This is a discussion on HTTPS configuration within the Apache Web Server forums, part of the Web Server and Related Forums category.

Aaron Gray wrote:
> Does HTTPS need to be certificated by some body like VeriSign ?
>
> Or can it be setup without such certification ?
>
> Aaron

You can self sign, it provides the same level of encryption and therefore protection, however it cannot be trusted in the same manner, so trusted 3rd party signing is best. If a self signed certificate is used then the client's user agent will pop up a warning that the certificate is issued by a company you have not chosen to trust, which will put people off using it.
However if you are an intranet admin, or your users trust you, that's not an issue.
One more thing, if you are a sys admin and you have the ability to place trust in your certificate on behalf of your users, then you can add your self-signed certificate into the browsers' trusted list. This is done by many businesses who wish to spy on their users:
create cert,
use a LAN script to trust it,
place cert on proxy/gateway server on LAN through which all users get internet access,
make SSL on users' behalf to internet, then again to users' browser,
leaving you free to read the unencrypted data on the gateway/proxy.

"shimmyshack" <matt.farey@gmail.com> wrote in message
news:1168998763.478546.57260@m58g2000cwm.googlegroups.com...
>
> Aaron Gray wrote:
>> Does HTTPS need to be certificated by some body like VeriSign ?
>>
>> Or can it be setup without such certification ?
>>
>> Aaron
>
> you can self sign, it provides the same level of encryption and
> therefore protection, however it cannot be trusted in the same manner,
> so trusted 3rd party signing is best. If a self signed certificate is
> used then the client's user agent will pop up a warning that the
> certificate is issued by a company you have not chosen to trust. Which
> will put people off using it.
> However if you are an intranet admin, or your users trust you, that's
> not an issue.
> One more thing, if you are a sys admin and you have the ability to
> place trust in your certificate on behalf of your users, then you can
> add your self-signed certificate into the browsers trusted list. This
> is done by many businesses who wish to spy on their users.
> create cert,
> use a LAN script to trust it,
> place cert on proxy/gateway server on LAN through which all users get
> internet access
> make SSL on users behalf to internet, then again to users browser,
> leaving you free to read on unencrypted data on the gateway/proxy

So are there any 3rd party signing companies or organizations setup for Open Source or community operations ?

And with VeriSign is it per 1st party website OR server ?

Many TIA,

Aaron

Aaron Gray wrote:
> "shimmyshack" <matt.farey@gmail.com> wrote in message
> news:1168998763.478546.57260@m58g2000cwm.googlegroups.com...
> >
> > Aaron Gray wrote:
> >> Does HTTPS need to be certificated by some body like VeriSign ?
> >>
> >> Or can it be setup without such certification ?
> >>
> >> Aaron
> >
> > you can self sign, it provides the same level of encryption and
> > therefore protection, however it cannot be trusted in the same manner,
> > so trusted 3rd party signing is best. If a self signed certificate is
> > used then the client's user agent will pop up a warning that the
> > certificate is issued by a company you have not chosen to trust. Which
> > will put people off using it.
> > However if you are an intranet admin, or your users trust you, that's
> > not an issue.
> > One more thing, if you are a sys admin and you have the ability to
> > place trust in your certificate on behalf of your users, then you can
> > add your self-signed certificate into the browsers trusted list. This
> > is done by many businesses who wish to spy on their users.
> > create cert,
> > use a LAN script to trust it,
> > place cert on proxy/gateway server on LAN through which all users get
> > internet access
> > make SSL on users behalf to internet, then again to users browser,
> > leaving you free to read on unencrypted data on the gateway/proxy
>
> So are there any 3rd party signing companies or organizations setup for Open
> Source or community operations ?
>
> And with VeriSign is it per 1st party website OR server ?
>
> Many TIA,
>
> Aaron

A very good question, I've never looked into that myself, however in terms of being "free" I doubt it. You never know, but the quality of the 3rd party's level of trust is that when you create the Certificate Sign Request, they DO check everything. Only if they are satisfied you are who you claim, and so on, will you get the signature, which means it costs real money to guarantee that the signature is trustworthy.
Thawte run a system whereby for email certificates you can prove to a number of individuals that you are who you say on your sig, and that you own that email address; once enough people verify your passport etc. you get your cert for nothing, and then get points enough to start signing others' certs.
However this system is a peer to peer system relying on people giving up real time and energy to help others.
It might exist for server certs, I don't know; if you find such a way, post back here please.
The cert is per domain, rather than per IP: think about a virtual host setup, someone on there (who has the same IP) might have a signed cert, but you are still not able to use SSL on your domain name. Certs are valid for a period of time (usually a year) and then they need to be redone, else you see another "expired" popup.

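The points made in the two replies above (a self-signed cert gives the warning until it is placed in the trust list, a cert is bound to a domain name, and it expires after its validity period), shown with the openssl CLI as an added example that is not from the thread or from Apache. The host name intranet.example.test, the file names and the temporary directory are constructed for this example.

```shell
# Added example, not from the thread: the openssl CLI showing why a
# self-signed cert fails verification by default, why it passes once added
# as a trust anchor (the intranet case) but only for the host name it was
# issued to, and how its validity period is checked. Names are constructed.
set -eu
WORK="$(mktemp -d)"
CERT="$WORK/selfsigned.pem"
KEY="$WORK/selfsigned.key"
trap 'rm -rf "$WORK"' EXIT

# Self-sign: the subject signs its own certificate, so issuer == subject.
# The SAN extension is what modern browsers match the host name against.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=intranet.example.test" \
        -addext "subjectAltName=DNS:intranet.example.test" \
        -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# "self-signed" when issuer and subject are identical, else "ca-signed".
classify_cert() {
    subj=$(openssl x509 -in "$CERT" -noout -subject)
    iss=$(openssl x509 -in "$CERT" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] && echo self-signed || echo ca-signed
}

# Against the system trust store: fails, i.e. the browser's "not chosen to trust" warning.
verify_default() {
    openssl verify "$CERT" >/dev/null 2>&1 && echo trusted || echo untrusted
}

# Cert itself as trust anchor (the pushed-out trust list) plus the host name being visited.
verify_as_anchor() {
    openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" \
        >/dev/null 2>&1 && echo trusted || echo untrusted
}

# "valid" if the cert is still valid $1 seconds from now, else "expiring".
check_expiry() {
    openssl x509 -in "$CERT" -noout -checkend "$1" >/dev/null 2>&1 \
        && echo valid || echo expiring
}

make_self_signed
echo "type:       $(classify_cert)"
echo "system CA:  $(verify_default)"
echo "own anchor: $(verify_as_anchor intranet.example.test)"
echo "other name: $(verify_as_anchor www.example.test)"
echo "in 2 years: $(check_expiry 63072000)"
```

The "other name" line fails even with the cert trusted, which is the per-domain point: the same certificate cannot serve a second virtual host name.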
>> So are there any 3rd party signing companies or organizations setup for
>> Open Source or community operations ?
>
> Thawte run a system whereby for email certificates you can proove to a
> number of individuals that you are who you say on your sig, and that
> you own that email address, once enough people verify your passport
> etc.. you get your cert for nothing, and then get points enough to
> start signing others certs.
> However this system is a peer to peer system relying on people giving
> up real time and energy to help others.
> It might exist for server certs I dont know, if you find such a way,
> post back here please.

Okay, am looking for a peer to peer solution. Maybe GNU or FSF should offer such a service ?

Many thanks for the info.

Aaron