Bitcoin Forum
December 13, 2024, 09:35:57 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Self signed certificate at glbse.com  (Read 967 times)
KenJackson (OP)
Full Member
***
Offline Offline

Activity: 127
Merit: 100



View Profile
June 30, 2011, 12:25:31 AM
 #1

I've been surfing around looking at different bitcoin sites and 
one I've seen is a link to is the GLobal Bitcoin Stock Exchange.

But when I click on it, I get this:

Quote
This Connection is Untrusted
You have asked Firefox to connect securely to glbse.com,
but we can't confirm that your connection is secure.
...
The certificate is not trusted because it is self-signed.

What's the deal?  Why don't they have a legitimate certificate?
ribuck
Donator
Hero Member
*
Offline Offline

Activity: 826
Merit: 1060


View Profile
June 30, 2011, 11:23:54 AM
 #2

What's the deal?  Why don't they have a legitimate certificate?

Oh, a self-signed certificate is perfectly legitimate. It actually provides better privacy than a purchased certificate.

The only thing a self-signed certificate doesn't provide is any assurance that a third party has confirmed the identity of the website. But you can obtain that assurance yourself by reading around this forum.

Unfortunately, the browser message is very frighteningly-worded. Which is just how the sellers of commercial certificates like it.
Arxan
Newbie
*
Offline Offline

Activity: 11
Merit: 0


View Profile
June 30, 2011, 11:28:50 AM
 #3

What's the deal?  Why don't they have a legitimate certificate?

Oh, a self-signed certificate is perfectly legitimate. It actually provides better privacy than a purchased certificate.

The only thing a self-signed certificate doesn't provide is any assurance that a third party has confirmed the identity of the website. But you can obtain that assurance yourself by reading around this forum.

Unfortunately, the browser message is very frighteningly-worded. Which is just how the sellers of commercial certificates like it.

and leaves its customers open to man in the middle attacks because then you have no convenient way to distinguish between the legitimate self-signed cert and an attacker's cert.  I wouldn't trust anything of value to a site that used self-signed certs or a private CA unless I went through extra effort to verify that it was ok.
JeroenV1990
Newbie
*
Offline Offline

Activity: 26
Merit: 0


View Profile
June 30, 2011, 11:31:06 AM
 #4

Seems ok, you can always do a WHOIS(WHO-IS).
abtcus
Newbie
*
Offline Offline

Activity: 4
Merit: 0


View Profile
June 30, 2011, 12:32:38 PM
 #5

What's the deal?  Why don't they have a legitimate certificate?

Oh, a self-signed certificate is perfectly legitimate. It actually provides better privacy than a purchased certificate.

The only thing a self-signed certificate doesn't provide is any assurance that a third party has confirmed the identity of the website. But you can obtain that assurance yourself by reading around this forum.

Unfortunately, the browser message is very frighteningly-worded. Which is just how the sellers of commercial certificates like it.

This is only partly correct. While you can generally trust a self signed certificate to establish an ssl connection, haphazardly allowing the self signed paypa1.com to get the immediate go-ahead from a browser is a terrible idea. The warning pages are essentially asking users: are you sure you know what you are about to fucking do? If anything, browsers are too lax towards established certificated authorities.
ribuck
Donator
Hero Member
*
Offline Offline

Activity: 826
Merit: 1060


View Profile
June 30, 2011, 01:55:38 PM
 #6

... and leaves its customers open to man in the middle attacks because then you have no convenient way to distinguish between the legitimate self-signed cert and an attacker's cert...
True enough. But how do you conveniently distinguish between a legitimate purchased cert and a cert that was sold to the CIA by a compliant cert-issuer?

I wouldn't trust anything of value to a site that used self-signed certs or a private CA unless I went through extra effort to verify that it was ok.
Fair enough.

Anyway, regardless of the technical issues, a service will not be commercially successful if it causes the browser to display frightening messages.
KenJackson (OP)
Full Member
***
Offline Offline

Activity: 127
Merit: 100



View Profile
June 30, 2011, 04:45:26 PM
 #7

I appreciate everyone's input.

And I think there is an additional point.  Any company that wants to do any amount of business with the public can't remain anonymous.

If we assume that this company wants to do business with the public and to grow its market share and to be respected and trusted--then it MUST have a chain of trust backing up it's website certificate.  And it MUST NOT be anonymous.

But back to my question, I wonder if they don't understand this, if there is some temporary problem they're working on, or if they have some lurking ill-intent.

alfred
Newbie
*
Offline Offline

Activity: 26
Merit: 0


View Profile WWW
July 22, 2011, 03:51:59 AM
 #8

I really think they should get a proper cert. That browser warning makes me think the site has been compromised.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!