good idea, and they deserve a chance.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12394876
hmm, I like the idea too, no problem.
But trustworthiness is most important for a cert.
Anyway, security is a process, so this site may get trustworthy in future ...

> .. send by post, so it cannot be incorporated in a link.
.. but in a HTML-mail (which is not much different to a link;-)
0
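As an added example of what the fix for the two defects argued over above looks like (mine, not cacert.org's code and not anything posted in the thread): a hypothetical lost-password handler that refuses to serve the page over plain HTTP and renders the reflected address through html/template, exercised in-process with the exact string ahoffmann quoted. The host ca.example and path /lostpw are placeholders.

```go
package main

import (
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ThreadPayload is the string quoted in the thread; reflected raw it closes the value="..." attribute.
const ThreadPayload = `doesntmatter"><div style="position:absolute;top:0px;"><iframe src=www.ard.de frame_border=0>`

// RenderUnsafe reproduces the defect described above: the submitted address is pasted straight into the HTML.
func RenderUnsafe(email string) string {
	return `<form method="post">Not found: <input name="email" value="` + email + `"></form>`
}

// html/template escapes each value for the context it lands in (here an attribute), so the same input stays inert.
var lostPasswordTmpl = template.Must(template.New("lost").Parse(
	`<form method="post">Not found: <input name="email" value="{{.}}"></form>`))

func RenderSafe(email string) string {
	var b strings.Builder
	if err := lostPasswordTmpl.Execute(&b, email); err != nil {
		panic(err) // only a broken template can fail here
	}
	return b.String()
}

// LostPasswordHandler addresses both complaints from the thread: it refuses to serve the page
// over plain HTTP (redirecting to https instead) and reflects the field through the escaping template.
// Caveat: r.TLS is nil behind a TLS-terminating proxy; there, check the proxy's forwarded-proto header instead.
func LostPasswordHandler(w http.ResponseWriter, r *http.Request) {
	if r.TLS == nil {
		u := *r.URL
		u.Scheme, u.Host = "https", r.Host
		http.Redirect(w, r, u.String(), http.StatusMovedPermanently)
		return
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	_, _ = w.Write([]byte(RenderSafe(r.FormValue("email"))))
}

// Probe drives the handler in-process with a constructed POST (no network) and returns status and body.
func Probe(target, email string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, target, strings.NewReader("email="+url.QueryEscape(email)))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	LostPasswordHandler(rec, req)
	return rec.Code, rec.Body.String()
}
```

Whether the overlay can be delivered by link or by HTML mail, as the two of them debate, stops mattering once the reflected value is escaped, and the redirect closes the "same login without SSL" path.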
