SSL (Secure Sockets Layer) Connections

  • 09-05-2007 1:20pm
    #1
    Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭


    Hey all,

    Not too sure if this is the right place, but the web hosting forum is closed so I thought it would be more appropriate here :)

    I just want to clarify some confusion I have surrounding https:// connections - which I assume uses SSL. I take it that it's a form of security when transmitting data across the internet, such as purchasing goods online. Most big companies get their SSL Certificates signed by a company such as VeriSign (which cost a fortune).

    However, I have been informed that these certificates do not have to be signed (contradicting what Wikipedia claims) by a company such as VeriSign and can indeed be signed by the website owner or indeed anyone. It's up to the individual using the site who they trust more. Is this true? If so, I take it that it's enabled on the webserver (SSL connections) and somehow a certificate is generated and signed by the owner?

    I thought it would be best to ask around here, since I'm getting contradictory stories!

    Cheers.



Comments

  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Sully wrote:
    I have been informed that these certificates do not have to be signed (contradicting what Wikipedia claims) by a company such as VeriSign and can indeed be signed by the website owner or indeed anyone. It's up to the individual using the site who they trust more. Is this true?
    It is. However, self signed certificates should never be public facing.


  • Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭Sully


    Can you explain further what you mean by "public facing"?

    Thanks.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    They should only be used internally (intranets, etc) where their validity can be guaranteed. A self signed certificate should never be used where a member of the public has to decide whether or not they trust the cert.


  • Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭Sully


    Say in a simple web form.. the form is filled in and is then sent to an email address. A copy of the data is not kept on the server, just the PC where the email is received.

    I take it HTTPS is still required, and while it's encrypted at the server - how does the receiver (the user) decrypt each form set of data?


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    while it's encrypted at the server - how does the receiver (the user) decrypt each form set of data?
    The information is decrypted automatically by the server when it receives the data, and then passed to any applications that will need it. So the email server that will forward the message will receive the text from the socket as plain text.

    The encryption is there purely for the purposes of not allowing anyone doing a "man in the middle" scan who may intercept the data the ability to read it.


  • Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭Sully


    OK so I take it when SSL is enabled (I assume it's per-page, and not per-site?) and I go to a web form using PHP - I fill in the form, click submit. The information is encrypted and the script which deals with handling the form is able to decrypt it and send it to an email address?


  • Closed Accounts Posts: 149 ✭✭leaba


    In simple language, SSL serves 3 main purposes.
    - Making sure no one can listen in on the two communicating parties
    - Authentication of one or both parties (Making sure they are who they say they are)
    - Making sure no one adds in or removes bits from the conversation (you don't have to actually know what they are saying to each other to do this)

    The certificates come in handy when you are trying to determine if someone is who they say they are. There are a bunch of certificate authorities (you have listed some) whose job it is to make sure people are who they say they are...and then vouch for them (By signing their certificate).

    These certificate authorities are known by your browser, so when it sees a certificate signed by someone it recognises (trusts) it doesn't throw up a nasty "There is something not right with this certificate" message.

    If it gets a cert that isn't signed by someone it trusts (i.e. signed by you...self signed) or it's out of date, or whatever, you will get a warning message.

    This message is telling the end user, this guy's got a cert but there's no one vouching for him, so while your connection is secure...you could be talking to anyone.

    Maybe this is okay for what you have in mind....maybe not.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Pretty much. The information is decrypted before it is passed to PHP or any other applications.


  • Closed Accounts Posts: 149 ✭✭leaba


    In answer to your last question, it's decrypted before it ever gets to the script. The script doesn't have to worry about SSL at all.


  • Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭Sully


    Ah ok cheers. I enquired a while ago with VeriSign but they were very expensive. Are there cheaper alternatives, that browsers will recognise?

    Also, is it per-page or per-site that SSL is enabled? Like, will it only be assigned to one location or if it's enabled can it be used on all the site..


  • Closed Accounts Posts: 149 ✭✭leaba


    There's a few ways you can do it, and it depends on the webserver you're using. If you're looking for a simple solution and don't expect a serious amount of transactional type access (short connections, from new clients...SSL is expensive in CPU terms, especially in establishing connections with new clients), the most simple thing to do would be to just make the entire site SSL enabled, and don't serve it on http at all (Just https).


  • Closed Accounts Posts: 149 ✭✭leaba


    Don't know about price...I'm pretty sure you can get it done for around 100 bucks, if you consider this expensive, you probably can make do with a self signed cert.


  • Closed Accounts Posts: 149 ✭✭leaba


    Google the following "price for ssl cert", and look at the second line from thawte.


  • Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭Sully


    leaba wrote:
    There's a few ways you can do it, and it depends on the webserver you're using. If you're looking for a simple solution and don't expect a serious amount of transactional type access (short connections, from new clients...SSL is expensive in CPU terms, especially in establishing connections with new clients), the most simple thing to do would be to just make the entire site SSL enabled, and don't serve it on http at all (Just https).

    At the moment, I don't have any access to the server (apart from FTP) and just ask the host to do what I want him to do. It's a site that was developed for my parents' Guest House years back and I was given control of it recently as they were charging too much to maintain it. I've improved areas vastly, and want to address the issue of un-secure data being sent from a booking form. All it is, is new clients coming on filling in the form with credit card details and submitting it.

    Enabling a whole site to be https... never seen that done in many places. Wouldn't that consume more CPU?


  • Closed Accounts Posts: 149 ✭✭leaba


    If you're not doing it yourself, just tell the host that you want the form submission page SSL enabled and let them look after it.


  • Closed Accounts Posts: 593 ✭✭✭McSandwich


    Hosting365 do them for €99 installed, see http://www.ssl365.com/

    They also have a 30 day free trial, might be useful..


  • Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭Sully


    I have done, but I'm learning all about this as I'm in the process of setting up an IT Solutions company and part of our company will do web hosting & development. :)

    I have a good understanding of it now, and will probably remain in touch with the host - which I hope knows what it's doing.


  • Closed Accounts Posts: 149 ✭✭leaba


    sully wrote:
    will probably remain in touch with the host - which I hope knows what it's doing
    sully wrote:
    I'm in the process of setting up an IT Solutions company and part of our company will do web hosting & development.

    :)


  • Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭Sully


    leaba wrote:
    will probably remain in touch with the host - which I hope knows what it's doing

    I'm in the process of setting up an IT Solutions company and part of our company will do web hosting & development.

    :)

    Not too sure what you're getting at. I'm not involved in the webhosting side of things, and we don't plan to host business straight away anyway. But, I still like to know about what's going on etc. :)


  • Banned (with Prison Access) Posts: 3,073 ✭✭✭mickoneill30


    An alternative to self signed would be these guys.

    http://cert.startcom.org/

    They do free SSL certs. I've checked my Firefox settings and they're listed as an SSL authority. This means if a user connects with Firefox the cert will be accepted without any prompting.
    They're not listed in IE as an authority though so customers connecting using IE will get prompted to accept the certificate or not.
    So it's not a great option for users facing to customers but handy enough for smaller sites where the admin will know the majority of people connecting to his / her site.


  • Closed Accounts Posts: 149 ✭✭leaba


    Just joking!


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    You can get an SSL for under 99 euro from a lot of hosting companies that will be "trusted" by most browsers

    The only thing is that if you are using email then that won't be encrypted (unless you want to confuse your parents with encrypted email, which I'd recommend you didn't) as SMTP uses plain text.


  • Registered Users Posts: 1,477 ✭✭✭azzeretti


    It is. However, self signed certificates should never be public facing.

    Not sure I entirely agree with this. Encryption is encryption. If I generated a cert from a local CA it will still be encrypted to whatever standard I assign. The problem with this is getting local machines to recognise the Root Authority and trust it. You won't want public websites with unknown Roots, but there isn't a problem with public facing sites as long as clients/users trust you as an Authority.

    But this is probably just confusing things!


  • Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭Sully


    Thanks BlackNight. As for emails - I won't be even considering going down that route. We don't normally send Credit Card details that way, but we do sometimes receive them that way - which is out of our hands.

    I just want to secure the site, so people can feel somewhat happy using it - it makes life easier on us, as people send their CC details either split up into several emails or hidden within letters (like AB0CEDA4L9... etc). Also, calling it over the phone can sometimes (rarely) be taken down wrong by the person taking the reservation or a fax gets misplaced or the print fades.

    Cheers anyway, still waiting for the host to reply.


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    If your main concern is securing the site then get an SSL cert which is signed by a major CA such as Comodo, Verisign, Thawte or Geotrust (there are HUGE differences in price, but very little in functionality / usability).

    I'd recommend securing any area of the site where personal data is collected, as it will give people a greater sense of security PLUS you can get one of those nice little site seals telling the world how secure you are :)


  • Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭Sully


    I checked today to see if it was done and entered the new address manually, and it seems to have been set up yesterday. Can someone confirm this is actually set up ok; https://www.cliffhouse.ie/booking.html

    I updated navigation accordingly.

    Also, on search for SSL I found an Irish host (who's a member on Boards) which offers very cheap SSL certs for 128 and 256bit encryption. I assumed the certificate had nothing to do with encryption, and that's set by the host and not the issuer of the SSL Cert?


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    It looks like the cert was issued for cliffhouse.ie and NOT www.cliffhouse.ie, so it's giving errors


  • Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭Sully


    I noticed that, so I take it I ask them to fix the cert so it's for www.cliffhouse.ie? I assumed it wasn't a big issue, as it's the same domain.


  • Registered Users Posts: 804 ✭✭✭TimTim


    GoDaddy do SSL certs for as low as $19.99 a year

    I got one for a domain last night and it seems to cover www.me.com and me.com
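
The name mismatch discussed above (a certificate issued for cliffhouse.ie presented on www.cliffhouse.ie), as an added example that is not part of any post in the thread: a simplified hostname check in Python. The certificate dictionaries are constructed for illustration, and `name_matches`, `cert_covers` and `report` are hypothetical helper names.

```python
# Added example: simplified hostname check in the spirit of RFC 6125.
# The certificate dicts are constructed; they are NOT the real
# certificates of any site mentioned in the thread.

def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (possibly '*.domain') covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # 'cliffhouse.ie' never covers 'www.cliffhouse.ie': to the check
        # they are simply two different names.
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label and must sit
        # above at least two fixed labels.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_covers(cert: dict, hostname: str) -> bool:
    """Check hostname against DNS SANs, falling back to the CN if none."""
    names = cert.get("san_dns") or [cert["common_name"]]
    return any(name_matches(n, hostname) for n in names)


def report(cert: dict, hostnames: list) -> dict:
    """Map each hostname to whether the certificate is valid for it."""
    return {h: cert_covers(cert, h) for h in hostnames}


# Constructed sample certificates (assumptions, for illustration only).
BARE_ONLY = {"common_name": "cliffhouse.ie", "san_dns": []}
BOTH_NAMES = {"common_name": "www.cliffhouse.ie",
              "san_dns": ["www.cliffhouse.ie", "cliffhouse.ie"]}
WILDCARD = {"common_name": "*.cliffhouse.ie",
            "san_dns": ["*.cliffhouse.ie"]}

if __name__ == "__main__":
    hosts = ["cliffhouse.ie", "www.cliffhouse.ie", "a.b.cliffhouse.ie"]
    for label, cert in (("bare only", BARE_ONLY),
                        ("both names", BOTH_NAMES),
                        ("wildcard", WILDCARD)):
        print(label, report(cert, hosts))
```

Real clients leave this check to their TLS library; in Python, `ssl.create_default_context()` enables it through `check_hostname`.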


  • Moderators, Education Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 24,056 Mod ✭✭✭✭Sully


    Whereabouts have you used it on your site, just so I can see it in action?

    Fair play to GoDaddy.

