cookiemonster4470 Posted October 22, 2007
https://forums.phpfreaks.com/topic/74382-ssl-certificate-security/

(Not sure where to post this.) Is it dangerous to give out the password for your dedicated SSL certificate? Below is what an ISP I'm considering using has to say..

Q. I'm going to purchase my own SSL, what do I need to know?
A. Our servers are Apache + mod_ssl. If you require assistance from us to install it there will be a $25.00 installation fee. We will need both the key and the CSR. You will also need a dedicated IP before contacting us, which can be purchased here: www.hostgator.com/ip.php

Amy
dbo Posted October 22, 2007

I don't really see anything wrong with it. If you're concerned, just install it yourself.
cookiemonster4470 Posted October 23, 2007 (Author)

Well, I would give a customer service representative from the credit card company my PIN for my credit card, so why give an ISP your password for your SSL certificate? Passwords presumably exist to keep secrets... What purpose does the password serve on an SSL certificate?

Amy
dbo Posted October 23, 2007

It doesn't serve much purpose at all. If they are generating the certificate for you... they have access to the actual key anyway... as would anyone who installs it for you. I say again, if you're concerned, just install it yourself.
cookiemonster4470 Posted October 23, 2007 (Author)

> Well, I would give a customer service representative from the credit card company my PIN for my credit card, so why give an
> ISP your password for your SSL certificate?

That should have said... "Well, I would NOT give a customer service representative from the credit card company my PIN for my credit card, so why give an ISP your password for your SSL certificate?"

I was going to get a Verisign certificate but maybe use HostGator for the ISP. So, no, it wouldn't be the same people. I don't think they'd let me do that myself, and I would know how anyways.

Again, what purpose does a password serve on an SSL certificate? (My fear is the certificate could somehow be changed so that it would no longer authenticate me and work properly. Kinda like someone re-wiring your pacemaker!!)

Amy
derwert Posted October 23, 2007

I don't see the point in this question. If you want them to install it for you, you have to go by their rules, otherwise they won't do it for you. So either:

A) Follow their rules and let them do it.
B) Do it yourself.
C) Find someone else to do it.

When they are installing the certificate they are getting access to the private key anyway, so if you want to be paranoid then what you should be worrying about is the private key and not the password. They can't regenerate your certificate and have it signed by the companies that signed it in the first place, so I don't see the issue here..
cookiemonster4470 Posted October 23, 2007 (Author)

> I don't see the point in this question.
> so I don't see the issue here..

It is an issue because I clearly stated that I don't understand how SSL certificates work and what the password is for, and whether letting someone have access to the password should concern me. (If I knew the answer to something then I wouldn't be posting a question here, now would I?!)

AT&T has a policy of asking for people's FULL Social Security Numbers just to submit a resume to a job listing. I sure as f*** wouldn't give them that information, as I know it is dangerous and irrelevant to applying for a job. By contrast, I am still learning about SSL certificates, and I never take requests for sensitive information at face value, so that's why I'm asking on here, because it may not be a security risk, or, like the previous example, it could be a BIG security risk!

Amy
PHP_PhREEEk Posted October 23, 2007

If this is a cPanel host, it is extremely simple to do it yourself. The password is not sensitive. You can give them what they need without any loss of sleep. The SSL cert is TIED to your fully qualified domain name, so it's useless to anyone but you.

PhREEEk
cookiemonster4470 Posted October 23, 2007 (Author)

And I don't have to worry about them being able to modify it and somehow "spy" on encrypted communications using the SSL certificate? One fear I have is that the certificate could somehow be "tapped" like a phone or a phishing scheme so that they could have access to things that use/pass through the certificate, like credit card numbers. Is that even possible?

Amy
dbo Posted October 23, 2007

I don't think it's possible, but also consider... if you're trusting them to host your website, how can you not trust them with this? They could have complete access to your database and all of your code if they wanted.
PHP_PhREEEk Posted October 23, 2007

It seems there is some major misunderstanding on what exactly an SSL cert is... First off, nothing 'passes through' the cert. The cert identifies your website as registered and valid through the certificate issuer, and that's about it. The 'level' of the certificate you purchase determines the level of warranty provided by the issuer. The actual data passes through a secure session on the server-side (HTTPS). The cert warrants that you are in fact transferring your data through a secure session on a server website that belongs to who you think it belongs to. One of the things it does is allow you to feel safe that you weren't redirected somewhere you didn't intend to do business.

So, let's say you go to http://www.commerce-site.com. You add a few things to your cart, then upon checkout you are redirected to https://www.commerce-site.com/checkout. Once on that page, you can view the certificate and verify that you are INDEED connected to commerce-site dotcom, and the connection is secured/encrypted.

So, in essence, the site's cert is only a verification of information, nothing much else. Someone 'hijacking' your cert would not be able to use it, and if they somehow fooled somebody into doing business under the guise of your cert, you certainly would have no liability whatsoever. You can give your host the information they requested. It's all good... no harm can come to you in doing so.

PhREEEk
cookiemonster4470 Posted October 23, 2007 (Author)

dbo wrote:
> I don't think it's possible, but also consider... if you're trusting them to host your website, how can you not trust them with this? They
> could have complete access to your database and all of your code if they wanted.

Very good point!! <<insert Homer Simpson "D'oh!">> I'm just doing my due diligence on this topic, but your advice may be even better. (I just get so annoyed at how UN-safe so many major American corporations are with your information.)

Thanks,
Amy
cookiemonster4470 Posted October 23, 2007 (Author)

PHP_PhREEEk wrote:
> It seems there is some major misunderstanding on what exactly an SSL cert is... First off, nothing 'passes through' the cert. The cert identifies your website as registered and valid through the certificate issuer, and that's about it. The 'level' of the certificate you purchase determines the level of warranty provided by the issuer. The actual data passes through a secure session on the server-side (HTTPS). The cert warrants that you are in fact transferring your data through a secure session on a server website that belongs to who you think it belongs to. One of the things it does is allow you to feel safe that you weren't redirected somewhere you didn't intend to do business.
>
> So, let's say you go to http://www.commerce-site.com. You add a few things to your cart, then upon checkout you are redirected to https://www.commerce-site.com/checkout. Once on that page, you can view the certificate and verify that you are INDEED connected to commerce-site dotcom, and the connection is secured/encrypted.
>
> So, in essence, the site's cert is only a verification of information, nothing much else. Someone 'hijacking' your cert would not be able to use it, and if they somehow fooled somebody into doing business under the guise of your cert, you certainly would have no liability whatsoever. You can give your host the information they requested. It's all good... no harm can come to you in doing so.
>
> PhREEEk

Sorry. Pardon my ignorance on SSL certificates. Yes, your explanation helps quite a bit. I guess I was under the impression, from some things that I read online, that the SSL certificate was part of the HTTPS connection, and that if it was hacked, someone could gain access to the data being sent or redirect the data somewhere else.

I thought it was analogous to a phone line where it not only promised to be a line to 1-800-FLOWERS, but also a guarantee that you were actually talking to 1-800-FLOWERS. Apparently it is more like a "seal of approval" or "Member of the Better Business Bureau", right?

So, since I think (?) that I better understand what the SSL certificate does, then why should a person pay $300 for a Verisign SSL certificate versus $75 for a Comodo SSL certificate?? :-\

Amy
PHP_PhREEEk Posted October 23, 2007

LOL... yep, you got it now... Get the Comodo cert. The difference is just the amount of warranty provided, and unless you're a huge corporation doing a few mil a year, the Comodo cert is totally adequate.

I run servers and have done server-side administration for over 5 years. If you need any help with anything, feel free to ask!

PhREEEk
cookiemonster4470 Posted October 23, 2007 (Author)

Thanks for the explanation, PHP_PhREEEk.

Okay, so you say "Get the Comodo cert. The difference is just the amount of warranty provided, and unless you're a huge corporation doing a few mil a year, the Comodo cert is totally adequate."

But I've heard some people say that "name matters" and that customers may not trust a site that doesn't use Verisign. Do you think that is true, or is it just fluff? (Personally, I HATE Verisign after they screwed me over on a domain name issue about 7 years ago. But it does seem like they are THE source for SSL certificates.)

What do you think is a balanced approach?

Amy
PHP_PhREEEk Posted October 23, 2007

Of course industry professionals know that the 'name game' is just fluff, but we can't predict what the larger public opinion would be. Logically, there is no difference. To get a cert, you normally need to fill out information and FAX it or snail mail it in, and then your cert is issued. Maybe the public thinks that Verisign goes through a more rigorous process? You never know what people think...

I have, of course in my time of administration, set up many a cart system. I have never once had a client tell me that a customer refused to complete a transaction due to a cert being from one company versus another. Never. Ever.

Ask yourself, how many things have you purchased across the internet? Out of all of those things, how many times have you actually looked at a cert during checkout? You usually don't, and here's why... if the cert is valid, matches the site you are doing business with, and isn't expired, no error is thrown by the browser. If anything doesn't look right about the cert, or if one isn't present at all, your browser will warn you. So, if there's no warning, we usually just continue the checkout.

So out of all the things you have purchased, how many had a Verisign cert versus another cert of some sort? You probably don't know those numbers... I know I don't... and I believe a vast majority wouldn't know. I don't even know what cert my bank has!! lol... I may need to check now! heh

You get the point... Verisign is only THE source because they ADVERTISE themselves as THE source. Truth is, any verified cert is good enough. As long as a warning by the browser isn't thrown in the customer's face, they 99% of the time wouldn't even view the cert.

POPUP: Warning! This site's Certificate was NOT issued by Verisign! Are you SURE you want to continue? <y/n> (We recommend you leave this site immediately!)

heheh Verisign would LOVE that one!

PhREEEk
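Editor's added example (not code from this thread or from any poster): the two PhREEEk posts above say that a cert "identifies your website" and that a browser stays silent only when the cert "matches the site you are doing business with, and isn't expired". The Python below reproduces those two checks on a constructed certificate dictionary shaped like what the standard library's `ssl.SSLSocket.getpeercert()` returns. The hostname `www.commerce-site.com` comes from the thread; the issuer name, the validity dates and the checkout timestamps are made up for the example, and the CA signature check that a real browser also performs is not modelled here.

```python
import ssl
import time

# Constructed sample in the shape of ssl.SSLSocket.getpeercert() output.
# The issuer and the dates are invented for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.commerce-site.com"),),),
    "issuer": ((("organizationName", "Example CA (hypothetical)"),),),
    "subjectAltName": (
        ("DNS", "www.commerce-site.com"),
        ("DNS", "commerce-site.com"),
    ),
    "notBefore": "Oct 22 00:00:00 2007 GMT",
    "notAfter": "Oct 22 23:59:59 2008 GMT",
}


def _label_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match. A wildcard is honoured only as the
    whole leftmost label and only covers a single label, so *.example.com
    matches www.example.com but not a.b.example.com or example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Does the name the user typed appear in the certificate? DNS entries in
    subjectAltName are authoritative; commonName is consulted only when the
    certificate carries no DNS SAN at all (the old fallback behaviour)."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return any(_label_matches(name, hostname) for name in dns_names)


def validity_status(cert: dict, now: float) -> str:
    """Return 'valid', 'not yet valid' or 'expired' for a Unix timestamp."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"


def check_certificate(cert: dict, hostname: str, now: float) -> list:
    """List the reasons a browser would warn about this cert for this host at
    this moment. An empty list is the silent, no-warning checkout case."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"name mismatch: certificate is not for {hostname}")
    status = validity_status(cert, now)
    if status != "valid":
        problems.append(f"certificate is {status}")
    return problems


if __name__ == "__main__":
    # A checkout on a made-up date inside the validity window.
    checkout_day = ssl.cert_time_to_seconds("Nov 01 12:00:00 2007 GMT")
    print(check_certificate(SAMPLE_CERT, "www.commerce-site.com", checkout_day))
    print(check_certificate(SAMPLE_CERT, "www.other-site.example", checkout_day))
    # The same cert checked today: long expired, so a browser would warn.
    print(check_certificate(SAMPLE_CERT, "www.commerce-site.com", time.time()))
```

The order of the checks mirrors what the posts describe: a cert that was issued for a different name is rejected regardless of who signed it, which is why a copied cert is "useless to anyone but you", and a cert that is otherwise fine still triggers a warning once its validity window has passed.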