Bitcoin Forum
Poll
Question: Do you require a site to have a commercial SSL to buy?  (Voting closed: July 29, 2013, 12:03:29 PM)
commercial is a must - 5 (55.6%)
self signed is acceptable - 2 (22.2%)
want, but either is ok - 2 (22.2%)
don't require - 0 (0%)
Total Voters: 9

Author Topic: self ssl certificate vs commercially issued - your thoughts as a buyer?  (Read 711 times)
David-M
Member
Activity: 105
July 25, 2013, 12:03:29 PM
#1

I recently added accepting bitcoin on one of my sites using bitpay. Since the transaction happens over at the bitpay site, what I needed to secure was the API data sent behind the scenes. Therefore I used a self signed SSL certificate. The only personal information recorded on the site is a signup email.

As bitcoin users, is this an acceptable level of security to you? Or do you require SSL on the whole site? Does it have to be a commercial SSL?

David

CIYAM
Legendary
Activity: 1862
Ian Knowles - CIYAM Lead Developer
July 25, 2013, 12:09:06 PM
#2

I expect that a lot of people would be put off by a "self-signed" certificate just because it seems a bit "too cheap" (even if they weren't worried about the lack of any CA trust-chain).

It really doesn't cost very much to get a cert that is issued so why not spend the money (or are you wanting to make a statement)?

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
OnkelPaul
Legendary
Activity: 1045
July 25, 2013, 12:11:53 PM
#3

Self-signed provides security against network sniffers but unless your users import the certificate into their browser from a secure source they could be subject to a man-in-the-middle attack.
Commercially issued certificates are quite a bit better because they are always traceable back to a root certificate - MitM attacks are much more difficult for ordinary criminals, although I think there have been cases where criminal governments have compromised CAs to obtain fake root certificates for such purposes.
As a buyer, I would be a bit uneasy when a site uses a self-signed certificate and switches between http and https "arbitrarily". Those sites that use https only for the payment pages typically state that very clearly to avoid confusion.

Onkel Paul

David-M
Member
Activity: 105
July 25, 2013, 02:06:42 PM
#4

I've only used commercial SSL in the past, but since this wasn't going to be browser based, I thought self signed may be sufficient. I state on the signup page that users can switch to the SSL version and accept the certificate if they wish.

Quote
(or are you wanting to make a statement)?
I thought about that too.

David

CIYAM
Legendary
Activity: 1862
Ian Knowles - CIYAM Lead Developer
July 25, 2013, 02:12:52 PM
#5

Quote
I thought about that too.

As an alternative to the whole "cert" system I am using GPG and client-side encryption but the problem with using anything "non-standard" is that your audience gets severely reduced (so I now offer more traditional sign-ups for CIYAM Open as well and very few users are using the GPG sign-up).

With CIYAM anyone can create 100% generated C++ web applications in literally minutes.

GPG Public Key | 1ciyam3htJit1feGa26p2wQ4aw6KFTejU
K1773R
Legendary
Activity: 1694
/dev/null
July 25, 2013, 02:37:59 PM
#6

self signed as the CAs can't be trusted, their keys can be stolen, inside jobs, etc. but the self signed cert should be signed with the guy's known GPG key to validate it, therefore not even the CAs can break it

EDIT: this might also be of interest for you: http://convergence.io/

OnkelPaul
Legendary
Activity: 1045
July 25, 2013, 03:16:44 PM
#7

Self signed with GPG key is good but depends on two non-trivial assumptions:
- GPG key of the site's operator is known and trusted
- customer knows how to use GPG in the first place.

Onkel Paul

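A concrete version of the approach discussed in posts #3, #6 and #7, as an added example that is not code from the thread: the operator publishes the self-signed certificate's SHA-256 fingerprint through a channel the buyer already trusts (for instance a GPG-signed notice), and the buyer checks the certificate the server presents against that fingerprint, or against the imported certificate used as the only trust anchor. It assumes the openssl command-line tool is installed; the hostname shop.example and the temporary files are constructed for the demo.

```shell
#!/bin/sh
# Added demo: pin a self-signed certificate by its published fingerprint.
# Assumes the openssl CLI; shop.example and the temp files are constructed.
set -e
WORK=$(mktemp -d)

# make_self_signed NAME OUTFILE: operator side, a fresh self-signed cert
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# fingerprint CERT: SHA-256 fingerprint (AA:BB:...), the value the operator
# publishes over a channel the buyer already trusts (e.g. GPG-signed)
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# pin_matches CERT EXPECTED_FP: buyer side; succeeds only when the cert
# presented by the server carries the published fingerprint
pin_matches() {
    [ "$(fingerprint "$1")" = "$2" ]
}

# anchored_ok TRUSTED_CERT PRESENTED_CERT: the "import it into your browser"
# variant; the imported cert is the only trust anchor
anchored_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Operator: create the genuine cert and publish its fingerprint.
make_self_signed shop.example "$WORK/genuine.pem"
PUBLISHED_FP=$(fingerprint "$WORK/genuine.pem")
echo "published fingerprint: $PUBLISHED_FP"

# A second self-signed cert for the same name, standing in for whatever an
# intermediary might present. Without a pin or anchor the buyer's browser
# cannot tell the two apart; with either, the substitute is rejected.
make_self_signed shop.example "$WORK/other.pem"

for cert in genuine other; do
    if pin_matches "$WORK/$cert.pem" "$PUBLISHED_FP"; then
        echo "$cert.pem: fingerprint matches, proceed"
    else
        echo "$cert.pem: fingerprint mismatch, refuse to connect"
    fi
done
```

The same check against a CA-issued certificate would instead walk the chain to a root shipped with the browser, which is the trust the thread's commercial option buys; the pin replaces that chain with the operator's published value.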
BitcoinFX
Legendary
Activity: 1512
youtu.be/3kqLVeP7iHA
July 25, 2013, 04:00:11 PM
#8

Quote
self signed as the CAs can't be trusted, their keys can be stolen, inside jobs, etc. but the self signed cert should be signed with the guy's known GPG key to validate it, therefore not even the CAs can break it

EDIT: this might also be of interest for you: http://convergence.io/

You could always get your "Self-Signed" SSL Cert. signed for free at CAcert.org. At least they have a 4096 bit Root Cert.

Example: http://xeronet.primeoptic.net/about-ssl.php

Convergence.io is really great! Everyone should watch Moxie's presentation - It's brilliant:

BlackHat USA 2011: SSL And The Future Of Authenticity - https://www.youtube.com/watch?feature=player_embedded&v=Z7Wl2FW2TcA


"The industry of the integrated spectacle and immaterial command owes me (us all) money." - We do not Forgive. We do not Forget. Expect Revolution! for we are all Satoshi now? - youtu.be/G7Z8MMk45U0 - "the multiple and the multiplex!" - Mostly AWOL Hunting SNARKS ... youtu.be/Yc18hhM6gUc?t=4m27s - "Beware of Boojum's"!