# Thursday, March 24, 2005

Free SSL Cert?

OK, these guys have some questions:

Do you have a website or run even a web server and want to secure the traffic between your visitor's browser and the web site? Did you find out that, in order to make your site SSL aware, you'll need an SSL (Secure Sockets Layer) certificate? Were you also surprised to find out that such a certificate can cost you hundreds of dollars, and that they are only valid for one year? For what, you might ask yourself?

[ StartCom Free SSL Certificate Project ]

And basically the answer is that if they don't check people out, anyone can get an SSL certificate, and the little lock will mean nothing more than that the traffic is encrypted. Part of what the lock is supposed to provide is third-party confirmation of who you are dealing with. Clearly, installing their root certificate will make your machine somewhat more gullible: when you see the wee lock, you won't know for sure that you are dealing with the company the site says it is.

However, they also point out that few people fully understand all of that stuff, and that CAs don't check much before issuing a certificate. Most importantly for web developers, this means the availability of a true, valid, painless SSL certificate for localhost for all of your development needs. Now that's something to get excited about.

Update: StartCom has asked me to "check out our project again", as they have increased their offerings and my above statement is no longer true.

Comments [2]
Thursday, March 24, 2005 2:01:41 PM (Eastern Standard Time, UTC-05:00)
Actually, I was faced with a situation here at work that required the use of SSL. For the longest time at my old job, we did development with a bit that would specify if the site was on the production server or not, and would only use SSL if it was on the production server. This ultimately led to untested code being put on the server and when the bit was "flipped" there were suddenly SSL issues that never showed up in testing. I hated this, but getting a Cert to install locally was a PITA or expensive, usually clients didn't have that budget, additionally each cert requires its own IP since host headers cannot work if the request is encrypted (IIS really should know how to handle it, but I digress). So I started requesting development IP addresses for sites that require SSL, but I was still faced with the cert issue. Usually I would just install the cert intended for the site on the dev site with a different name, and then I would get the error about the name not being correct. But then I discovered MakeCert.exe, an application that you can pass a ton of parameters to in order to create a cert that you can install on the server. Pretty sweet. Then if you have control over your local domain policy in your network, just add your provider (that you are generating) to the trusted providers. Then any cert you create will automatically be trusted internally, and you control the whole thing, no outside place needed.

http://www.inventec.ch/chdh/notes/14.htm
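
The approach described in the comment above (your own certificate authority, trusted internally, issuing certificates for development hosts), as an added example that is not from the original post or its commenters. It uses OpenSSL rather than MakeCert.exe; the subject names, file names and 30-day lifetimes are assumptions made for the example.

```shell
#!/bin/sh
# Constructed example: a private development CA and a localhost certificate.
# Subject names, file names and lifetimes are made up for this example.

write_config() {  # $1 = working directory
    cat > "$1/dev.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost,IP:127.0.0.1
EOF
}

make_dev_ca() {  # $1 = working directory; writes ca.key and ca.crt
    write_config "$1" &&
    openssl req -x509 -config "$1/dev.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Dev Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_leaf() {  # $1 = directory holding the CA; writes leaf.key and leaf.crt
    openssl req -new -config "$1/dev.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=localhost" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -sha256 -days 30 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/dev.cnf" -extensions v3_leaf \
        -out "$1/leaf.crt" 2>/dev/null
}

chain_ok() {  # $1 = trusted CA file, $2 = leaf, $3 = host name the client asked for
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

work=$(mktemp -d) && make_dev_ca "$work" && issue_leaf "$work" || exit 1
chain_ok "$work/ca.crt" "$work/leaf.crt" localhost       && echo "localhost: trusted"
chain_ok "$work/ca.crt" "$work/leaf.crt" www.example.com || echo "www.example.com: name mismatch"
```

Only `ca.crt` goes into the internal trust store. `ca.key` can sign a certificate for any name those machines will then accept, so it stays off shared hosts.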
Tuesday, May 17, 2005 8:27:11 PM (Eastern Standard Time, UTC-05:00)
StartCom Free SSL Project does verify if you are the owner of the domain name or IP address for the requested certificate, which is enough for secure encryption. Others charge almost $100 for the same service...