SSL certificate security


cookiemonster4470


(Not sure where to post this.)

 

Is it dangerous to give out the password for your dedicated SSL certificate?

Below is what an ISP I'm considering using has to say..

 

Q. I'm going to purchase my own SSL certificate. What do I need to know?

A. Our servers are Apache + Mod SSL. If you require assistance from us to install it there will be a $25.00 installation fee. We will need both the key and the CSR. You will also need a dedicated IP before contacting us, which can be purchased here: www.hostgator.com/ip.php

 

Amy

 

 


It doesn't serve much purpose at all. If they are generating the certificate for you... they have access to the actual key anyways... as would anyone who installs it for you. I say again, if you're concerned just install it yourself.


> Well, I would give a customer service representative from the credit card company my Pin # for my credit card, so why give an

> ISP your password for your SSL certificate?

 

That should have said... "Well, I would NOT give a customer service representative from the credit card company my Pin # for my credit card, so why give an ISP your password for your SSL certificate?"

 

I was going to get a Verisign certificate but maybe use HostGator for the ISP.  So, no, it wouldn't be the same people.

 

I don't think they'd let me do that myself, and I would know how anyways.

 

Again, what purpose does a password serve on an SSL certificate?

 

(My fear is the certificate could somehow be changed so that it would no longer authenticate me and work properly.  Kinda like someone re-wiring your pacemaker!!)  ;D 

 

 

Amy

 


I don't see the point in this question. If you want them to install it for you, you have to go by their rules otherwise they won't do it for you.

 

So either:

 

A) Follow their rules and let them do it.

B) Do it yourself.

C) Find someone else to do it.

 

When they are installing the certificate they are getting access to the private key anyway, so if you want to be paranoid then what you should be worrying about is the private key and not the password.

 

They can't regenerate your certificate and have it signed by the companies that signed it in the first place so I don't see the issue here..

 

 

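The "password" the thread is arguing about is the passphrase on the private key file; the CSR and the certificate carry only the public key. The following is an added example, not code from the thread, using the openssl CLI (assumed installed) with a constructed passphrase and hostname: it creates a passphrase-protected key, builds the CSR the host asked for, and shows that the CSR holds no secret, that the key opens only with the passphrase, and that key plus passphrase yields an unprotected copy, which is what an installer produces so Apache can start unattended.

```shell
# Added example (not from the thread). Assumes the openssl CLI is present.
# The passphrase and hostname below are made-up test values.
set -e
WORK=$(mktemp -d)
PASS='correct-horse-battery'   # constructed test passphrase

# Create a 2048-bit RSA private key, encrypted on disk with the passphrase.
gen_key() {
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/site.key" 2048 2>/dev/null
}

# Returns 0 if the key file can be read with the given passphrase, non-zero otherwise.
key_opens_with() {
    openssl rsa -in "$WORK/site.key" -passin "pass:$1" -noout 2>/dev/null
}

# Build the CSR the host asked for; signing the request needs the passphrase.
gen_csr() {
    openssl req -new -key "$WORK/site.key" -passin "pass:$PASS" \
        -subj "/CN=www.commerce-site.com" -out "$WORK/site.csr" 2>/dev/null
}

# Number of private-key markers in the CSR: 0, because a CSR is public data.
csr_private_lines() {
    grep -c 'PRIVATE KEY' "$WORK/site.csr" || true
}

# The CSR's embedded public key is exactly the public half of the protected key.
csr_matches_key() {
    a=$(openssl rsa -in "$WORK/site.key" -passin "pass:$PASS" -pubout 2>/dev/null)
    b=$(openssl req -in "$WORK/site.csr" -pubkey -noout 2>/dev/null)
    [ "$a" = "$b" ]
}

# What an installer does so the web server can start unattended: write an
# unencrypted copy. Holding key + passphrase is holding the private key.
# Prints the count of ENCRYPTED markers in the copy: 0.
strip_passphrase() {
    openssl rsa -in "$WORK/site.key" -passin "pass:$PASS" \
        -out "$WORK/site-nopass.key" 2>/dev/null
    grep -c 'ENCRYPTED' "$WORK/site-nopass.key" || true
}

gen_key
gen_csr
```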

> I don't see the point in this question.

> so I don't see the issue here..

 

It is an issue because I clearly stated that I don't understand how SSL certificates work and what the password is for, and whether letting someone have access to the password should concern me.

 

(If I knew the answer to something then I wouldn't be posting a question here, now would I?!)

 

AT&T has a policy of asking for people's FULL Social Security Numbers just to submit a resume to a job listing.  I sure as f*** wouldn't give them that information as I know it is dangerous and irrelevant to applying for a job.  By contrast, I am still learning about SSL certificates, and I never take requests for sensitive information at face value, so that's why I'm asking on here, because it may not be a security risk, or like the previous example, it could be a BIG security risk!

 

 

Amy

 

 

 


And I don't have to worry about them being able to modify it and somehow "spy" on encrypted communications using the SSL certificate?

 

One fear I have is that the certificate could somehow be "tapped" like a phone or a phishing scheme so that they could have access to things that use/pass through the certificate like credit card numbers.

 

Is that even possible?

 

 

Amy

 


It seems there is some major misunderstanding on what exactly an SSL Cert is...

 

First off, nothing 'passes through' the cert. The cert identifies your website as registered and valid through the certificate issuer, and that's about it. The 'level' of the certificate you purchase determines the level of warranty provided by the issuer. The actual data passes through a secure session on the server-side (HTTPS). The cert warrants that you are in fact transferring your data through a secure session on a server website that belongs to who you think it belongs to. One of the things it does is allow you to feel safe that you weren't redirected somewhere you didn't intend to do business.

 

So, let's say you go to http://www.commerce-site.com. You add a few things to your cart, then upon checkout you are redirected to https://www.commerce-site.com/checkout. Once on that page, you can view the certificate and verify that you are INDEED connected to commerce-site.com, and the connection is secured/encrypted.

 

So, in essence, the site's cert is only a verification of information, nothing much else. Someone 'hijacking' your cert would not be able to use it, and if they somehow fooled somebody into doing business under the guise of your cert, you certainly would have no liability whatsoever.

 

You can give your host the information they requested. It's all good... no harm can come to you in doing so.

 

PhREEEk


dbo wrote:

 

> I don't think its possible, but also consider... if you're trusting them to host your website how can you not trust them with this? They

> could have complete access to your database and all of your code if they wanted.

 

Very good point!!  <<insert Homer Simpson "D'oh!">>  ;D

 

I'm just doing my due diligence on this topic, but your advice may be even better.

 

(I just get so annoyed at how UN-safe so many major American corporations are with your information.)

 

Thanks,

 

 

Amy

 


PhREEEk wrote:

> It seems there is some major misunderstanding on what exactly an SSL Cert is...

> First off, nothing 'passes through' the cert. The cert identifies your website as registered and valid through the certificate issuer, and that's about it. The 'level' of the certificate you purchase determines the level of warranty provided by the issuer. The actual data passes through a secure session on the server-side (HTTPS). The cert warrants that you are in fact transferring your data through a secure session on a server website that belongs to who you think it belongs to. One of the things it does is allow you to feel safe that you weren't redirected somewhere you didn't intend to do business.

> So, let's say you go to http://www.commerce-site.com. You add a few things to your cart, then upon checkout you are redirected to https://www.commerce-site.com/checkout. Once on that page, you can view the certificate and verify that you are INDEED connected to commerce-site.com, and the connection is secured/encrypted.

> So, in essence, the site's cert is only a verification of information, nothing much else. Someone 'hijacking' your cert would not be able to use it, and if they somehow fooled somebody into doing business under the guise of your cert, you certainly would have no liability whatsoever.

> You can give your host the information they requested. It's all good... no harm can come to you in doing so.

> PhREEEk

 

Sorry.  Pardon my ignorance on SSL certificates.  Yes, your explanation helps quite a bit.

 

I guess I was under the impression from some things that I read online, that the SSL certificate was part of the HTTPS connection, and that if it was hacked, that someone could gain access to the data being sent or redirect the data somewhere else.

 

I thought it was analogous to a phone line where it not only promised to be a line to 1-800-FLOWERS, but also a guarantee that you were actually talking to 1-800-FLOWERS.

 

Apparently it is more like a "seal of approval" or "Member of the Better Business Bureau", right?

 

So, since I think (?) that I better understand what the SSL certificate does, then why should a person pay $300 for a Verisign SSL certificate versus $75 for a Comodo SSL certificate??  :-\

 

 

Amy

 


LOL... yep, you got it now...

 

Get the Comodo cert. The difference is just the amount of warranty provided, and unless you're a huge corporation doing a few mil a year, the Comodo cert is totally adequate.

 

I run servers and have done server-side administration for over 5 years. If you need any help with anything, feel free to ask!

 

PhREEEk


Thanks for the explanation, PHP_PhREEEk.

 

Okay, so you say "Get the Comodo cert. The difference is just the amount of warranty provided, and unless you're a huge corporation doing a few mil a year, the Comodo cert is totally adequate."

 

But I've heard some people say that "name matters" and that customers may not trust a site that doesn't use Verisign.

 

Do you think that is true, or is it just fluff?  (Personally, I HATE Verisign after they screwed me over on a domain name issue about 7 years ago.  But it does seem like they are THE source for SSL certificates.)

 

What do you think is a balanced approach?

 

 

Amy

 


Of course industry professionals know that the 'name game' is just fluff, but we can't predict what the larger public opinion would be. Logically, there is no difference. To get a Cert, you normally need to fill out information and FAX it or snail mail it in, and then your cert is issued. Maybe the public thinks that Verisign goes through a more rigorous process? You never know what people think...

 

I have, of course in my time of administration, set up many a cart system. I have never once had a client tell me that a customer refused to complete a transaction due to a cert being from one company versus another. Never. Ever.

 

Ask yourself, how many things have you purchased across the internet? Out of all of those things, how many times have you actually looked at a cert during checkout? You usually don't, and here's why... if the cert is valid, matches the site you are doing business with, and isn't expired, no error is thrown by the browser. If anything doesn't look right about the cert, or if one isn't present at all, your browser will warn you. So, if there's no warning, we usually just continue the checkout.

 

So out of all the things you have purchased, how many had a Verisign cert versus another cert of some sort? You probably don't know those numbers... I know I don't... and I believe a vast majority wouldn't know. I don't even know what cert my bank has!! lol... I may need to check now! heh

 

You get the point... Verisign is only THE source because they ADVERTISE themselves as THE source. Truth is, any verified cert is good enough. As long as a warning by the browser isn't thrown in the customer's face, they 99% of the time wouldn't even view the cert.

 

POPUP: Warning! This site's Certificate was NOT issued by Verisign! Are you SURE you want to continue? <y/n> (We recommend you leave this site immediately!)

 

heheh Verisign would LOVE that one!

 

PhREEEk

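The three browser checks the post describes (issuer trusted, name matches the site, not expired), as an added example that is not part of the thread: a throwaway test CA issues a one-day certificate for the made-up host www.commerce-site.com, and the openssl CLI (assumed present, 1.1.0 or newer for -verify_hostname) is run through each check, including the failing cases.

```shell
# Added example (not from the thread). Constructed CA and hostname; assumes
# the openssl CLI is installed and supports -verify_hostname and -attime.
set -e
WORK=$(mktemp -d)
SITE=www.commerce-site.com

# Throwaway CA, plus a leaf certificate for the site that is valid for one day.
setup_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.pem" -subj "/CN=Test CA" -days 365 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/site.key" \
        -out "$WORK/site.csr" -subj "/CN=$SITE" 2>/dev/null
    # Browsers match the hostname against the SAN extension, so issue with one.
    printf 'subjectAltName=DNS:%s\n' "$SITE" > "$WORK/san.cnf"
    openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/san.cnf" -out "$WORK/site.pem" 2>/dev/null
}

# verify_as HOSTNAME [extra openssl verify options]: exit 0 only when the
# chain is trusted, the name matches and the validity period covers the time.
verify_as() {
    host=$1; shift
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$host" "$@" \
        "$WORK/site.pem" >/dev/null 2>&1
}

# Issuer not trusted: same certificate, but the test CA is not in the store.
verify_untrusted() {
    openssl verify -verify_hostname "$SITE" "$WORK/site.pem" >/dev/null 2>&1
}

# Expired: evaluate the chain as if it were ten days in the future.
verify_expired() {
    verify_as "$SITE" -attime $(( $(date +%s) + 10 * 86400 ))
}

setup_pki
```

The same certificate passes only when all three conditions hold; a name mismatch, an unknown issuer or a clock past notAfter each produce the non-zero status that a browser turns into its warning.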
