Re: Re: Low priced certificate?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Boyle Owen wrote:
...



It's worth remembering what a certificate is for; it is a document,
undersigned by a third-party, that confirms that you are who you say you
are. The third-party certificate signing authority is putting their
reputation on the line and has a moral (even a legal) obligation to be
certain you are bona fide.

A certificate is not some random obstacle that makes SSL websites pesky
to set up - it is an essential security feature that protects web-users
from fraud. So, of course it should cost you (as e-commerce operator)
money and effort.

Trying to get a cheap cert for your site is like a bus company getting
cheap tyres for their buses...
While not contradicting the essence of the above, I would like to know something for my own edification, if some expert could comment.
We are a services company, and provide websites to select customers, for their own usage. We know these customers, they know us, and there are not thousands of them (merely hundreds). We store information in these websites for those customers. Sometimes this information is relatively private, for the customer. (It is not however of the "top secret - defense" variety, nor banking etc...)
We would like to offer to our customers, the possibility of connecting to their websites using HTTPS instead of HTTP. This is merely so that it would be harder for "foreign" people to easily intercept the data being exchanged between the webserver and the browsers of our customers.
It is my understanding that we could set up our own "certificate authority" (CA) and create our own server certificates. A customer browser, upon the first connection, would pop up some message indicating that it cannot verify this certificate, and offering maybe to "authorise" our own CA as a valid one. Once they did this, the popup would not happen again, and their communications with the website would be encrypted (which is the main point of the exercise).
I understand that, in case their DNS system is compromised, they could land onto another website pretending to be ours, and thus accept this other website certificate and CA. But I consider this possibility as relatively unlikely, and easily detected by the customers themselves once they proceed. (*) 

Is anything wrong with the above thinking ?

Thanks for comments.
(*) because each customer application is specific, and in order to fool a customer, the miscreant would haver to duplicate this application, the data etc.. 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux