SSL Certificates

Discussion in 'NZ Computing' started by madknoxie, Oct 27, 2003.

  1. madknoxie Guest

    I'm very interested to know: where do you get/purchase your SSL
    certificates from?
    madknoxie, Oct 27, 2003

  2. Adam Warner Guest

    Hi madknoxie,
    InstantSSL/Comodo are extremely competitive. Be aware that there is
    nothing instant about the process of obtaining a genuine certificate (in
    contrast to a trial certificate): <>

    Note also that "Instant SSL is inherently trusted by 99.3% of the current
    Internet population. This makes Instant SSL as equally trusted as more
    expensive Certificates from Verisign and Thawte."

    You shouldn't need the pro/premium stuff. Though I'd love a wildcard
    certificate (otherwise you'd need two certificates to "secure" and Think carefully about which domain
    name your customers use by default).

    Adam Warner, Oct 27, 2003

  3. madknoxie Guest

    Yeah, I was considering Comodo until I read these:

    Thanks, I wondered what all the talk about a Wildcard was. In my case it
    shouldn't be much of an issue because I can just provide the entire URL
    as the link to the shopping cart..
    madknoxie, Oct 27, 2003
  4. Adam Warner Guest

    Hi madknoxie,
    Interesting, thanks! The validity of the facts surrounding the targeted
    emails could be material:

    It certainly appears to be true that Thawte screwed up and are replacing
    certificates: <>. If Comodo uncovered
    this and only contacted affected customers then a public interest argument
    could be made that affected customers would want to know about this (I
    certainly would, but what's the urgency if it really took 9 months of
    investigation? Not letting Thawte inform their customers first was low:
    "We will be happy to pass our findings onto Thawte so that they can take
    the necessary remedial action to their certificate generation

    The earlier link is also troubling. If Comodo goes then the only other
    options remaining like Thawte are far more expensive. I didn't come across
    anyone else with the same level of browser compatibility as Thawte and
    Verisign while also being vastly cheaper.

    I don't know how worried you should be about this. If Comodo is now the
    second largest certification authority in the world they should be able to
    work something out, even if it means losing the widest level of browser

    Watch out when comparing prices. A US$49 certificate will not
    have the same level of trust support in browsers (it appears to be MSIE
    5.01+ and Netscape 7 only, which may be sufficient for your purposes). If
    you find out about anyone else that can match the same level of
    compatibility as Verisign and Thawte but at a similar price to Comodo then
    let us know.

    Adam Warner, Oct 27, 2003
  5. T-Boy Guest

    I got mine from my PC - W2K Pro - but then I'm not asking "other
    people" to trust it.
    T-Boy, Oct 27, 2003
  6. Enkidu Guest

    Why not? If I go to your website to purchase something, all I'm really
    worried about is that no one can steal my CC number in transit. If
    they can compromise your machine enough to steal your certificate,
    they have access to your machine anyway, and presumably my CC number.


    Enkidu, Oct 27, 2003
  7. Adam Warner Guest

    Hi Enkidu,
    Cliff, I could use my computer to generate a certificate duplicating
    T-Boy's credentials. Then I hijack your DNS server so that when you type
    in T-Boy's website name you reach my server instead. The browser complains
    that it can't verify my self-signed certificate masquerading as T-Boy's
    just as it complains that it can't verify T-Boy's self-signed certificate.
    You won't tell the difference and I won't need to steal T-Boy's

    What self-signed certificates give you is encryption. They don't give you
    an assurance that you are talking to the computer you think you are
    talking to.

    Adam Warner, Oct 27, 2003
  8. synergy56 Guest

    If you don't need "other people" to trust it then you could have
    simply created and signed it yourself.

    The whole thing about root certificates etc is authentication. The
    encryption is just as good if you generate it yourself.
    synergy56, Oct 27, 2003
  9. T-Boy Guest

    .... what Adam said :)
    T-Boy, Oct 27, 2003
  10. T-Boy Guest

    I have - of course!
    Sure - the encryption's fine - but there's no guarantee on certificate
    authenticity, hence it's not trustworthy - are we going round in circles
    here :)
    T-Boy, Oct 27, 2003

  11. Uh yeah... like the Verisign - approved "" certificates which
    were generated by someone with nothing to do with MS.

    All a root-verified certificate shows is that you paid someone some money
    to countersign it. They DO NOT verify who you are.
    Uncle StoatWarbler, Oct 27, 2003
  12. Nor do root-signed certificates. There is virtually no auditing on them.
    Uncle StoatWarbler, Oct 27, 2003
  13. AD. Guest

    I don't think that's the point. Security is about trade-offs, and nothing
    is 100%.

    I would still place more trust in a root-verified cert than a self signed
    one. With a trusted cert the attacker has to both social engineer a cert
    AND hijack your DNS - without one they only have to hijack your DNS. It's
    one extra barrier.

    Discounting the value of a trusted cert, is a little bit like not
    hardening your bastion hosts because they are behind a firewall.

    AD., Oct 27, 2003
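The two checks a browser actually performs (does the certificate chain to a trusted root, and does it name the host I asked for) are what separate AD.'s "one extra barrier" from a self-signed certificate, and the same checks decide how far a wildcard certificate of the kind Adam Warner mentions reaches. The following script is an added example, not something posted in the thread: it builds a throwaway private CA standing in for a commercial one, issues certificates from it, self-signs two more for the same hostname (the site owner's and an impostor's), and runs every combination through `openssl verify`. All names (shop.example, attacker.example, *.example.com, "Demo Root CA") and file paths are constructed for the demo; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the thread. A throwaway private CA, CA-issued
# certificates, two self-signed certificates for the same hostname and a
# CA-issued wildcard certificate, all put through the chain + hostname
# checks a browser performs. Needs the openssl CLI (1.1.x or later for
# -verify_hostname). Every name below is constructed for the demo.

WORK="${WORK:-$(mktemp -d)}"

# Throwaway root CA; for the demo it plays the part a commercial CA would.
make_ca() {
    [ -f "$WORK/ca.pem" ] && return 0
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Key pair + CSR for DNS name $2, stored under label $1 (labels keep '*' out of paths).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$1.ext"
}

# The CA countersigns the CSR: only a holder of ca.key can produce this file.
issue_from_ca() {
    openssl x509 -req -days 30 -sha256 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.ca-signed.pem" 2>/dev/null
}

# Self-signing needs nothing but the requester's own key, so anyone can
# produce one for any name; it proves nothing about who holds it.
self_sign() {
    openssl x509 -req -days 30 -sha256 -in "$WORK/$1.csr" \
        -signkey "$WORK/$1.key" -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.self-signed.pem" 2>/dev/null
}

# Does certificate $1 chain to the trusted root? Exit status 0 means yes.
chains_to_root() {
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# Chain AND hostname check for host $2: the decision a browser makes.
trusted_for_host() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

build_demo_certs() {
    make_ca
    make_csr shop     shop.example     && issue_from_ca shop
    make_csr attacker attacker.example && issue_from_ca attacker
    make_csr owner    shop.example     && self_sign owner
    make_csr impostor shop.example     && self_sign impostor
    make_csr wild     '*.example.com'  && issue_from_ca wild
}

# Print the outcome of a check without aborting the demo on rejection.
show() {
    label="$1"; shift
    if "$@"; then echo "accepted  $label"; else echo "rejected  $label"; fi
}

build_demo_certs
show "CA-issued cert for shop.example, visiting shop.example"      trusted_for_host "$WORK/shop.ca-signed.pem" shop.example
show "DNS hijack alone: attacker's own CA cert shown for shop.example" trusted_for_host "$WORK/attacker.ca-signed.pem" shop.example
show "owner's self-signed cert for shop.example"                   chains_to_root "$WORK/owner.self-signed.pem"
show "impostor's self-signed cert for shop.example"                chains_to_root "$WORK/impostor.self-signed.pem"
show "wildcard *.example.com, visiting www.example.com"            trusted_for_host "$WORK/wild.ca-signed.pem" www.example.com
show "wildcard *.example.com, visiting bare example.com"           trusted_for_host "$WORK/wild.ca-signed.pem" example.com
```

The two self-signed certificates are rejected identically, which is the point Adam Warner made earlier: a user who has been trained to click past the warning for the owner's certificate cannot tell the impostor's apart. A redirected DNS entry on its own also fails, because the only CA-issued certificate the attacker can present names attacker.example rather than the host the browser asked for. The last two lines show why a wildcard saves a second certificate for subdomains but still does not cover the bare domain.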
  14. T-Boy Guest

    Yes they do.

    You know damn well this was a Verisoft screw up.
    T-Boy, Oct 27, 2003
  15. IIRC that was due to a failure at MS not at Verisign - Someone got hold
    of the password for the root certificate, and was then
    able to generate new certificates that were "signed" by the root. I may be wrong, but that's my understanding of what
    As a general rule they're pretty safe. The big authorities do a fair
    bit of work to ensure that you are who you say you are before they'll
    sign a certificate. You need to produce things like certificates of
    incorporation (or the local equivalent), validated proof of address,
    etc. It's not quick and easy, but you already know that Alan.

    Matthew Poole Auckland, New Zealand
    "Veni, vidi, velcro...
    I came, I saw, I stuck around"

    My real e-mail is mattATp00leDOTnet
    Matthew Poole, Oct 27, 2003
  16. Zidoo Guest

    I am a Thawte client and the serial number duplication had no effect
    on my business. Thawte's support was extremely efficient in
    implementing the re-issue as quickly as possible. Comodo on the other
    hand have given me the worst support I have received through any
    Zidoo, Oct 27, 2003
  17. Howard Guest

    Does anyone know the state of play for issuing client certs in NZ? So that
    users can authenticate themselves online to government websites and other
    "it's important we know who we're talking to" sites.

    I know the Bankers Association looked at this back in 2000. They asked PWC
    to recommend a way for the banks to cooperate (a la EFTPOS), rather than
    each bank duplicate the costs of the CA scheme. PWC said to the banks "it's
    too early to say" and then promptly brought out their own client cert scheme

    The banks also wanted to be compatible with whatever their Aussie parents
    were doing (ie GateKeeper as well
    as what is happening internationally (ie Identrus I see
    the Aussies are progressing well, with some degree of tie-up between Identrus
    & Gatekeeper.

    About the only thing that we've seen locally is the flop that was ANZ's Zed
    card ( Does anyone know more, or is NZ going to be forever in
    the dark regarding online authenticated services?
    Howard, Oct 28, 2003
  18. Adam Warner Guest

    Hi T-Boy,
    By the way (and yes it's obvious to everyone with an ounce of common
    sense), my use of "I" in the reply was for rhetorical effect and in no way
    implies that I condone the approach or would use my computer to commit

    The most secure website credit card verification systems never even
    provide the credit card number to the merchant. The financial institution
    handles the transaction and lets the merchant know the result. It does
    mean that the credit card number has to be entered for subsequent
    transactions with the same merchant. But it also means that a criminal has
    less to gain from breaking into the merchant's servers. And the public
    relations issues arising out of any break in are greatly minimised
    (telling all your customers their credit card numbers may have been
    compromised is not endearing).

    Adam Warner, Oct 28, 2003
  19. Gurble Guest

    Remember that (and are owned by Geotrust,
    whose main competitor is.... you guessed it, Comodo.

    The site is just a big, cunningly disguised, marketing and propaganda
    trick. Why do you think only Verisign and GeoTrust are listed as the
    "Top 2 Enterprise Class SSL Providers"? Verisign? Sure. GeoTrust? I'll
    leave it as an exercise for the reader to make up their own mind on
    this one...
    Gurble, Oct 28, 2003
  20. Enkidu Guest

    But with a man-in-the-middle attack you don't know either!

    However, I accept that I'm losing this argument.....


    Enkidu, Oct 28, 2003
