I'm very interested to know: where do you get/purchase your SSL certificates from?
Hi madknoxie, InstantSSL/Comodo are extremely competitive. Be aware that there is nothing instant about the process of obtaining a genuine certificate (in contrast to a trial certificate): <http://www.instantssl.com/> Note also that "Instant SSL is inherently trusted by 99.3% of the current Internet population. This makes Instant SSL as equally trusted as more expensive Certificates from Verisign and Thawte." You shouldn't need the pro/premium stuff. Though I'd love a wildcard certificate (otherwise you'd need two certificates to "secure" website.co.nz and www.website.co.nz. Think carefully about which domain name your customers use by default). Regards, Adam
Yeah, I was considering Comodo until I read these: http://www.sslreview.com/content/baltimore_sale.html http://www.whichssl.org/content/comodo_spam.html Thanks, I wondered what all the talk about a Wildcard was. In my case it shouldn't be much of an issue because I can just provide the entire URL as the link to the shopping cart.
Hi madknoxie, Interesting, thanks! The validity of the facts surrounding the targeted emails could be material: <http://www.instantssl.com/ssl-certificate-news/ssl-230603.html> It certainly appears to be true that Thawte screwed up and are replacing certificates: <http://www.thawte.com/serial_faq.html>. If Comodo uncovered this and only contacted affected customers then a public interest argument could be made that affected customers would want to know about this (I certainly would, but what's the urgency if it really took 9 months of investigation? Not letting Thawte inform their customers first was low: "We will be happy to pass our findings onto Thawte so that they can take the necessary remedial action to their certificate generation procedures.") The earlier link is also troubling. If Comodo goes then the only other options remaining like Thawte are far more expensive. I didn't come across anyone else with the same level of browser compatibility as Thawte and Verisign while also being vastly cheaper. I don't know how worried you should be about this. If Comodo is now the second largest certification authority in the world they should be able to work something out, even if it means losing the widest level of browser compatibility. Watch out when comparing prices. A US$49 FreeSSL.com certificate will not have the same level of trust support in browsers (it appears to be MSIE 5.01+ and Netscape 7 only, which may be sufficient for your purposes). If you find out about anyone else that can match the same level of compatibility as Verisign and Thawte but at a similar price to Comodo then let us know. Regards, Adam
Why not? If I go to your website to purchase something, all I'm really worried about is that no one can steal my CC number in transit. If they can compromise your machine enough to steal your certificate, they have access to your machine anyway, and presumably my CC number. Cheers, Cliff
Hi Enkidu, Cliff, I could use my computer to generate a certificate duplicating T-Boy's credentials. Then I hijack your DNS server so that when you type in T-Boy's website name you reach my server instead. The browser complains that it can't verify my self-signed certificate masquerading as T-Boy's just as it complains that it can't verify T-Boy's self-signed certificate. You won't tell the difference and I won't need to steal T-Boy's certificate. What self-signed certificates give you is encryption. They don't give you an assurance that you are talking to the computer you think you are talking to. Regards, Adam
If you don't need "other people" to trust it then you could have simply created and signed it yourself. The whole thing about root certificates etc is authentication. The encryption is just as good if you generate it yourself.
I have - of course! Sure - the encryption's fine - but there's no guarantee on certificate authenticity, hence it's not trustworthy - are we going round in circles here?
Uh yeah... like the Verisign-approved "microsoft.com" certificates which were generated by someone with nothing to do with MS. All a root-verified certificate shows is that you paid someone some money to countersign it. They DO NOT verify who you are.
I don't think that's the point. Security is about trade-offs, and nothing is 100%. I would still place more trust in a root-verified cert than a self-signed one. With a trusted cert the attacker has to both social engineer a cert AND hijack your DNS - without one they only have to hijack your DNS. It's one extra barrier. Discounting the value of a trusted cert is a little bit like not hardening your bastion hosts because they are behind a firewall. Cheers Anton
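Adam's point (a self-signed certificate with a copied name looks identical to the real thing) and Anton's point (a CA signature is the extra barrier a browser can actually check) can be shown with OpenSSL. This is an added example, not part of the thread: it builds a throwaway private CA standing in for a browser's root store, issues a certificate for the site name used earlier in the thread, then creates an impostor self-signed certificate with the identical subject and verifies both against the CA. All files, names and the CA are constructed for the demo.

```shell
#!/bin/sh
# Added demo: why a CA-signed certificate verifies and a same-name impostor does not.
# Everything here (the CA, the site name, the files) is constructed for illustration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SITE="www.website.co.nz"   # demo subject name only, taken from the thread

# 1. A throwaway root CA, playing the role of a CA in the browser's trust store.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. The genuine site: its own key and CSR, signed by the CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$SITE" \
  -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/site.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/site.crt" 2>/dev/null

# 3. The impostor: a self-signed certificate copying the subject name exactly.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$SITE" \
  -keyout "$WORK/impostor.key" -out "$WORK/impostor.crt" 2>/dev/null

# Subject name of a certificate; both certificates print the same CN.
cert_subject() {
  openssl x509 -noout -subject -in "$1" | sed 's/^subject=[ ]*//'
}

# "trusted" if the certificate chains to the given CA, "untrusted" otherwise.
# This is the check a browser performs against its built-in root store; the
# encryption would work with either certificate, only this check tells them apart.
verify_against_ca() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

echo "genuine  subject: $(cert_subject "$WORK/site.crt") -> $(verify_against_ca "$WORK/ca.crt" "$WORK/site.crt")"
echo "impostor subject: $(cert_subject "$WORK/impostor.crt") -> $(verify_against_ca "$WORK/ca.crt" "$WORK/impostor.crt")"
```

The two subjects print identically; only the chain check separates them, which is the barrier a DNS hijack alone cannot get past.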
IIRC that was due to a failure at MS not at Verisign - Someone got hold of the password for the root microsoft.com certificate, and was then able to generate new certificates that were "signed" by the microsoft.com root. I may be wrong, but that's my understanding of what happened. As a general rule they're pretty safe. The big authorities do a fair bit of work to ensure that you are who you say you are before they'll sign a certificate. You need to produce things like certificates of incorporation (or the local equivalent), validated proof of address, etc. It's not quick and easy, but you already know that Alan. -- Matthew Poole Auckland, New Zealand "Veni, vidi, velcro... I came, I saw, I stuck around" My real e-mail is mattATp00leDOTnet
I am a Thawte client and the serial number duplication had no effect on my business. Thawte's support was extremely efficient in implementing the re-issue as quickly as possible. Comodo on the other hand have given me the worst support I have received through any company.
Does anyone know the state of play for issuing client certs in NZ? So that users can authenticate themselves online to government websites and other "it's important we know who we're talking to" sites. I know the Bankers Association looked at this back in 2000. They asked PWC to recommend a way for the banks to cooperate (a la eftpos), rather than each bank duplicate the costs of the CA scheme. PWC said to the banks "it's too early to say" and then promptly brought out their own client cert scheme (beTRUSTED www.betrusted.com). The banks also wanted to be compatible with whatever their Aussie parents were doing (ie GateKeeper http://www.noie.gov.au/projects/confidence/Securing/Gatekeeper.htm) as well as what is happening internationally (ie Identrus www.identrus.com). I see the Aussies are progressing well, with some degree of tie-up between Identrus & Gatekeeper. About the only thing that we've seen locally is the flop that was ANZ's Zed card (www.zed.co.nz). Does anyone know more, or is NZ going to be forever in the dark regarding online authenticated services?
Hi T-Boy, By the way (and yes it's obvious to everyone with an ounce of common sense), my use of "I" in the reply was for rhetorical effect and in no way implies that I condone the approach or would use my computer to commit fraud. The most secure website credit card verification systems never even provide the credit card number to the merchant. The financial institution handles the transaction and lets the merchant know the result. It does mean that the credit card number has to be entered for subsequent transactions with the same merchant. But it also means that a criminal has less to gain from breaking into the merchant's servers. And the public relations issues arising out of any break-in are greatly minimised (telling all your customers their credit card numbers may have been compromised is not endearing). Regards, Adam
Remember that whichssl.org (and sslreview.com) are owned by Geotrust, whose main competitor is.... you guessed it, Comodo. The site is just a big, cunningly disguised, marketing and propaganda trick. Why do you think only Verisign and GeoTrust are listed as the "Top 2 Enterprise Class SSL Providers"? Verisign? Sure. GeoTrust? I'll leave it as an exercise for the reader to make up their own mind on this one...
But with a man-in-the-middle attack you don't know either! However, I accept that I'm losing this argument..... Cheers, Cliff