Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 4 months ago.
I'm looking through a variety of SSL providers, but they all seem to provide "email certificates" which can double as client-certs that can be installed into a browser.
Does any company actually sell client-certificates and know what they're talking about?
X509v3 certificates can be restricted to specific uses. Some S/MIME certificates are restricted so that they can't be used for websites, but most are not.
Thawte no longer issues client certificates. My certificate from 2003 had a "Cert Type" of "SSL Client, S/MIME" indicating that they could be used for both email and for client certificates. My certificate from April 27, 2009 had only a single constraint, that it could not be used as a Certificate Authority.
Apple's iChat encryption certificate can only be used for SSL Client. You get this automatically if you are a me.com customer and enable secure iChat.
You may find that it is easiest to issue your own certificates. Many people do this and it works quite well. You will need to have the user load your own key as a CA.
A client certificate is typically only meaningful in the context of a service that trusts it.
For example, when a Windows computer joins a domain, that client workstation generates a key pair (internally), the domain controller signs it, and that signed pair (which now becomes a cert, though not an X509 cert) is used internally by Windows. The cert is only meaningful to the domain controller.
Normally large organizations who run their own CA issue client certs to people who want to use SSL auth to access secure sites.
The reason that client certificates are probably rare on the internet at large is the revocation problem. For Thawte to issue you (personally) a client cert would mean that they would have to be responsible for managing revocation for it. In order for it to be cost effective, there would be a large number of certs out there, and they would constantly be getting revoked, since individuals constantly have individual security lapses.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 5 years ago.
I built a simple website for my mother's business. There is no login, database, or any sort of form or payment happening on the site. I do not have an SSL Certificate and was wondering if a self-signed one offered by cPanel hosting would suffice? I would hate to shell out money for encryption I don't need yet. The main reason I need it is so that the browsers stop blocking my https connection. Any information I can get on this would be a big help.
Rather than selecting a self-signed SSL Certificate, you better go with the Free/Trial SSL Certificate offered by some of world's leading SSL Certificate authorities like Comodo, Symantec and RapidSSL.
Why not a Self-Signed SSL Certificate?
Not accepted by most browsers
Browser will display untrusted connection error message
Why Free/Trial SSL Certificate?
Compatible with multiple servers and operating system platforms.
Accepted by 99.9% of web and mobile browsers (No Error after installation)
It will give trust and confidence to users as the SSL is from verified SSL authority
Increases website reputation over internet.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 8 years ago.
Our company recently implemented Zscaler proxy filtering, which I just learned uses a root certificate pushed out to all of our machines to forge SSL certificates for mitm filtering of our traffic. Personally I'm not happy about this, but we do a lot of sensitive work, so I'm not going to complain.
But now I'm noticing they don't seem to be doing it consistently. For instance, if I go to Facebook on the work network, the certificate is signed by Zscaler Intermediate Root CA, which clearly means it's been compromised. But if I go to, say, my bank, it says it's signed by Verisign. Am I right in thinking that means the bank connection has not been intercepted and is still end to end encrypted?
Zscaler allows the administrator to configure which sites/domains/categories will or will not be decrypted for inspection. It sounds like your admins have disabled SSL decryption sites in the finance category, and thus traffic to your bank is not being decrypted, whilst traffic to Facebook is.
As far as determining which traffic is and is not being decrypted you are exactly right - check the SSL certificate and if it's signed by the Zscaler certificate then the traffic is being Man-In-The-Middle'ed. If it's signed by any other certificate (including Verisign/etc) then it's NOT being MITM'ed.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
I am a bit confused in understanding the SSL Certificate validation by Web Browsers.
Looking at the certificate which I see in Firefox after connecting to google.com, it actually has three certificates in a chain:
1) GeoTrust Global CA [I guess this is root certificate]
2) Google Internet Authority G2
3) *.google.com
I know that 3 is issued by 2 and 2 is issued by 1. 1 is self-issued.
So, it means Google is sending a certificate chain to the browser. How does the browser validate all three certificates?
Is the order of validation 3->2->1 or 1->2->3 ? I don't think *.google.com will be present in Firefox's trusted certificate list as it cannot store all such website specific certificates.
What is the exact computation done by the browser to establish the trust for the certificate ?
The browser is initially set up with a set of trust anchors (the CA certificates it trusts). What these are may depend on the operating system or installation.
One of these trust anchors is GeoTrust Global CA.
When connecting to www.google.com, the server sends its certificate chain, *.google.com and Google Internet Authority G2.
The browser then verifies that *.google.com was indeed signed by Google Internet Authority G2. It then looks for the issuer of Google Internet Authority G2 and tries to match it with the subject of one of the trust anchors it knows (GeoTrust Global CA). When it has found a match, it also verifies the signature of Google Internet Authority G2 using GeoTrust Global CA's public key.
There's a bit more to it than that: checking validity in time and various usage attributes.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
What I want to do is making my website available via https without getting these browser warning that the site is not trusted.
I created an SSL certificate for my domain and configured Apache webserver to use it in default-ssl. Calling my site with https:// works, but in every browser on every device I get the message that no issuer chain was provided. In Firefox it looks like:
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
What did I understand wrong with SSL?
The certificate you get is not directly signed by the Root-CA, but by an intermediate CA, which by itself got signed by the Root-CA. You have to add this intermediate CA to the certificates your server sends to the client, because the client only trusts the Root-CA and does not know the intermediate CA.
The process is described in various places, like https://eldon.me/?p=34
You say Startcom SSL - do you mean the free one? If so - that's a normal and important behavior of these browsers (well, your free certificate isn't validated - no proof that this certificate really belongs to you). I actually hope there is no way around that.
Don't get me wrong - CAs have their advantages as well as disadvantages. What you could do for your users is take part in the web of trust, yet it won't help on that topic.
What you personally can do, is view the certificate (when the warning is displayed - don't directly click for a temporary exception) and then, there is an option to permanently save an exception for that certificate.
But you have to do that on every browser (once) and just works for you, every other user visiting the site has to do the same.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
I want to buy a 128bit SSL certificate for a website selling services. I checked http://www.rapidssl.com/ssl-certificate-products/ssl-certificate.htm and http://www.geotrust.com/ssl/compare-ssl-certificates.html. Why are the prices for QuickSSL (Geotrust, $249) and RapidSSL (rapidSSL, $69) so different? Is there any particular reason for this or it's just marketing?
RapidSSL says the following:
However it is our opinion that sites conducting more than 50 transactions will require a Professional Level SSL certificate due to the increased likelihood that the website's customers will expect SSL from a highly credible and established SSL provider and well known internationally accepted SSL brand.
(by "professional level SSL" they mean Geotrust certs)
P.S. will users really pay attention to the SSL issuing authority brand name?
The job of the SSL certificate authority(CA)/provider is to validate your organizational identity so that when customers access your web site, they not only get the padlock for security, but they know that your identity as the fully qualified hostname are authentic and not some phishing scam.
True, most all users look no further than the padlock indicating secure connection to their bank web site, email, etc. However, if any CA were to become compromised, all browsers who trust that CA would be vulnerable, because an attacker could forge a certificate for any domain, including yours. Your choice of certificate provider has no bearing on this. I have yet to hear about this actually happening. MITM attacks are a big deal now with wireless hotspots becoming more and more prevalent.
One more thing is browser compatibility. You would expect that your newly purchased cert be compatible with every modern browser. This is because they are all loaded with a list of root CA certs that trust a select list of SSL certificate authorities. If you buy from a CA that is not on that list, all your client browsers will get a security warning that the site's cert is not trusted. Just double-check that RapidSSL, Geotrust, or whoever you go with is in the list of all the browsers you care about. (e.g. for Firefox, it's at Tools/Options/Advanced/Encryption/View Certificates/Authorities tab)
In the end, just get the cheapest one that gives you the level of encryption you want. It'll get the job done. Check with your web host provider. They may have discounts.
To clarify, both are owned by Geotrust(R). One difference is that Geotrust certificates use the "Geotrust" root, and RapidSSL certificates use the "Equifax" root, which will be shown in the certificate info under "Issued by".
I know this has an accepted answer already, but there is another aspect.
The more expensive SSL certificates usually have a better warranty when it comes to fraud. A lower cost SSL cert may cover $10,000 worth of fraud whereas a higher cost SSL cert may cover you for $100,000, for example.
They both do the same job, just brand perception I guess.
Honestly I don't think the end user would even notice. As long as they see the little padlock they will be happy.
P.S. GoDaddy certs are cheaper.
This has a good overview of the RapidSSL faqs.
This will give you the same for the QuickSSL.
The main difference in these certificates is the amount of verification during purchase. The encryption is basically the same for both.
As for the warranty mentioned above, as far as I understand this is a warranty to the "end user" in case the certificate authority issues a certificate to a fraudulent person/domain. It is not a warranty to the website owner.
Pretty late to the game but there is one other detail worth noting here--RapidSSL is not on IE8's list of trusted authorities.