httpd-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] Re: Low priced certificate?
Date Wed, 22 Jul 2009 13:09:25 GMT
Boyle Owen wrote:
...

> 
> It's worth remembering what a certificate is for; it is a document,
> undersigned by a third-party, that confirms that you are who you say you
> are. The third-party certificate signing authority is putting their
> reputation on the line and has a moral (even a legal) obligation to be
> certain you are bona fide.
> 
> A certificate is not some random obstacle that makes SSL websites pesky
> to set up - it is an essential security feature that protects web-users
> from fraud. So, of course it should cost you (as e-commerce operator)
> money and effort.
> 
> Trying to get a cheap cert for your site is like a bus company getting
> cheap tyres for their buses...
> 

While not contradicting the essence of the above, I would like to know 
something for my own edification, if some expert could comment.

We are a services company, and provide websites to select customers, for 
their own usage. We know these customers, they know us, and there are 
not thousands of them (merely hundreds).
We store information in these websites for those customers.  Sometimes 
this information is relatively private, for the customer.
(It is not however of the "top secret - defense" variety, nor banking 
etc...)

We would like to offer to our customers, the possibility of connecting 
to their websites using HTTPS instead of HTTP.
This is merely so that it would be harder for "foreign" people to easily 
intercept the data being exchanged between the webserver and the 
browsers of our customers.

It is my understanding that we could set up our own "certificate 
authority" (CA) and create our own server certificates.  A customer 
browser, upon the first connection, would pop up some message indicating 
that it cannot verify this certificate, and offering maybe to 
"authorise" our own CA as a valid one.  Once they did this, the popup 
would not happen again, and their communications with the website would 
be encrypted (which is the main point of the exercise).

I understand that, in case their DNS system is compromised, they could 
land onto another website pretending to be ours, and thus accept this 
other website certificate and CA.
But I consider this possibility as relatively unlikely, and easily 
detected by the customers themselves once they proceed. (*)

Is anything wrong with the above thinking ?

Thanks for comments.


(*) because each customer application is specific, and in order to fool 
a customer, the miscreant would have to duplicate this application, the 
data etc..

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
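
The private-CA setup asked about in the message above, sketched with the openssl command line as an added example (not part of the original post or of the Apache project's documentation). The organisation name, hostname and file names are constructed placeholders, and the fingerprint helper goes one step beyond the message: it gives customers a value to compare over a separate channel before they import the CA, which addresses the DNS concern raised there.

```shell
#!/bin/sh
# Added illustration. "Example Services" and customer1.example.com are constructed placeholders.

# Create a private CA and one CA-signed server certificate inside directory $1.
make_demo_pki() {
    dir=$1
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Services
CN = Example Services Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:customer1.example.com
EOF
    # CA key plus self-signed CA certificate: ca.crt is what a customer imports once.
    openssl req -x509 -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Server key and signing request for one customer site.
    openssl req -new -config "$dir/pki.cnf" -subj "/CN=customer1.example.com" \
        -newkey rsa:2048 -nodes -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # The CA signs the request; the SAN carries the hostname clients will check.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/pki.cnf" -extensions server_ext \
        -out "$dir/server.crt" 2>/dev/null || return 1
}

# Succeeds only if certificate $2 chains to the CA in $1 and is valid for hostname $3.
verify_server() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of the CA certificate, for comparison over a separate channel
# (phone, printed letter) before a customer imports ca.crt.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" && echo "CA fingerprint: $(ca_fingerprint "$demo_dir/ca.crt")"
```

A second CA generated with the same subject name does not validate the first CA's server certificate, because validation follows the signature and not the displayed name; this is why the fingerprint, not the name in the browser prompt, is the value to compare.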

