Encrypted HTTP client-server connection

[turlando]

Hi there,
I'm writing the code for a pool but I am sure that some informations need to transfer in a secure connection with the server. Most pools use an SSL certificate to make the connection secure: how much could it cost? Initially I thought that I could use javacript to encrypt with sha2 the password field in the form before sending it to the server, but there are other informations that I can't send in encrypted form, as the bitcoin address of every user. So I found this but I am not very convinced about that. There other ways? Which is the best?

Thanks,
turlando.

[WilliamJohnson]

It depends on where you decide to buy your certificate.

StartSSL (http://www.startssl.com/) delivers free SSL certificates. Their root CA certificate is accepted by all browsers, as far as I know.
Their cheapest paid-for certificate costs $60 and is valid for 2 years. (It's not that expensive IMHO)

[turlando]

StartSSL (http://www.startssl.com/) delivers free SSL certificates.

Like self-signed certificate? And so completely useless?

[WilliamJohnson]

Nope, they sign it. They're a Certification Authority.

[hamdi]

you can use SSL without a paid certificate. given the users trust your non-validated cert.

[turlando]

Nope, they sign it. They're a Certification Authority.

For free? I don't know so much about certificates.

[WilliamJohnson]

Yes, their basic certificate isr free.

From their FAQ:

90.) Why are Class 1 certificates free?
The philosophy of StartCom is guided by the principal that our services are charged according to the effort we have to invest. Since Class 1 certificates are domain and/or email validated only and the process is performed mostly by electronic and automatic means, StartCom doesn't apply any fees for this type of certification. StartCom started the certification authority a few years ago with the goal to provide free digital certification and adopted a unique business model previously unknown in this industry.

I'd suggest you have a look at their website: StartSSL™ Comparison Chart

[turlando]

Yes, their basic certificate isr free.

From their FAQ:

90.) Why are Class 1 certificates free?
The philosophy of StartCom is guided by the principal that our services are charged according to the effort we have to invest. Since Class 1 certificates are domain and/or email validated only and the process is performed mostly by electronic and automatic means, StartCom doesn't apply any fees for this type of certification. StartCom started the certification authority a few years ago with the goal to provide free digital certification and adopted a unique business model previously unknown in this industry.

I'd suggest you have a look at their website: StartSSL™ Comparison Chart

I see that I don't think I really need the things that the free version doesn't offer. The only thing which I am in doubt is the validation level: what the class two or three comports than the class one?

[WilliamJohnson]

The Class1 validation validates your domain name. (They do it by sending you a verification link to postmaster@yourdomain.com or a similar address.)
The Class2 validation validates your identity. (You have to send them a picture of your identity card).

Now, as far as encryption goes, I don't think there's a difference between the different classes.

DISCLAIMER: I haven't used any of their certificates myself. (Yet. Except their client certificate.)

[Basiley]

you can use SSL without a paid certificate. given the users trust your non-validated cert.

which make everything you do, useless, because someone can [for example. not only one]can intercept/proxy you traffic, redirecting it.
thats why/how signing/PKA/PCS work and WHY you actually NEED "paid" certificate.

[turlando]

you can use SSL without a paid certificate. given the users trust your non-validated cert.

which make everything you do, useless, because someone can [for example. not only one]can intercept/proxy you traffic, redirecting it.
thats why/how signing/PKA/PCS work and WHY you actually NEED "paid" certificate.

Do you suggest me StartSSL or another one else?

[WilliamJohnson]

I think he was referring to self-signed certificates, which you can create yourself.
These certificates causes your browser to display a warning (and Firefox warning is pretty dissuasive), because they aren't secure (they're vulnerable to man-in-the-middle attacks).

StartSSL "class 1" certificates, albeit free, are signed by a Certification Authority (StartCom), and display no warning in your Web-browser. (They aren't vulnerable to man-in-the-middle attacks).

[Basiley]

I think he was referring to self-signed certificates, which you can create yourself.
These certificates causes your browser to display a warning (and Firefox warning is pretty dissuasive), because they aren't secure (they're vulnerable to man-in-the-middle attacks).

StartSSL "class 1" certificates, albeit free, are signed by a Certification Authority (StartCom), and display no warning in your Web-browser. (They aren't vulnerable to man-in-the-middle attacks).

yep.
but as long as typical hijacker, which is frequently feds/isp, can/might hijack you isp, he can mimic CA activity too, with help of altered browser binary update. there is no way to combat that, than enforce both IPv6 deployment/usage for any kind of mission-critical/society-critical/survival-critical intrastructure/network with enforced crypto and DNSSec too, while both isn't invulnerable, but step ahead.