I'm helping a friend out with his website while his webmaster is on maternity leave. While she's gone, the SSL certificate will run out and we're getting tons of offers for cheaper ones. We're paying $150 now through Geotrust, but it would be really helpful if we could find something cheaper without compromising customer security.
I've never dealt with SSL certificates before. How do I know what makes a company good or bad? What would I look for? Do you have any recommendations for anything cheaper than what we've got now, or should we just stick with Geotrust?
Thanks!
SSL Certificate Advice
-
- Rank: Expert
- Registered: Mar 11, 2003
- Last visit: Oct 21, 2009
- Posts: 1104
Dunno but I know that guy in the pic played a mean strat, pedal steel and banjo.
Slugger -
**unknown user**
- Rank: Freshman
- Registered: Mar 16, 2002
- Last visit: Oct 21, 2009
- Posts: 85
In my opinion if you are conducting online transactions then your customers will probably have more confidence in a company like geo-trust which has a very professional web presence and is well established in their market. I forget where I read about it, but I know it is possible to use ssl encryption with your own certificate etc… It’s free but the certificate cannot be verified so your customers wouldn’t like that if they’re conducting CC transactions. In general geo-trust may not be as cheap, but you also might lose sales because people are wary of some company they have never heard of. Dunno, but that’s my 2.
Cheers from the new and improved Zoom. :shock: -
**unknown user**
- Rank: Senior
- Registered: Mar 16, 2002
- Last visit: Oct 21, 2009
- Posts: 2204
I had posted a giant response to this.. but on submit my session was gone and so was my post.. so.. I'm going to try again.
OpenSSL allows you to create and sign your own certs, private and public keys. The digital "authority" signature is no more secure or advanced.. having your certs signed by a digital "authority" such as Thawte, VeriSign etc.. removes the warning that "your information may not be secure..blah..blah".. I remember reading some time ago, maybe a year or so that Microsoft was in cahoots with VeriSign for some project.. but it made me curious as to the "sincerity" of those warnings.
..anyway.. you can create and use public keys, which are auto installed by some browsers such as IE and can be added to "Keychains" in MacOS (like GNUpg and PGP keys).. these public keys verify the identity of user/server, so the browser does not display warnings when these keys are used.. if the keys are not installed, however, the nasty bugger of a warning will be displayed, BUT the connection is still secure.
Personally, I think you've got a good thing if you can get away with it for $150 bucks.. I've heard and been told thou$ands for a single year.. I don't like being told I have to pay for something that I can do myself.. so I'll go the other routes every chance I get.. but a buck fifty is not bad at all for peace of mind. -
**unknown user**
- Rank: Freshman
- Registered: Mar 16, 2002
- Last visit: Oct 21, 2009
- Posts: 85
Invalid, thanks for the extra info. I guess it really is just a matter of dealing with customer perception.
I am assuming that when you use openssl some type of warning is generated, is that correct? -
**unknown user**
- Rank: Senior
- Registered: Mar 16, 2002
- Last visit: Oct 21, 2009
- Posts: 2204
hey Zoom.. it's actually the browsers that generate the warning.. based on what they "perceive" to be an authority.. There's no one to check whether the signature on a self-signed cert is "legitimate", but the certificate does contain the same information as one signed by an authority.. which is essentially what you're paying for.. someone to legitimize the signature.
When using public keys, the browser will make the comparison, whether the key belongs to the cert.. the company can still be named in the key/cert as "xyzwidgets" (a fictitious company), but the browser doesn't make any attempt at verifying or validating the existence of "xyzwidgets", it just assumes the key belongs to the cert and that's all the validity it needs to subdue the "notice". -
- Rank: Expert
- Registered: Dec 02, 2002
- Last visit: Apr 30, 2010
- Posts: 1474
I also heard that when you pay the authority, you are also paying a type of insurance. In the event that a card/transaction is compromised the issuing authority will pay the amount defrauded - I can remember seeing different tiers of plans with this, with insurance amounts ranging from 1000's of dollars to millions - naturally the price increased with the cover. So it is true what invalid is saying about the fact that you can do it yourself, but I think it is the insurance that brings the customer peace of mind.... (This quoted from memory from quite awhile back so I may be wrong...)
--
-Lobos
Professional PHP Framework Services: Concept, Development and Deployment -
**unknown user**
- Rank: Senior
- Registered: Mar 16, 2002
- Last visit: Oct 21, 2009
- Posts: 2204
found a link that gives a bit of tutorial and some insight into the conversation.. might come in handy for someone at some point.
http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#ownca
-IR
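
The own-CA setup that the linked FAQ entry covers, as an added shell example that is not part of any post in this thread: it creates a private CA, signs a server certificate with it, and checks that the certificate verifies only against a trust store holding that CA, which is the test a browser applies before deciding whether to warn. The CA names, the `xyzwidgets.example` host and all file names are constructed, and `openssl` is assumed to be on the path.

```shell
#!/bin/sh
# Added example. All names (Demo Private CA, xyzwidgets.example, file names) are constructed.

make_demo_pki() {    # $1 = empty working directory
    d=$1
    # Private CA: a key plus a self-signed certificate that acts as the trust anchor.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Private CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # An unrelated anchor, standing in for a client that never imported our CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null || return 1
    # Server key and signing request, then the private CA signs the request.
    openssl req -newkey rsa:2048 -nodes -subj "/O=xyzwidgets/CN=www.xyzwidgets.example" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/server.crt" 2>/dev/null || return 1
}

# Succeeds only if a chain from $2 to the anchor in $1 can be built and verified.
chains_to() {        # $1 = trust anchor (PEM), $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if the private key and the certificate carry the same public key.
key_matches_cert() { # $1 = private key, $2 = certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    key_matches_cert "$d/server.key" "$d/server.crt" && echo "key matches cert"
    chains_to "$d/ca.crt" "$d/server.crt"    && echo "client with our CA imported: accepted"
    chains_to "$d/other.crt" "$d/server.crt" || echo "client without our CA: warning"
    rm -rf "$d"
}
demo
```

The key-match check passes in both cases; only the chain check differs, and it depends entirely on which CA certificates the client already holds.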
