It sounds to me like you are hosting their sites... meaning you have virtual hosts, etc.? If I go to my bank and open a checking account... fine... it's "free". However, if I want a safe deposit box, I'll have to pay... unless... maybe if I keep X amount of money in deposit accounts with the bank... Then why not just pass the cost of obtaining legitimate certs on to those customers, unless they're a big-money customer... then what do you care about the cost? Wouldn't that solve all of your problems?

André Warnier wrote:
> Boyle Owen wrote:
> ...
>
>> It's worth remembering what a certificate is for; it is a document,
>> undersigned by a third party, that confirms that you are who you say you
>> are. The third-party certificate signing authority is putting their
>> reputation on the line and has a moral (even a legal) obligation to be
>> certain you are bona fide.
>>
>> A certificate is not some random obstacle that makes SSL websites pesky
>> to set up - it is an essential security feature that protects web users
>> from fraud. So, of course it should cost you (as e-commerce operator)
>> money and effort.
>>
>> Trying to get a cheap cert for your site is like a bus company getting
>> cheap tyres for their buses...
>
> While not contradicting the essence of the above, I would like to know
> something for my own edification, if some expert could comment.
>
> We are a services company, and provide websites to select customers,
> for their own usage. We know these customers, they know us, and there
> are not thousands of them (merely hundreds).
> We store information in these websites for those customers. Sometimes
> this information is relatively private, for the customer.
> (It is not however of the "top secret - defense" variety, nor banking
> etc...)
>
> We would like to offer to our customers the possibility of connecting
> to their websites using HTTPS instead of HTTP.
> This is merely so that it would be harder for "foreign" people to
> easily intercept the data being exchanged between the webserver and
> the browsers of our customers.
>
> It is my understanding that we could set up our own "certificate
> authority" (CA) and create our own server certificates. A customer
> browser, upon the first connection, would pop up some message
> indicating that it cannot verify this certificate, and offering maybe
> to "authorise" our own CA as a valid one. Once they did this, the
> popup would not happen again, and their communications with the
> website would be encrypted (which is the main point of the exercise).
>
> I understand that, in case their DNS system is compromised, they could
> land on another website pretending to be ours, and thus accept this
> other website's certificate and CA.
> But I consider this possibility relatively unlikely, and easily
> detected by the customers themselves once they proceed. (*)
>
> Is anything wrong with the above thinking?
>
> Thanks for comments.
>
>
> (*) because each customer application is specific, and in order to
> fool a customer, the miscreant would have to duplicate this
> application, the data etc.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
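The private-CA arrangement André asks about, as an added example that is not part of this thread or of any Apache project code: a shell script that uses the OpenSSL command-line tool to create a private CA, issue a server certificate from it, and then check what a client that trusts only that CA would conclude about (a) our own certificate, (b) a certificate for the same hostname issued by some unrelated CA, and (c) our certificate presented under a different hostname. The CA names, hostnames and file prefixes are made up, and the script assumes an `openssl` binary is on the PATH.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a private CA built with
# the openssl CLI, plus a trust check that mimics a browser which has been
# told to trust only our CA. All names and paths below are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca PREFIX "Common Name": self-signed CA certificate and private key.
# -subj avoids interactive prompts; -nodes leaves the key unencrypted, which
# is acceptable only inside this throwaway working directory.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" \
        -subj "/CN=$2" 2>/dev/null
}

# issue_server_cert CA_PREFIX OUT_PREFIX HOSTNAME: key + CSR for the site,
# then a certificate signed by the named CA with the hostname in a SAN.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
        -subj "/CN=$3" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$3" > "$WORK/$2-ext.cnf"
    openssl x509 -req -in "$WORK/$2.csr" -days 365 \
        -CA "$WORK/$1-ca.crt" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -extfile "$WORK/$2-ext.cnf" \
        -out "$WORK/$2.crt" 2>/dev/null
}

# check_trust CA_PREFIX CERT_PREFIX HOSTNAME: would a client whose only
# trust anchor is CA_PREFIX accept CERT_PREFIX for HOSTNAME?
# Prints "trusted" or "untrusted" and returns 0 / 1 accordingly.
check_trust() {
    if openssl verify -CAfile "$WORK/$1-ca.crt" -verify_hostname "$3" \
        "$WORK/$2.crt" >/dev/null 2>&1; then
        echo trusted
        return 0
    else
        echo untrusted
        return 1
    fi
}

# Demonstration of the three cases discussed above.
demo() {
    make_ca ours "Example Services Private CA"      # the CA we ask customers to trust
    make_ca other "Unrelated CA"                    # a CA our customers never imported
    issue_server_cert ours site  customer1.example.net
    issue_server_cert other rogue customer1.example.net

    printf 'our cert, our CA, right host:   %s\n' \
        "$(check_trust ours site  customer1.example.net || true)"
    printf 'other CA cert, same hostname:   %s\n' \
        "$(check_trust ours rogue customer1.example.net || true)"
    printf 'our cert, wrong hostname:       %s\n' \
        "$(check_trust ours site  wrong.example.net || true)"
}

demo
```

The second case is the one that matters for the DNS-compromise scenario in the thread: once a customer's browser trusts only our CA, a certificate for the same hostname issued by anyone else is rejected outright, so the exposure is confined to the very first connection, where the customer decides which CA to import. Distributing the CA certificate to customers out of band (rather than via the "accept this CA?" popup) removes that first-contact decision as well.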