Bitcoin Forum
Author Topic: Encrypted HTTP client-server connection  (Read 1358 times)
turlando (Newbie)
June 11, 2011, 03:29:26 PM  #1

Hi there,
I'm writing the code for a pool, but I am sure that some information needs to be transferred over a secure connection with the server. Most pools use an SSL certificate to make the connection secure: how much could it cost? Initially I thought that I could use javascript to encrypt the password field in the form with sha2 before sending it to the server, but there is other information that I can't send in encrypted form, such as the bitcoin address of every user. So I found this, but I am not very convinced about it. Are there other ways? Which is the best?

Thanks,
turlando.

«The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair.» --Douglas Adams about ZFS
WilliamJohnson (Jr. Member)
June 11, 2011, 03:49:45 PM  #2

It depends on where you decide to buy your certificate.

StartSSL (http://www.startssl.com/) delivers free SSL certificates. Their root CA certificate is accepted by all browsers, as far as I know.
Their cheapest paid-for certificate costs $60 and is valid for 2 years. (It's not that expensive IMHO)
turlando (Newbie)
June 11, 2011, 03:55:13 PM  #3

Quote from: WilliamJohnson
StartSSL (http://www.startssl.com/) delivers free SSL certificates.

Like a self-signed certificate? And so completely useless?

WilliamJohnson (Jr. Member)
June 11, 2011, 03:59:00 PM  #4

Nope, they sign it. They're a Certification Authority.
hamdi (Hero Member)
June 11, 2011, 04:02:03 PM  #5

You can use SSL without a paid certificate, given that the users trust your non-validated cert.

turlando (Newbie)
June 11, 2011, 04:11:52 PM  #6

Quote from: WilliamJohnson
Nope, they sign it. They're a Certification Authority.

For free? I don't know much about certificates.

WilliamJohnson (Jr. Member)
June 11, 2011, 04:18:20 PM  #7

Yes, their basic certificate is free.

From their FAQ:

Quote from: StartCom
90.) Why are Class 1 certificates free?
The philosophy of StartCom is guided by the principle that our services are charged according to the effort we have to invest. Since Class 1 certificates are domain and/or email validated only and the process is performed mostly by electronic and automatic means, StartCom doesn't apply any fees for this type of certification. StartCom started the certification authority a few years ago with the goal to provide free digital certification and adopted a unique business model previously unknown in this industry.

I'd suggest you have a look at their website: StartSSL™ Comparison Chart
turlando (Newbie)
June 11, 2011, 04:32:59 PM  #8

Quote from: WilliamJohnson
Yes, their basic certificate is free.

From their FAQ:

Quote from: StartCom
90.) Why are Class 1 certificates free?
The philosophy of StartCom is guided by the principle that our services are charged according to the effort we have to invest. Since Class 1 certificates are domain and/or email validated only and the process is performed mostly by electronic and automatic means, StartCom doesn't apply any fees for this type of certification. StartCom started the certification authority a few years ago with the goal to provide free digital certification and adopted a unique business model previously unknown in this industry.

I'd suggest you have a look at their website: StartSSL™ Comparison Chart

I see. I don't think I really need the things that the free version doesn't offer. The only thing I am in doubt about is the validation level: what do class two or three entail compared to class one?

WilliamJohnson (Jr. Member)
June 11, 2011, 05:02:47 PM  #9

The Class 1 validation validates your domain name. (They do it by sending you a verification link to postmaster@yourdomain.com or a similar address.)
The Class 2 validation validates your identity. (You have to send them a picture of your identity card.)

Now, as far as encryption goes, I don't think there's a difference between the different classes.

DISCLAIMER: I haven't used any of their certificates myself. (Yet. Except their client certificate.)
Basiley (Jr. Member)
June 11, 2011, 07:21:18 PM  #10

Quote from: hamdi
You can use SSL without a paid certificate, given that the users trust your non-validated cert.

Which makes everything you do useless, because someone [for example, not only one] can intercept/proxy your traffic, redirecting it.
That's why/how signing/PKA/PCS work and WHY you actually NEED a "paid" certificate.
turlando (Newbie)
June 12, 2011, 07:30:22 AM  #11

Quote from: Basiley
Quote from: hamdi
You can use SSL without a paid certificate, given that the users trust your non-validated cert.

Which makes everything you do useless, because someone [for example, not only one] can intercept/proxy your traffic, redirecting it.
That's why/how signing/PKA/PCS work and WHY you actually NEED a "paid" certificate.

Do you suggest StartSSL or another one?

WilliamJohnson (Jr. Member)
June 12, 2011, 09:14:05 AM  #12

I think he was referring to self-signed certificates, which you can create yourself.
These certificates cause your browser to display a warning (and Firefox's warning is pretty dissuasive), because they aren't secure (they're vulnerable to man-in-the-middle attacks).

StartSSL "class 1" certificates, albeit free, are signed by a Certification Authority (StartCom), and display no warning in your Web-browser. (They aren't vulnerable to man-in-the-middle attacks).
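Added example (not code from the thread or from StartCom): a Python 3 stdlib helper that makes the distinction in this post concrete. A self-signed certificate carries the same subject and issuer and fails chain verification in a browser or in a strict `ssl` context, while a CA-signed one chains to a root the client already trusts. The sample certificate dicts, the hostname `pool.example.test` and the issuer name `Example Class 1 CA` are constructed for the example; `fetch_peer_cert` can be pointed at a real pool host to see what it actually serves.

```python
import socket
import ssl
import time

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns:
# subject/issuer are tuples of RDNs, each RDN a tuple of (type, value) pairs.
SELF_SIGNED_SAMPLE = {
    "subject": ((("commonName", "pool.example.test"),),),
    "issuer": ((("commonName", "pool.example.test"),),),  # issuer == subject
    "notAfter": "Jun 11 15:29:26 2013 GMT",
}
CA_SIGNED_SAMPLE = dict(SELF_SIGNED_SAMPLE,
                        issuer=((("commonName", "Example Class 1 CA"),),))

def rdn_value(name, attr):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def describe_cert(cert, now=None):
    """Summarise a getpeercert() dict: who vouches for it, and for how long."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "subject_cn": rdn_value(cert["subject"], "commonName"),
        "issuer_cn": rdn_value(cert["issuer"], "commonName"),
        # Same subject and issuer: nobody but the site vouches for the key, which
        # is why browsers warn and why an interposed proxy could swap in its own.
        "self_signed": cert["subject"] == cert["issuer"],
        "days_left": int((expires - now) // 86400),
    }

def strict_context(cafile=None):
    """Client context that verifies chain AND hostname, as a browser does.
    cafile=None means the OS trust store; pass a file only for a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def fetch_peer_cert(host, port=443, cafile=None, timeout=5):
    """Connect with verification on and return the server's cert as a dict.
    A self-signed/untrusted cert raises ssl.SSLCertVerificationError here."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_context(cafile).wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()
```

Disabling `check_hostname` or setting `verify_mode = ssl.CERT_NONE` is what "trusting a non-validated cert" amounts to in code, and it is exactly the setting that lets an interposed proxy go unnoticed.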
Basiley (Jr. Member)
June 13, 2011, 03:23:13 AM  #13

Quote from: WilliamJohnson
I think he was referring to self-signed certificates, which you can create yourself.
These certificates cause your browser to display a warning (and Firefox's warning is pretty dissuasive), because they aren't secure (they're vulnerable to man-in-the-middle attacks).

StartSSL "class 1" certificates, albeit free, are signed by a Certification Authority (StartCom), and display no warning in your Web-browser. (They aren't vulnerable to man-in-the-middle attacks).

Yep.
But as long as a typical hijacker, which is frequently the feds/ISP, can/might hijack your ISP, he can mimic CA activity too, with the help of an altered browser binary update. There is no way to combat that other than enforcing both IPv6 deployment/usage for any kind of mission-critical/society-critical/survival-critical infrastructure/network with enforced crypto, and DNSSEC too; while neither is invulnerable, it is a step ahead.