Bitcoin Forum

Other => Off-topic => Topic started by: turlando on June 11, 2011, 03:29:26 PM



Title: Encrypted HTTP client-server connection
Post by: turlando on June 11, 2011, 03:29:26 PM
Hi there,
I'm writing the code for a pool, but I am sure that some information needs to be transferred over a secure connection to the server. Most pools use an SSL certificate to make the connection secure: how much could it cost? Initially I thought that I could use JavaScript to encrypt the password field with SHA-2 in the form before sending it to the server, but there is other information that I can't send in encrypted form, such as the bitcoin address of every user. So I found this (http://assl.sullof.com/assl/) but I am not very convinced by it. Are there other ways? Which is the best?

Thanks,
turlando.


Title: Re: Encrypted HTTP client-server connection
Post by: WilliamJohnson on June 11, 2011, 03:49:45 PM
It depends on where you decide to buy your certificate.

StartSSL (http://www.startssl.com/) delivers free SSL certificates. Their root CA certificate is accepted by all browsers, as far as I know.
Their cheapest paid-for certificate costs $60 and is valid for 2 years. (It's not that expensive IMHO)


Title: Re: Encrypted HTTP client-server connection
Post by: turlando on June 11, 2011, 03:55:13 PM
Quote from: WilliamJohnson
StartSSL (http://www.startssl.com/) delivers free SSL certificates.
Like a self-signed certificate? And so completely useless?


Title: Re: Encrypted HTTP client-server connection
Post by: WilliamJohnson on June 11, 2011, 03:59:00 PM
Nope, they sign it. They're a Certification Authority.


Title: Re: Encrypted HTTP client-server connection
Post by: hamdi on June 11, 2011, 04:02:03 PM
You can use SSL without a paid certificate, given that the users trust your non-validated cert.


Title: Re: Encrypted HTTP client-server connection
Post by: turlando on June 11, 2011, 04:11:52 PM
Quote from: WilliamJohnson
Nope, they sign it. They're a Certification Authority.
For free? I don't know much about certificates.


Title: Re: Encrypted HTTP client-server connection
Post by: WilliamJohnson on June 11, 2011, 04:18:20 PM
Yes, their basic certificate is free.

From their FAQ:

Quote from: StartCom
90.) Why are Class 1 certificates free?
The philosophy of StartCom is guided by the principle that our services are charged according to the effort we have to invest. Since Class 1 certificates are domain and/or email validated only and the process is performed mostly by electronic and automatic means, StartCom doesn't apply any fees for this type of certification. StartCom started the certification authority a few years ago with the goal to provide free digital certification and adopted a unique business model previously unknown in this industry.

I'd suggest you have a look at their website: StartSSL™ Comparison Chart (http://www.startssl.com/?app=40)


Title: Re: Encrypted HTTP client-server connection
Post by: turlando on June 11, 2011, 04:32:59 PM
Quote from: WilliamJohnson
Yes, their basic certificate is free.

From their FAQ:

Quote from: StartCom
90.) Why are Class 1 certificates free?
The philosophy of StartCom is guided by the principle that our services are charged according to the effort we have to invest. Since Class 1 certificates are domain and/or email validated only and the process is performed mostly by electronic and automatic means, StartCom doesn't apply any fees for this type of certification. StartCom started the certification authority a few years ago with the goal to provide free digital certification and adopted a unique business model previously unknown in this industry.

I'd suggest you have a look at their website: StartSSL™ Comparison Chart (http://www.startssl.com/?app=40)

I see. I don't think I really need the things that the free version doesn't offer. The only thing I am in doubt about is the validation level: what do Class 2 or Class 3 offer compared with Class 1?


Title: Re: Encrypted HTTP client-server connection
Post by: WilliamJohnson on June 11, 2011, 05:02:47 PM
The Class 1 validation validates your domain name. (They do it by sending you a verification link to postmaster@yourdomain.com or a similar address.)
The Class 2 validation validates your identity. (You have to send them a picture of your identity card.)

Now, as far as encryption goes, I don't think there's a difference between the different classes.

DISCLAIMER: I haven't used any of their certificates myself. (Yet. Except their client certificate.)


Title: Re: Encrypted HTTP client-server connection
Post by: Basiley on June 11, 2011, 07:21:18 PM
Quote from: hamdi
You can use SSL without a paid certificate, given that the users trust your non-validated cert.
which makes everything you do useless, because someone (for example, and not only one party) can intercept/proxy your traffic, redirecting it.
That's why/how signing/PKA/PCS work and WHY you actually NEED a "paid" certificate.


Title: Re: Encrypted HTTP client-server connection
Post by: turlando on June 12, 2011, 07:30:22 AM
Quote from: Basiley
You can use SSL without a paid certificate, given that the users trust your non-validated cert.
which makes everything you do useless, because someone (for example, and not only one party) can intercept/proxy your traffic, redirecting it.
That's why/how signing/PKA/PCS work and WHY you actually NEED a "paid" certificate.
Do you suggest StartSSL or another one?


Title: Re: Encrypted HTTP client-server connection
Post by: WilliamJohnson on June 12, 2011, 09:14:05 AM
I think he was referring to self-signed certificates, which you can create yourself.
These certificates cause your browser to display a warning (and Firefox's warning is pretty dissuasive), because they aren't secure (they're vulnerable to man-in-the-middle (http://en.wikipedia.org/wiki/Man-in-the-middle_attack) attacks).

StartSSL "class 1" certificates, albeit free, are signed by a Certification Authority (StartCom), and display no warning in your web browser. (They aren't vulnerable to man-in-the-middle attacks.)
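What the self-signed-versus-CA-signed distinction in this thread means to a client can be shown end to end with Go's standard library, which can mint certificates in memory and run a TLS handshake over loopback without any network access. The program below is an added example written for this page; it is not code from the thread, from StartSSL or from any pool. It assumes a constructed hostname, pool.example, and a throwaway root CA created for the demo in place of a real CA such as StartCom. It also goes one step beyond the thread by showing that a CA-signed certificate is still rejected when the client expects a different hostname. Each scenario reports the client's verdict: nil when the server certificate was accepted, the verification error otherwise.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const poolHost = "pool.example" // constructed hostname for the hypothetical pool

// newCert issues a certificate for subject: self-signed when parent is nil, otherwise
// signed by parent's key, which is exactly what a CA does. Errors here would be bugs
// in this offline example, so they panic.
func newCert(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{subject} // clients match the SAN, not the CN
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// tryHandshake runs one handshake over loopback and returns the client's verdict:
// nil if it accepted the server's certificate, the verification error otherwise.
func tryHandshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			_ = conn.(*tls.Conn).Handshake() // a rejection surfaces as the client's error
			conn.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Scenarios maps each client trust setting to its handshake outcome (nil = accepted).
func Scenarios() map[string]error {
	selfSigned, selfKey := newCert(poolHost, false, nil, nil)
	caCert, caKey := newCert("Example Pool Root CA", true, nil, nil)
	caSigned, caSignedKey := newCert(poolHost, false, caCert, caKey)
	selfSrv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{selfSigned.Raw}, PrivateKey: selfKey}}}
	caSrv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{caSigned.Raw}, PrivateKey: caSignedKey}}}
	pin, trustCA := x509.NewCertPool(), x509.NewCertPool()
	pin.AddCert(selfSigned) // trust exactly this one certificate
	trustCA.AddCert(caCert) // trust anything this CA signs
	return map[string]error{
		// Browser-like default: only the system root store is trusted and the name is checked.
		"self-signed, default trust": tryHandshake(selfSrv, &tls.Config{ServerName: poolHost}),
		// Skipping verification accepts any certificate at all, including an interposer's.
		"self-signed, skip verify": tryHandshake(selfSrv, &tls.Config{ServerName: poolHost, InsecureSkipVerify: true}),
		// Pinning this exact certificate: what a deliberate browser exception amounts to.
		"self-signed, pinned": tryHandshake(selfSrv, &tls.Config{ServerName: poolHost, RootCAs: pin}),
		// A CA-signed leaf is accepted by every client that already trusts that CA.
		"CA-signed, trusts CA": tryHandshake(caSrv, &tls.Config{ServerName: poolHost, RootCAs: trustCA}),
		// The same leaf is rejected when the client expects a different name.
		"CA-signed, wrong host": tryHandshake(caSrv, &tls.Config{ServerName: "other.example", RootCAs: trustCA}),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-27s -> %v\n", name, err)
	}
}
```

The point of the five rows: a self-signed certificate is only useful to clients that have been told about that exact certificate in advance ("pinned"), which is what a browser exception does; turning verification off instead accepts whatever certificate arrives, so it buys encryption without authentication. A certificate signed by a CA the client already trusts needs no such prior arrangement, and the client still checks that the name in the certificate matches the host it meant to reach.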


Title: Re: Encrypted HTTP client-server connection
Post by: Basiley on June 13, 2011, 03:23:13 AM
Quote from: WilliamJohnson
I think he was referring to self-signed certificates, which you can create yourself.
These certificates cause your browser to display a warning (and Firefox's warning is pretty dissuasive), because they aren't secure (they're vulnerable to man-in-the-middle (http://en.wikipedia.org/wiki/Man-in-the-middle_attack) attacks).

StartSSL "class 1" certificates, albeit free, are signed by a Certification Authority (StartCom), and display no warning in your web browser. (They aren't vulnerable to man-in-the-middle attacks.)
Yep.
But as long as the typical hijacker, which is frequently the feds/ISP, can/might hijack your ISP, he can mimic CA activity too, with the help of an altered browser binary update. There is no way to combat that other than to enforce both IPv6 deployment/usage for any kind of mission-critical/society-critical/survival-critical infrastructure/network with enforced crypto, and DNSSEC too; while neither is invulnerable, it is a step ahead.