Bitcoin Forum
Topic: Encrypted HTTP client-server connection (Read 1289 times)
turlando (Newbie, Activity: 11)
June 11, 2011, 03:29:26 PM  #1

Hi there,
I'm writing the code for a pool, but I am sure that some information needs to be transferred over a secure connection with the server. Most pools use an SSL certificate to make the connection secure: how much could it cost? Initially I thought that I could use JavaScript to hash the password field with SHA-2 before sending it to the server, but there is other information that I can't send in encrypted form, such as the bitcoin address of every user. So I found this, but I am not very convinced about it. Are there other ways? Which is the best?

Thanks,
turlando.

«The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair.» --Douglas Adams about ZFS
WilliamJohnson (Jr. Member, Activity: 47)
June 11, 2011, 03:49:45 PM  #2

It depends on where you decide to buy your certificate.

StartSSL (http://www.startssl.com/) delivers free SSL certificates. Their root CA certificate is accepted by all browsers, as far as I know.
Their cheapest paid-for certificate costs $60 and is valid for 2 years. (It's not that expensive IMHO)
turlando (Newbie, Activity: 11)
June 11, 2011, 03:55:13 PM  #3

Quote from: WilliamJohnson
StartSSL (http://www.startssl.com/) delivers free SSL certificates.

Like a self-signed certificate? And so completely useless?

WilliamJohnson (Jr. Member, Activity: 47)
June 11, 2011, 03:59:00 PM  #4

Nope, they sign it. They're a Certification Authority.
hamdi (Hero Member, Activity: 644)
June 11, 2011, 04:02:03 PM  #5

You can use SSL without a paid certificate, given that the users trust your non-validated cert.

turlando (Newbie, Activity: 11)
June 11, 2011, 04:11:52 PM  #6

Quote from: WilliamJohnson
Nope, they sign it. They're a Certification Authority.

For free? I don't know much about certificates.

WilliamJohnson (Jr. Member, Activity: 47)
June 11, 2011, 04:18:20 PM  #7

Yes, their basic certificate is free.

From their FAQ:

Quote from: StartCom
90.) Why are Class 1 certificates free?
The philosophy of StartCom is guided by the principle that our services are charged according to the effort we have to invest. Since Class 1 certificates are domain and/or email validated only and the process is performed mostly by electronic and automatic means, StartCom doesn't apply any fees for this type of certification. StartCom started the certification authority a few years ago with the goal to provide free digital certification and adopted a unique business model previously unknown in this industry.

I'd suggest you have a look at their website: StartSSL™ Comparison Chart
turlando (Newbie, Activity: 11)
June 11, 2011, 04:32:59 PM  #8

Quote from: WilliamJohnson
Yes, their basic certificate is free.

From their FAQ:

Quote from: StartCom
90.) Why are Class 1 certificates free?
The philosophy of StartCom is guided by the principle that our services are charged according to the effort we have to invest. Since Class 1 certificates are domain and/or email validated only and the process is performed mostly by electronic and automatic means, StartCom doesn't apply any fees for this type of certification. StartCom started the certification authority a few years ago with the goal to provide free digital certification and adopted a unique business model previously unknown in this industry.

I'd suggest you have a look at their website: StartSSL™ Comparison Chart

I see, and I don't think I really need the things that the free version doesn't offer. The only thing I am in doubt about is the validation level: what do class two or three provide compared to class one?

WilliamJohnson (Jr. Member, Activity: 47)
June 11, 2011, 05:02:47 PM  #9

The Class 1 validation validates your domain name. (They do it by sending you a verification link to postmaster@yourdomain.com or a similar address.)
The Class 2 validation validates your identity. (You have to send them a picture of your identity card.)

Now, as far as encryption goes, I don't think there's a difference between the different classes.

DISCLAIMER: I haven't used any of their certificates myself. (Yet. Except their client certificate.)
Basiley (Jr. Member, Activity: 42)
June 11, 2011, 07:21:18 PM  #10

Quote from: hamdi
You can use SSL without a paid certificate, given that the users trust your non-validated cert.

Which makes everything you do useless, because someone (for example, and not only one) can intercept/proxy your traffic, redirecting it.
That's why/how signing/PKA/PCS work and WHY you actually NEED a "paid" certificate.
turlando (Newbie, Activity: 11)
June 12, 2011, 07:30:22 AM  #11

Quote from: Basiley
Quote from: hamdi
You can use SSL without a paid certificate, given that the users trust your non-validated cert.

Which makes everything you do useless, because someone (for example, and not only one) can intercept/proxy your traffic, redirecting it.
That's why/how signing/PKA/PCS work and WHY you actually NEED a "paid" certificate.

Do you suggest StartSSL or some other one?

WilliamJohnson (Jr. Member, Activity: 47)
June 12, 2011, 09:14:05 AM  #12

I think he was referring to self-signed certificates, which you can create yourself.
These certificates cause your browser to display a warning (and Firefox's warning is pretty dissuasive), because they aren't secure (they're vulnerable to man-in-the-middle attacks).

StartSSL "class 1" certificates, albeit free, are signed by a Certification Authority (StartCom), and display no warning in your web browser. (They aren't vulnerable to man-in-the-middle attacks.)
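The distinction drawn in this reply (and in hamdi's and Basiley's posts above) can be reproduced with the openssl command-line tool. The script below is an added example, not code from the thread or from StartCom: it creates a self-signed server certificate and, separately, a private CA (a stand-in for a public CA such as StartCom) that signs a second server certificate, then runs the same chain check a browser performs against its root store. The host name pool.example.test and the CA name "Demo Root CA" are constructed for the demo; the script assumes an openssl binary with a working default config is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): self-signed vs CA-signed certificates,
# checked with `openssl verify` the way a browser checks against its root store.
# All names (pool.example.test, "Demo Root CA") are constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/cert-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# A self-signed certificate: the server vouches for itself (issuer == subject),
# so a client has no independent way to tell it from an interceptor's copy.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=pool.example.test" \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" >/dev/null 2>&1
}

# A private CA plus a server certificate signed by it. A client that trusts the
# CA (as browsers trusted StartCom) accepts the server certificate without ever
# having seen it before; a certificate that is not signed by that CA is rejected.
make_ca_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=pool.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" >/dev/null 2>&1
}

# is_self_signed FILE: prints "yes" when issuer and subject are identical.
is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    if [ "$issuer" = "$subject" ]; then echo yes; else echo no; fi
}

# verify_with TRUSTED_CA CERT: prints "ok" if CERT chains to TRUSTED_CA and
# "fail" otherwise. A "fail" here is what produces the browser warning.
verify_with() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_self_signed
make_ca_signed

echo "self.crt is self-signed:              $(is_self_signed "$WORK/self.crt")"
echo "server.crt is self-signed:            $(is_self_signed "$WORK/server.crt")"
echo "self.crt checked against Demo CA:     $(verify_with "$WORK/ca.crt" "$WORK/self.crt")"
echo "server.crt checked against Demo CA:   $(verify_with "$WORK/ca.crt" "$WORK/server.crt")"
echo "self.crt when the client pins it:     $(verify_with "$WORK/self.crt" "$WORK/self.crt")"
```

The last line shows hamdi's scenario: a self-signed certificate does verify, but only for a client that has been told to trust that exact certificate in advance. Every other client has nothing to check it against, which is the gap Basiley and WilliamJohnson describe; a certificate chained to a CA the client already trusts closes it without any per-user setup.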
Basiley (Jr. Member, Activity: 42)
June 13, 2011, 03:23:13 AM  #13

Quote from: WilliamJohnson
I think he was referring to self-signed certificates, which you can create yourself.
These certificates cause your browser to display a warning (and Firefox's warning is pretty dissuasive), because they aren't secure (they're vulnerable to man-in-the-middle attacks).

StartSSL "class 1" certificates, albeit free, are signed by a Certification Authority (StartCom), and display no warning in your web browser. (They aren't vulnerable to man-in-the-middle attacks.)

Yep.
But as long as the typical hijacker, which is frequently the feds/ISP, can/might hijack your ISP, he can mimic CA activity too, with the help of an altered browser binary update. There is no way to combat that other than to enforce both IPv6 deployment/usage for any kind of mission-critical/society-critical/survival-critical infrastructure/network with enforced crypto, and DNSSEC too; while neither is invulnerable, it is a step ahead.