This is a discussion on "successfully installed openssl on hosted server - host says there is no security unless I buy separate certificate - is that right?" within the Linux Security forums, part of the System Security and Security Related category.

I successfully installed openssl on hosted server. The host company says that offers no security or encryption unless I buy a certificate from them or a third party like verisign.

If I try to open my site using httpS://, a prompt pops up telling me the cert is not certified by anyone and do I want to accept it.

I accept it and there is a locked key in the browser.

Is the traffic encrypted (thus the tech is wrong)?

It is interesting in that the hosting company's login has the SAME prompt when logging in.

NotGiven wrote:
> I successfully installed openssl on hosted server. The host company says
> that offers no security or encryption unless I buy a certificate from them
> or a third party like verisign.
>
> If I try to open my site using httpS://, a prompt pops up telling me the
> cert is not certified by anyone and do I want to accept it.

This is standard (and "the" standard) behavior. I.e., do _you_ trust that this is a legit cert?

> I accept it and there is a locked key in the browser.

And the protocol in the browser's url is https -- note the added "s" (as in secure) -- so long as you're using ssl/https.

> Is the traffic encrypted (thus the tech is wrong)?

The tech is clueless :-) Try sniffing the traffic with ethereal.

> It is interesting in that the hosting company's login has the SAME prompt
> when logging in.

Anyone can generate a certificate with whatever location, etc. info they please. The purpose of a "trusted" third party is to _verify_ that the certificate "owner" is who they say they are and that they are relatively trustworthy (i.e., sufficient score on credit report and/or authorized to request certificate verification on behalf of the organization).

For your own use (or a relatively small number of people) there is no reason to obtain some "seal of approval" from a third party. In fact, you might be surprised how many organizations have not renewed their expired certs.

hth,
prg
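
Added example (not part of the original thread or any poster's words): the points in the reply above can be checked with the openssl command line itself. The script mints a self-signed certificate, shows that it fails verification against the system CA store but verifies when pinned as its own root, and completes a loopback TLS handshake that negotiates a cipher despite the verify error. It assumes the openssl CLI is on PATH and loopback port 44330 is free; the subject fields and file names are constructed.

```shell
#!/bin/sh
# Added example; subject fields, port and file names are constructed for the demo.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PORT=${PORT:-44330}

# Anyone can mint a certificate carrying whatever subject fields they please.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/C=US/O=Example Org/CN=localhost" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Self-signed: issuer and subject are the same name, so no third party vouches.
is_self_signed() {
  s=$(openssl x509 -in "$WORK/cert.pem" -noout -subject | sed 's/^subject= *//')
  i=$(openssl x509 -in "$WORK/cert.pem" -noout -issuer | sed 's/^issuer= *//')
  if [ -n "$s" ] && [ "$s" = "$i" ]; then echo yes; else echo no; fi
}

# Chain check: no argument uses the system CA store (what the browser prompt
# reflects); a file argument makes that file the only trusted root (pinning).
chain_verifies() {
  if [ -n "${1:-}" ]; then set -- -CAfile "$1"; fi
  if openssl verify "$@" "$WORK/cert.pem" 2>&1 | grep -q ': OK$'
  then echo yes; else echo no; fi
}

# Loopback TLS handshake: negotiated cipher plus the client's verify result.
handshake_report() {
  openssl s_server -accept "$PORT" -www \
    -cert "$WORK/cert.pem" -key "$WORK/key.pem" >/dev/null 2>&1 &
  pid=$!
  sleep 1
  out=$(openssl s_client -connect "127.0.0.1:$PORT" </dev/null 2>/dev/null || true)
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*Cipher is //p' | head -n 1)
  code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
  echo "cipher=${cipher:-none} verify=${code:-none}"
}

make_self_signed
echo "self-signed:     $(is_self_signed)"
echo "system CA store: $(chain_verifies)"
echo "pinned as root:  $(chain_verifies "$WORK/cert.pem")"
echo "handshake:       $(handshake_report)"
```

Verify code 18 is OpenSSL's self-signed-certificate error; the cipher on the same line shows the session is encrypted even though nobody has vouched for the certificate's owner.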

"prg" <rdgentry1@cablelynx.com> wrote in message news:1135032922.921937.36430@z14g2000cwz.googlegroups.com...
>
> NotGiven wrote:
>> I successfully installed openssl on hosted server. The host company says
>> that offers no security or encryption unless I buy a certificate from
>> them or a third party like verisign.
>>
>> If I try to open my site using httpS://, a prompt pops up telling me the
>> cert is not certified by anyone and do I want to accept it.
>
> This is standard (and "the" standard) behavior. I.e., do _you_ trust
> that this is a legit cert?
>
>> I accept it and there is a locked key in the browser.
>
> And the protocol in the browser's url is https -- note the added "s"
> (as in secure) -- so long as you're using ssl/https.
>
>> Is the traffic encrypted (thus the tech is wrong)?
>
> The tech is clueless :-) Try sniffing the traffic with ethereal.
>
>> It is interesting in that the hosting company's login has the SAME prompt
>> when logging in.
>
> Anyone can generate a certificate with whatever location, etc. info
> they please. The purpose of a "trusted" third party is to _verify_
> that the certificate "owner" is who they say they are and that they are
> relatively trustworthy (i.e., sufficient score on credit report and/or
> authorized to request certificate verification on behalf of the
> organization).
>
> For your own use (or a relatively small number of people) there is no
> reason to obtain some "seal of approval" from a third party. In fact,
> you might be surprised how many organizations have not renewed their
> expired certs.
>
> hth,
> prg

Thanks!