httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Boyle Owen" <Owen.Bo...@six-group.com>
Subject RE: [users@httpd] Re: Low priced certificate?
Date Wed, 22 Jul 2009 13:26:29 GMT
> -----Original Message-----
> From: André Warnier [mailto:aw@ice-sa.com] 
> Sent: Wednesday, July 22, 2009 3:09 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Re: Low priced certificate?
> 
> 
> We are a services company, and provide websites to select 
> customers, for 
> their own usage. We know these customers, they know us, and there are 
> not thousands of them (merely hundreds).
> We store information in these websites for those customers.  
> Sometimes 
> this information is relatively private, for the customer.
> (It is not however of the "top secret - defense" variety, nor banking 
> etc...)
> 
> We would like to offer to our customers, the possibility of 
> connecting 
> to their websites using HTTPS instead of HTTP.
> This is merely so that it would be harder for "foreign" 
> people to easily 
> intercept the data being exchanged between the webserver and the 
> browsers of our customers.

If you have a "private" application (in the sense that server-owner and clients already know
each other and only want to encrypt traffic), then of course you can use a self-signed cert.
In this case you are getting encryption (protection from eavesdropping) but no authentication
(which you don't care about because you already know each other).

The cause of much of the confusion is the fact that SSL certs provide *two* functions; they
contain a key that allows you to set up an encrypted channel, but they also contain a document
that attests the ownership of the domain. This second feature is essential in an e-commerce
environment where the server and client are not known to each other a priori. 

If you were a shopkeeper and wanted to send your takings off to the bank, you might request
the bank to send round a security van. When the van arrives, would you check the driver's
credentials? Obviously you should in case some crooks were tapping your phone line and had
turned up first in a stolen van with fake uniforms. If you don't check the credentials, your
money will be safe in transit, but might not actually be going to the bank :-)

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> 
> It is my understanding that we could set up our own "certificate 
> authority" (CA) and create our own server certificates.  A customer 
> browser, upon the first connection, would pop up some message 
> indicating 
> that it cannot verify this certificate, and offering maybe to 
> "authorise" our own CA as a valid one.  Once they did this, the popup 
> would not happen again, and their communications with the 
> website would 
> be encrypted (which is the main point of the exercise).
> 
> I understand that, in case their DNS system is compromised, 
> they could 
> land onto another website pretending to be ours, and thus accept this 
> other website certificate and CA.
> But I consider this possibility as relatively unlikely, and easily 
> detected by the customers themselves once they proceed. (*)
> 
> Is anything wrong with the above thinking ?
> 
> Thanks for comments.
> 
> 
> (*) because each customer application is specific, and in 
> order to fool 
> a customer, the miscreant would haver to duplicate this 
> application, the 
> data etc..
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
 
This message is for the named person's use only. It may contain confidential, proprietary
or legally privileged information. If you receive this message in error, please notify the
sender urgently and then immediately delete the message and any copies of it from your system.
Please also immediately destroy any hardcopies of the message. 
The sender's company reserves the right to monitor all e-mail communications through their
networks.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message