SSL Certificates

Discussion in 'NZ Computing' started by madknoxie, Oct 27, 2003.

  1. madknoxie

    madknoxie Guest

    I'm very interested to know: where do you get/purchase your SSL
    certificates from?

    --
    madknoxie
    $35 .nz domain names: http://www.ivision.co.nz/
     
    madknoxie, Oct 27, 2003
    #1

  2. madknoxie

    Adam Warner Guest

    Hi madknoxie,

    > I'm very interested to know: where do you get/purchase your SSL
    > certificates from?


    InstantSSL/Comodo are extremely competitive. Be aware that there is
    nothing instant about the process of obtaining a genuine certificate (in
    contrast to a trial certificate): <http://www.instantssl.com/>

    Note also that "Instant SSL is inherently trusted by 99.3% of the current
    Internet population. This makes Instant SSL as equally trusted as more
    expensive Certificates from Verisign and Thawte."

    You shouldn't need the pro/premium stuff. Though I'd love a wildcard
    certificate (otherwise you'd need two certificates to "secure"
    website.co.nz and www.website.co.nz. Think carefully about which domain
    name your customers use by default).

    Regards,
    Adam
     
    Adam Warner, Oct 27, 2003
    #2

  3. madknoxie

    madknoxie Guest

    In article <>,
    Adam Warner <> wrote:

    > Hi madknoxie,
    >
    > > I'm very interested to know: where do you get/purchase your SSL
    > > certificates from?

    >
    > InstantSSL/Comodo are extremely competitive. Be aware that there is
    > nothing instant about the process of obtaining a genuine certificate (in
    > contrast to a trial certificate): <http://www.instantssl.com/>


    Yeah, I was considering Comodo until I read these:
    http://www.sslreview.com/content/baltimore_sale.html
    http://www.whichssl.org/content/comodo_spam.html


    > You shouldn't need the pro/premium stuff. Though I'd love a wildcard
    > certificate (otherwise you'd need two certificates to "secure"
    > website.co.nz and www.website.co.nz. Think carefully about which domain
    > name your customers use by default).


    Thanks, I wondered what all the talk about a Wildcard was. In my case it
    shouldn't be much of an issue because I can just provide the entire URL
    as the link to the shopping cart.

    --
    madknoxie
    $35 .nz domain names: http://www.ivision.co.nz/
     
    madknoxie, Oct 27, 2003
    #3
  4. madknoxie

    Adam Warner Guest

    Hi madknoxie,

    >> > I'm very interested to know: where do you get/purchase your SSL
    >> > certificates from?

    >>
    >> InstantSSL/Comodo are extremely competitive. Be aware that there is
    >> nothing instant about the process of obtaining a genuine certificate
    >> (in contrast to a trial certificate): <http://www.instantssl.com/>

    >
    > Yeah, I was considering Comodo until I read these:
    > http://www.sslreview.com/content/baltimore_sale.html
    > http://www.whichssl.org/content/comodo_spam.html


    Interesting, thanks! The validity of the facts surrounding the targeted
    emails could be material:
    <http://www.instantssl.com/ssl-certificate-news/ssl-230603.html>

    It certainly appears to be true that Thawte screwed up and are replacing
    certificates: <http://www.thawte.com/serial_faq.html>. If Comodo uncovered
    this and only contacted affected customers then a public interest argument
    could be made that affected customers would want to know about this (I
    certainly would, but what's the urgency if it really took 9 months of
    investigation? Not letting Thawte inform their customers first was low:
    "We will be happy to pass our findings onto Thawte so that they can take
    the necessary remedial action to their certificate generation
    procedures.")

    The earlier link is also troubling. If Comodo goes then the only other
    options remaining like Thawte are far more expensive. I didn't come across
    anyone else with the same level of browser compatibility as Thawte and
    Verisign while also being vastly cheaper.

    I don't know how worried you should be about this. If Comodo is now the
    second largest certification authority in the world they should be able to
    work something out, even if it means losing the widest level of browser
    compatibility.

    Watch out when comparing prices. A US$49 FreeSSL.com certificate will not
    have the same level of trust support in browsers (it appears to be MSIE
    5.01+ and Netscape 7 only, which may be sufficient for your purposes). If
    you find out about anyone else that can match the same level of
    compatibility as Verisign and Thawte but at a similar price to Comodo then
    let us know.

    Regards,
    Adam
     
    Adam Warner, Oct 27, 2003
    #4
  5. madknoxie

    T-Boy Guest

    In article <>,
    says...
    > I'm very interested to know: where do you get/purchase your SSL
    > certificates from?


    I got mine from my PC - W2K Pro - but then I'm not asking "other
    people" to trust it.

    --
    Duncan
     
    T-Boy, Oct 27, 2003
    #5
  6. madknoxie

    Enkidu Guest

    On Mon, 27 Oct 2003 21:14:34 +1300, T-Boy <> wrote:

    >In article <>,
    > says...
    >> I'm very interested to know: where do you get/purchase your SSL
    >> certificates from?

    >
    >I got mine from my PC - W2K Pro - but then I'm not asking "other
    >people" to trust it.
    >

    Why not? If I go to your website to purchase something, all I'm really
    worried about is that no one can steal my CC number in transit. If
    they can compromise your machine enough to steal your certificate,
    they have access to your machine anyway, and presumably my CC number.

    Cheers,

    Cliff
    --

    The complete lack of evidence is the surest sign
    that the conspiracy is working.
     
    Enkidu, Oct 27, 2003
    #6
  7. madknoxie

    Adam Warner Guest

    Hi Enkidu,

    >>I got mine from my PC - W2K Pro - but then I'm not asking "other people"
    >>to trust it.
    >>

    > Why not? If I go to your website to purchase something, all I'm really
    > worried about is that no one can steal my CC number in transit. If they
    > can compromise your machine enough to steal your certificate, they have
    > access to your machine anyway, and presumably my CC number.


    Cliff, I could use my computer to generate a certificate duplicating
    T-Boy's credentials. Then I hijack your DNS server so that when you type
    in T-Boy's website name you reach my server instead. The browser complains
    that it can't verify my self-signed certificate masquerading as T-Boy's
    just as it complains that it can't verify T-Boy's self-signed certificate.
    You won't tell the difference and I won't need to steal T-Boy's
    certificate.

    What self-signed certificates give you is encryption. They don't give you
    an assurance that you are talking to the computer you think you are
    talking to.

    Regards,
    Adam
     
    Adam Warner, Oct 27, 2003
    #7
  8. madknoxie

    Guest

    On Mon, 27 Oct 2003 21:14:34 +1300, T-Boy <> wrote:

    >In article <>,
    > says...
    >> I'm very interested to know: where do you get/purchase your SSL
    >> certificates from?

    >
    >I got mine from my PC - W2K Pro - but then I'm not asking "other
    >people" to trust it.


    If you don't need "other people" to trust it then you could have
    simply created and signed it yourself.

    The whole thing about root certificates etc is authentication. The
    encryption is just as good if you generate it yourself.
     
    , Oct 27, 2003
    #8
  9. madknoxie

    T-Boy Guest

    In article <>,
    says...
    > On Mon, 27 Oct 2003 21:14:34 +1300, T-Boy <> wrote:
    >
    > >In article <>,
    > > says...
    > >> I'm very interested to know: where do you get/purchase your SSL
    > >> certificates from?

    > >
    > >I got mine from my PC - W2K Pro - but then I'm not asking "other
    > >people" to trust it.
    > >

    > Why not? If I go to your website to purchase something, all I'm really
    > worried about is that no one can steal my CC number in transit. If
    > they can compromise your machine enough to steal your certificate,
    > they have access to your machine anyway, and presumably my CC number.


    .... what Adam said :)


    --
    Duncan
     
    T-Boy, Oct 27, 2003
    #9
  10. madknoxie

    T-Boy Guest

    In article <>, synergy56
    @hotmail.com says...
    > On Mon, 27 Oct 2003 21:14:34 +1300, T-Boy <> wrote:
    >
    > >In article <>,
    > > says...
    > >> I'm very interested to know: where do you get/purchase your SSL
    > >> certificates from?

    > >
    > >I got mine from my PC - W2K Pro - but then I'm not asking "other
    > >people" to trust it.

    >
    > If you don't need "other people" to trust it then you could have
    > simply created and signed it yourself.


    I have - of course!

    >
    > The whole thing about root certificates etc is authentication. The
    > encryption is just as good if you generate it yourself.


    Sure - the encryption's fine - but there's no guarantee on certificate
    authenticity, hence it's not trustworthy - are we going round in circles
    here :)


    --
    Duncan
     
    T-Boy, Oct 27, 2003
    #10
  11. On Mon, 27 Oct 2003 07:37:54 -0500, synergy5 wrote:

    >
    > The whole thing about root certificates etc is authentication. The
    > encryption is just as good if you generate it yourself.



    Uh yeah... like the Verisign - approved "microsoft.com" certificates which
    were generated by someone with nothing to do with MS.

    All a root-verified certificate shows is that you paid someone some money
    to countersign it. They DO NOT verify who you are.
     
    Uncle StoatWarbler, Oct 27, 2003
    #11
  12. On Tue, 28 Oct 2003 00:31:43 +1300, Adam Warner wrote:

    > What self-signed certificates give you is encryption. They don't give you
    > an assurance that you are talking to the computer you think you are
    > talking to.


    Nor do root-signed certificates. There is virtually no auditing on them.
     
    Uncle StoatWarbler, Oct 27, 2003
    #12
  13. madknoxie

    AD. Guest

    On Mon, 27 Oct 2003 15:32:15 +0100, Uncle StoatWarbler wrote:

    > On Mon, 27 Oct 2003 07:37:54 -0500, synergy5 wrote:
    >
    >> The whole thing about root certificates etc is authentication. The
    >> encryption is just as good if you generate it yourself.

    >
    > Uh yeah... like the Verisign - approved "microsoft.com" certificates which
    > were generated by someone with nothing to do with MS.
    >
    > All a root-verified certificate shows is that you paid someone some money
    > to countersign it. They DO NOT verify who you are.


    I don't think that's the point. Security is about trade offs, and nothing
    is 100%.

    I would still place more trust in a root-verified cert than a self signed
    one. With a trusted cert the attacker has to both social engineer a cert
    AND hijack your DNS - without one they only have to hijack your DNS. It's
    one extra barrier.

    Discounting the value of a trusted cert, is a little bit like not
    hardening your bastion hosts because they are behind a firewall.

    Cheers
    Anton
     
    AD., Oct 27, 2003
    #13
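    Adam's scenario in #7 (a self-signed certificate bearing the victim's name) and Anton's "one extra barrier" in #13 can be checked with the openssl CLI. This is an added example, not code from any poster: it builds a private root CA standing in for a browser-trusted one, a certificate that root signs for www.website.co.nz, and a self-signed impostor claiming the same name, then runs the check a browser performs. The names "Example Root CA" and "www.website.co.nz" are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI; all files live in
# a temporary directory that is removed on exit.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# The trust anchor: stands in for a root the browser ships (Thawte, Verisign, ...).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Example Root CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# The merchant's certificate: a request for its name, signed by the root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.website.co.nz" \
  -keyout site.key -out site.csr >/dev/null 2>&1
openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -out site.crt >/dev/null 2>&1

# The impostor's certificate: self-signed, same name, made with no CA involved.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=www.website.co.nz" -keyout fake.key -out fake.crt >/dev/null 2>&1

# subject_of CERT: the name a certificate claims. It is identical for site.crt
# and fake.crt, which is why the name alone tells the visitor nothing.
subject_of() {
  openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'
}

# verify_cert CERT HOSTNAME: "ok" only if CERT chains to the trusted root AND was
# issued for HOSTNAME; otherwise "fail". This is the check behind the padlock.
verify_cert() {
  if openssl verify -CAfile ca.crt -verify_hostname "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

echo "site.crt claims: $(subject_of site.crt)"
echo "fake.crt claims: $(subject_of fake.crt)"
echo "root-signed cert, right name:  $(verify_cert site.crt www.website.co.nz)"
echo "self-signed cert, right name:  $(verify_cert fake.crt www.website.co.nz)"
echo "root-signed cert, bare domain: $(verify_cert site.crt website.co.nz)"
```

The last line shows Adam's wildcard remark from #2: a certificate for www.website.co.nz does not cover website.co.nz, so a second certificate (or a wildcard) is needed for the bare name.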
  14. madknoxie

    T-Boy Guest

    In article <>, alanb+google4
    @digistar.com says...
    > On Mon, 27 Oct 2003 07:37:54 -0500, synergy5 wrote:
    >
    > >
    > > The whole thing about root certificates etc is authentication. The
    > > encryption is just as good if you generate it yourself.

    >
    >
    > Uh yeah... like the Verisign - approved "microsoft.com" certificates which
    > were generated by someone with nothing to do with MS.
    >
    > All a root-verified certificate shows is that you paid someone some money
    > to countersign it. They DO NOT verify who you are.


    Yes they do.

    You know damn well this was a Verisoft screw up.

    --
    Duncan
     
    T-Boy, Oct 27, 2003
    #14
  15. In article <>, "Uncle StoatWarbler" <> wrote:
    >On Mon, 27 Oct 2003 07:37:54 -0500, synergy5 wrote:
    >*SNIP*
    >Uh yeah... like the Verisign - approved "microsoft.com" certificates which
    >were generated by someone with nothing to do with MS.
    >

    IIRC that was due to a failure at MS not at Verisign - Someone got hold
    of the password for the root microsoft.com certificate, and was then
    able to generate new certificates that were "signed" by the
    microsoft.com root. I may be wrong, but that's my understanding of what
    happened.

    >All a root-verified certificate shows is that you paid someone some money
    >to countersign it. They DO NOT verify who you are.
    >

    As a general rule they're pretty safe. The big authorities do a fair
    bit of work to ensure that you are who you say you are before they'll
    sign a certificate. You need to produce things like certificates of
    incorporation (or the local equivalent), validated proof of address,
    etc. It's not quick and easy, but you already know that Alan.

    --
    Matthew Poole Auckland, New Zealand
    "Veni, vidi, velcro...
    I came, I saw, I stuck around"

    My real e-mail is mattATp00leDOTnet
     
    Matthew Poole, Oct 27, 2003
    #15
  16. madknoxie

    Zidoo Guest

    I am a thawte client and the serial number duplication had no effect
    on my business. Thawte's support was extremely efficient in
    implementing the re-issue as quickly as possible. Comodo on the other
    hand have given me the worst support I have received through any
    company.


    Adam Warner <> wrote in message news:<>...
    > Hi madknoxie,
    >
    > >> > I'm very interested to know: where do you get/purchase your SSL
    > >> > certificates from?
    > >>
    > >> InstantSSL/Comodo are extremely competitive. Be aware that there is
    > >> nothing instant about the process of obtaining a genuine certificate
    > >> (in contrast to a trial certificate): <http://www.instantssl.com/>

    > >
    > > Yeah, I was considering Comodo until I read these:
    > > http://www.sslreview.com/content/baltimore_sale.html
    > > http://www.whichssl.org/content/comodo_spam.html

    >
    > Interesting, thanks! The validity of the facts surrounding the targeted
    > emails could be material:
    > <http://www.instantssl.com/ssl-certificate-news/ssl-230603.html>
    >
    > It certainly appears to be true that Thawte screwed up and are replacing
    > certificates: <http://www.thawte.com/serial_faq.html>. If Comodo uncovered
    > this and only contacted affected customers then a public interest argument
    > could be made that affected customers would want to know about this (I
    > certainly would, but what's the urgency if it really took 9 months of
    > investigation? Not letting Thawte inform their customers first was low:
    > "We will be happy to pass our findings onto Thawte so that they can take
    > the necessary remedial action to their certificate generation
    > procedures.")
    >
    > The earlier link is also troubling. If Comodo goes then the only other
    > options remaining like Thawte are far more expensive. I didn't come across
    > anyone else with the same level of browser compatibility as Thawte and
    > Verisign while also being vastly cheaper.
    >
    > I don't know how worried you should be about this. If Comodo is now the
    > second largest certification authority in the world they should be able to
    > work something out, even if it means losing the widest level of browser
    > compatibility.
    >
    > Watch out when comparing prices. A US$49 FreeSSL.com certificate will not
    > have the same level of trust support in browsers (it appears to be MSIE
    > 5.01+ and Netscape 7 only, which may be sufficient for your purposes). If
    > you find out about anyone else that can match the same level of
    > compatibility as Verisign and Thawte but at a similar price to Comodo then
    > let us know.
    >
    > Regards,
    > Adam
     
    Zidoo, Oct 27, 2003
    #16
  17. madknoxie

    Howard Guest

    Does anyone know the state of play for issuing client certs in NZ? So that
    users can authenticate themselves online to government websites and other
    "it's important we know who we're talking to" sites.

    I know the Bankers Association looked at this back in 2000. They asked PWC
    to recommend a way for the banks to cooperate (a la eftpos), rather than
    each bank duplicate the costs of the CA scheme. PWC said to the banks "it's
    too early to say" and then promptly brought out their own client cert scheme
    (beTRUSTED www.betrusted.com).

    The banks also wanted to be compatible with whatever their Aussie parents
    were doing (ie GateKeeper
    http://www.noie.gov.au/projects/confidence/Securing/Gatekeeper.htm) as well
    as what is happening internationally (ie Identrus www.identrus.com). I see
    the aussies are progressing well, with some degree of tie-up between Identrus
    & Gatekeeper.

    About the only thing that we've seen locally is the flop that was ANZ's Zed
    card (www.zed.co.nz). Does anyone know more, or is NZ going to be forever in
    the dark regarding online authenticated services?
     
    Howard, Oct 28, 2003
    #17
  18. madknoxie

    Adam Warner Guest

    Hi T-Boy,

    >> >I got mine from my PC - W2K Pro - but then I'm not asking "other
    >> >people" to trust it.
    >> >

    >> Why not? If I go to your website to purchase something, all I'm really
    >> worried about is that no one can steal my CC number in transit. If they
    >> can compromise your machine enough to steal your certificate, they have
    >> access to your machine anyway, and presumably my CC number.

    >
    > ... what Adam said :)


    By the way (and yes it's obvious to everyone with an ounce of common
    sense), my use of "I" in the reply was for rhetorical effect and in no way
    implies that I condone the approach or would use my computer to commit
    fraud.

    The most secure website credit card verification systems never even
    provide the credit card number to the merchant. The financial institution
    handles the transaction and lets the merchant know the result. It does
    mean that the credit card number has to be entered for subsequent
    transactions with the same merchant. But it also means that a criminal has
    less to gain from breaking into the merchant's servers. And the public
    relations issues arising out of any break in are greatly minimised
    (telling all your customers their credit card numbers may have been
    compromised is not endearing).

    Regards,
    Adam
     
    Adam Warner, Oct 28, 2003
    #18
  19. madknoxie

    Gurble Guest

    On Mon, 27 Oct 2003 18:27:37 +1300, madknoxie
    <> wrote:

    >Yeah, I was considering Comodo until I read these:
    >http://www.sslreview.com/content/baltimore_sale.html
    >http://www.whichssl.org/content/comodo_spam.html
    >

    Remember that whichssl.org (and sslreview.com) are owned by Geotrust,
    whose main competitor is.... you guessed it, Comodo.

    The site is just a big, cunningly disguised, marketing and propaganda
    trick. Why do you think only Verisign and GeoTrust are listed as the
    "Top 2 Enterprise Class SSL Providers"? Verisign? Sure. GeoTrust? I'll
    leave it as an exercise for the reader to make up their own mind on
    this one...
     
    Gurble, Oct 28, 2003
    #19
  20. madknoxie

    Enkidu Guest

    On Tue, 28 Oct 2003 00:31:43 +1300, Adam Warner
    <> wrote:

    >Hi Enkidu,
    >
    >>>I got mine from my PC - W2K Pro - but then I'm not asking "other people"
    >>>to trust it.
    >>>

    >> Why not? If I go to your website to purchase something, all I'm really
    >> worried about is that no one can steal my CC number in transit. If they
    >> can compromise your machine enough to steal your certificate, they have
    >> access to your machine anyway, and presumably my CC number.

    >
    >Cliff, I could use my computer to generate a certificate duplicating
    >T-Boy's credentials. Then I hijack your DNS server so that when you type
    >in T-Boy's website name you reach my server instead. The browser complains
    >that it can't verify my self-signed certificate masquerading as T-Boy's
    >just as it complains that it can't verify T-Boy's self-signed certificate.
    >You won't tell the difference and I won't need to steal T-Boy's
    >certificate.
    >
    >What self-signed certificates give you is encryption. They don't give you
    >an assurance that you are talking to the computer you think you are
    >talking to.
    >

    But with a man-in-the-middle attack you don't know either!

    However, I accept that I'm losing this argument.....

    Cheers,

    Cliff
    --

    The complete lack of evidence is the surest sign
    that the conspiracy is working.
     
    Enkidu, Oct 28, 2003
    #20