turlando (OP)
June 11, 2011, 03:29:26 PM
Hi there, I'm writing the code for a pool, but I am sure that some information needs to be transferred over a secure connection with the server. Most pools use an SSL certificate to make the connection secure: how much could it cost? Initially I thought that I could use JavaScript to encrypt the password field with SHA-2 in the form before sending it to the server, but there is other information that I can't send in encrypted form, such as the bitcoin address of every user. So I found this, but I am not very convinced about it. Are there other ways? Which is the best? Thanks, turlando.
WilliamJohnson (Newbie, Offline, Activity: 47, Merit: 0)
June 11, 2011, 03:49:45 PM
It depends on where you decide to buy your certificate. StartSSL (http://www.startssl.com/) delivers free SSL certificates. Their root CA certificate is accepted by all browsers, as far as I know. Their cheapest paid-for certificate costs $60 and is valid for 2 years. (It's not that expensive IMHO.)
turlando (OP)
June 11, 2011, 03:55:13 PM
Like self-signed certificate? And so completely useless?
WilliamJohnson (Newbie, Offline, Activity: 47, Merit: 0)
June 11, 2011, 03:59:00 PM
Nope, they sign it. They're a Certification Authority.
hamdi
June 11, 2011, 04:02:03 PM
You can use SSL without a paid certificate, given that the users trust your non-validated cert.
turlando (OP)
June 11, 2011, 04:11:52 PM
Nope, they sign it. They're a Certification Authority.
For free? I don't know so much about certificates.
WilliamJohnson (Newbie, Offline, Activity: 47, Merit: 0)
June 11, 2011, 04:18:20 PM
Yes, their basic certificate is free. From their FAQ: "90.) Why are Class 1 certificates free? The philosophy of StartCom is guided by the principle that our services are charged according to the effort we have to invest. Since Class 1 certificates are domain and/or email validated only and the process is performed mostly by electronic and automatic means, StartCom doesn't apply any fees for this type of certification. StartCom started the certification authority a few years ago with the goal to provide free digital certification and adopted a unique business model previously unknown in this industry." I'd suggest you have a look at their website: StartSSL™ Comparison Chart
turlando (OP)
June 11, 2011, 04:32:59 PM
Yes, their basic certificate is free. From their FAQ: "90.) Why are Class 1 certificates free? The philosophy of StartCom is guided by the principle that our services are charged according to the effort we have to invest. Since Class 1 certificates are domain and/or email validated only and the process is performed mostly by electronic and automatic means, StartCom doesn't apply any fees for this type of certification. StartCom started the certification authority a few years ago with the goal to provide free digital certification and adopted a unique business model previously unknown in this industry." I'd suggest you have a look at their website: StartSSL™ Comparison Chart
I see that. I don't think I really need the things that the free version doesn't offer. The only thing I am in doubt about is the validation level: what do class two or three bring compared to class one?
WilliamJohnson (Newbie, Offline, Activity: 47, Merit: 0)
June 11, 2011, 05:02:47 PM
The Class 1 validation validates your domain name. (They do it by sending you a verification link to postmaster@yourdomain.com or a similar address.) The Class 2 validation validates your identity. (You have to send them a picture of your identity card.) Now, as far as encryption goes, I don't think there's a difference between the different classes. DISCLAIMER: I haven't used any of their certificates myself. (Yet. Except their client certificate.)
Basiley (Newbie, Offline, Activity: 42, Merit: 0)
June 11, 2011, 07:21:18 PM
You can use SSL without a paid certificate, given that the users trust your non-validated cert.
Which makes everything you do useless, because someone (for example, and not only one) can intercept/proxy your traffic, redirecting it. That's why/how signing/PKA/PCS work and WHY you actually NEED a "paid" certificate.
turlando (OP)
June 12, 2011, 07:30:22 AM (Last edit: June 12, 2011, 02:50:07 PM by turlando)
You can use SSL without a paid certificate, given that the users trust your non-validated cert.
Which makes everything you do useless, because someone (for example, and not only one) can intercept/proxy your traffic, redirecting it. That's why/how signing/PKA/PCS work and WHY you actually NEED a "paid" certificate.
Do you suggest StartSSL or another one?
WilliamJohnson (Newbie, Offline, Activity: 47, Merit: 0)
June 12, 2011, 09:14:05 AM
I think he was referring to self-signed certificates, which you can create yourself. These certificates cause your browser to display a warning (and Firefox's warning is pretty dissuasive), because they aren't secure (they're vulnerable to man-in-the-middle attacks). StartSSL "class 1" certificates, albeit free, are signed by a Certification Authority (StartCom), and display no warning in your web browser. (They aren't vulnerable to man-in-the-middle attacks.)
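The distinction WilliamJohnson draws here (a self-signed certificate fails a client's verification, a CA-signed one passes) and hamdi's earlier point (a self-signed certificate is only accepted once the user has explicitly trusted it) can both be reproduced locally with the openssl command line. The script below is an added example and is not from this thread or from StartSSL; the names pool.example and Example CA are constructed, and the throwaway mini CA is a hypothetical stand-in for a real CA such as StartCom, not anything StartCom actually uses.

```shell
#!/bin/sh
# Added example (not from the thread): show, with the openssl CLI, why a client
# warns on a self-signed certificate but accepts a CA-signed one.
# "pool.example" and "Example CA" are constructed names; the mini CA is a
# hypothetical stand-in for a real CA such as StartCom.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A self-signed certificate: the site vouches for itself and nobody else does.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=pool.example" \
    -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

# A CA-signed certificate: a toy CA root signs the site's request, the way a
# real CA signs a certificate after validating the domain.
make_ca_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=pool.example" \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/site.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/site.crt" 2>/dev/null
}

# verify_against TRUSTSTORE CERT: what a client whose trust store contains only
# TRUSTSTORE concludes about CERT; prints "trusted" or "untrusted".
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_self_signed
make_ca_signed
# Client trusts only the CA root (the browser's usual situation):
echo "self-signed cert: $(verify_against "$WORK/ca.crt" "$WORK/self.crt")"   # untrusted -> warning
echo "CA-signed cert:   $(verify_against "$WORK/ca.crt" "$WORK/site.crt")"   # trusted -> no warning
# User has manually imported the self-signed cert (hamdi's "given the users trust your cert"):
echo "self-signed cert, imported by user: $(verify_against "$WORK/self.crt" "$WORK/self.crt")"   # trusted
```

The third line is the crux of the thread: the self-signed certificate only verifies because that particular client was told in advance to trust exactly that certificate. Every other visitor's client holds only the public CA roots, so it has no way to tell the site's own certificate from one presented by an interposed party, which is why the browser warns.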
Basiley (Newbie, Offline, Activity: 42, Merit: 0)
June 13, 2011, 03:23:13 AM
I think he was referring to self-signed certificates, which you can create yourself. These certificates cause your browser to display a warning (and Firefox's warning is pretty dissuasive), because they aren't secure (they're vulnerable to man-in-the-middle attacks). StartSSL "class 1" certificates, albeit free, are signed by a Certification Authority (StartCom), and display no warning in your web browser. (They aren't vulnerable to man-in-the-middle attacks.)
Yep. But as long as the typical hijacker, which is frequently feds/ISP, can/might hijack your ISP, he can mimic CA activity too, with the help of an altered browser binary update. There is no way to combat that other than enforcing both IPv6 deployment/usage for any kind of mission-critical/society-critical/survival-critical infrastructure/network with enforced crypto, and DNSSEC too; while neither is invulnerable, it is a step ahead.