GoDaddy Gossip


#1

Apparently GoDaddy let their SSL cert expire today.

Whoops!

Wholly - Use promo code WhollyMindless for discount.


#2

Whoops!

Then again, they at least have their own cert. I for one think it would be great for Dreamhost to become a certificate authority. I think they’d be able to provide good value with better service than the daddy.



#3

Does anybody have any idea about the cost to have SSL cert? I’ve seen some websites that are big but still let the cert expire.



#4

Certs go for between $19.95 a year up to $995 a year and up. Dreamhost offers them for $99.95 a year. I thought these were Geotrust certs but this is cheaper than you can get them from Geotrust themselves ($250/year), so I don’t know the full scoop.



#5

Btw, what’s the benefit of using this certificate thing ?

TTL


#6

You need to purchase an SSL certificate in order to have your website accessible using the https protocol, which will provide secure, encrypted communications between the browser and your web server. Users can be positive that they are reaching the real web server for your site and that any communication they have with that web server is encrypted. The latter is important because even if any sensitive data flowing between the browser and your web server is intercepted by an intermediate host, that data can’t be used/understood. This keeps sensitive information like credit card information secure.

Here are some articles on the subject:
http://wiki.dreamhost.com/SSL
http://wiki.dreamhost.com/KB_/Account_Control_Panel/Goodies::_Secure_Server
http://en.wikipedia.org/wiki/Https



#7

Good links, but

is not precisely correct. Emphasis on purchase is mine. If you’re selling something or have some other commercial purpose, then almost certainly you want to purchase a cert from a well known (i.e. well supported in browsers) Authority.

But if you just want https for the extra security of encryption, then you can stick with self certification (aka $$ free). Yes, for those thinking “Free!”, be forewarned that clients will get a pop-up warning that your cert is not recognized as a legitimate authority. Depending upon your use, this behavior may be just fine. (And you can accept the cert and not be bothered with future warnings.)

Despite the wide open nature of shared hosting, I like having the option of SSL with a couple of services I run (paying for the fixed IP is enough – not worth a commercial cert for me). I mention all this only for others that may feel similarly and were unawares…


jt


#8

Good point. I had originally considered explaining the pros and cons of self-signed certs for debugging and partial security (you get encryption but don’t necessarily have the assurance that you’re actually talking to your server) for whatever personal purposes. I figured the question was addressed at non-personal use of SSL, which in practice does require the purchase of a certificate issued by a certificate authority.

I think this edge case is particularly rare given that you have to pay $47.40 a year for your unique IP but aren’t willing to pay the $19.95/yr for the crappiest legitimate cert. I am personally interested in it so I’d be up for hearing about the use cases!



#9

Well, forgive me for extending the thread into details many perhaps do not need BUT,

could be a little misleading to some. Assurances that you’re talking to your server? No different client behavior between a personal/private cert and a commercial cert here. At least after the first time you’ve accepted that personal cert. If the IP changes, you’ll be warned.

As for further use cases – beyond providing encryption for any data you might upload to a particular service (calendar, intranet, finance mgmt, etc…)?? Since I’m guessing you know better (as a regular contributor to DH forums and it seems to me a somewhat savvy IT user), forgive me if I sound pedantic as I get on a pedestal…

Never trust your network. Sure if you’re at home and you’re confident your control over that network is “perfect” or you don’t care if some sniffer/snooper can see your date plans for the weekend, that’s one thing. But you might want to get into the habit of treating even those bits securely so you don’t have to think about it when out on a network you don’t control (like the coffeehouse, school, work, etc…). Especially if you’ve set up personal intranets or other services that may contain sensitive information. Though I’ve already alluded to the fact that in the end, you are putting your trust in the guys and gals of DH (even if you’re paranoid enough to encrypt your data repositories).

Coming back to the issue of purchasing a personal vs commercial cert, it is again important to understand the real purpose behind a commercial cert. It [commercial] does not increase line/IP security per se but serves to vouch that you are who you say you are. Even at a cheap $19.95/yr, I have no need for such a service for myself or those who personally know me. The same goes for internal small biz services. Not necessary. Remember, you can accept the personal cert and not be bothered by pop-ups unless something on the line changes (web server, IP).

I don’t doubt this has been an incomplete discussion of the issues around HTTPS certs here, so for those interested in more info, I encourage you to seek out additional info.


jt


#10

No need to apologize, I just originally wanted to structure the explanation to provide the first-order approximation first and then later allow us to go into further explanations of how what we were saying isn’t always 100% accurate. I feel we’re doing that part now, which is great! (BTW, this is all based on feedback I got at some 360 degree review at work about ten years ago, so please do feel free to comment on whether you think it’s effective or not!)

It’s my understanding that commercial certificates validate their issuer back to some set of root certificate authorities that are initially set by “the browser”. So when Firefox installs, it installs with some set of root authorities that are used to validate each site’s certificate chain. It was my understanding that when your site presents a valid commercial certificate, the browser checks to make sure that the site that’s presenting the cert matches the site of the certificate and that the issuing authority is either a root authority or an authorized issuer through some levels of indirection (signing). This process ensures that you are in fact communicating with the “real” site and that communication to that site is “end-to-end” secure, where we define end-to-end as browser process to web server process.

When your site presents a self-signed certificate, most browsers will alert you that the certificate is fishy because it was not issued by a recognized authority. This is because anyone can set up a site and issue a self-signed certificate with that site name. This is why I said that such certificates are really only useful in “personal” situations where you’re not really worried about the authenticity of the server but just concerned about data encryption.

Short of someone stealing a commercial certificate or otherwise compromising the chain of trust, or by compromising your browser in some dastardly way, I’ll go ahead and assert that you can, in fact, be assured of end-to-end security through the use of commercial certificates.

Actually, rereading your post I find it confusing that on the one hand you say: “Assurances that you’re talking to your server? No different client behavior between a personal/private cert and a commercial cert here.” and on the other hand you say: “It[commercial] does not increase line/IP security per se but serves to vouch that you are who you say you are.” I meant to convey that a properly installed commercial certificate assures users of your site that they are in fact connecting with the actual site and not some imposter site.



#11

Yep, I understood what you were saying. It seems I was less than clear in my reply. I’m saying that your personally signed cert will work much the same way for line security. Those man-in-the-middle attacks? I will still get a browser warning if say, someone tries to impersonate my domain. Does not matter that I didn’t use a third party certificate.

Is that any clearer?

To oversimplify, I’ll go out on a limb again and just repeat: Unless it’s for commercial purposes and the clients/browsers connecting don’t know/trust you personally, I don’t bother with a commercial cert though I might use HTTPS. All should keep that option in mind.


jt


#12

What I’m saying is that:

  1. When you use a commercial cert, your visitors will not get a browser warning about the cert.
  2. When you use a self-signed cert, your visitors will get a browser warning about the cert.
  3. Using a commercial cert, visitors are assured that they are connecting to the real site.
  4. Using a self-signed cert, you have to otherwise be able to securely transmit and install the presented certificate to browser clients in order to be assured that the site is what it says it is.

I’m pretty sure that we both understand exactly what is going on, I think we’re just disagreeing on exactly the words we use to describe that situation. About two posts back I said that self-signed certs were only really useful for personal use. You just said “Unless it’s for commercial purposes and the clients/browsers connecting don’t know/trust you personally, I don’t bother with a commercial cert though I might use HTTPS.”.

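An added example (not written by any poster in this thread) of the trust model argued over in posts #9 to #12: a self-signed certificate proves identity only once the client holds a fingerprint it got from a trusted source, after which a different certificate is flagged. The host name `intranet.example`, the `PinStore` class and the certificate byte strings are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as browsers display it."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's certificate without CA validation.

    Validation is off only because a self-signed cert has no chain to a
    root; the caller must compare the result against a pin.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


class PinStore:
    """Maps "host:port" to the fingerprint the user has chosen to trust."""

    def __init__(self):
        self.pins = {}

    def pin(self, host, port, fp_hex):
        """Record a fingerprint (out of band, or accepted on first use)."""
        self.pins[f"{host}:{port}"] = fp_hex.replace(":", "").lower()

    def check(self, host, port, der):
        """Return 'unknown', 'match' or 'changed' for a presented cert."""
        pinned = self.pins.get(f"{host}:{port}")
        if pinned is None:
            return "unknown"   # first contact: nothing vouches for this cert
        if hmac.compare_digest(pinned, fingerprint(der)):
            return "match"
        return "changed"       # different cert presented: warn, do not proceed


# Constructed stand-ins for DER certificates (not real certificates).
REAL_CERT = b"constructed-der-bytes:intranet.example:real-server"
OTHER_CERT = b"constructed-der-bytes:intranet.example:someone-else"
```

On first contact both certificates come back as `unknown`, which is the gap point 4 of post #12 describes; once the real fingerprint is pinned, the other certificate comes back as `changed`.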


#13

Yep! It’s all in “how you say it”. :wink:

There are “commercial purposes” for which I find a self-signed cert to be acceptable - for instance, data exchange with a known vendor who actually knows more about your company than the “certifying” authority is likely to know.

To me, the security provided by the TLS/SSL process is often at least as important as having a “certificate authority” vouch for the “identity” of the entity offering the cert, but that can vary greatly depending upon the use - and I think that is at least part of what seniorjt is trying to say.

–rlparker


#14

I agree completely that self-signed certs have their purposes and are very convenient and usually sufficient for most non-commercial purposes (and as you say, rlparker, some commercial purposes as well).

I think the whole thing went awry with the pedantic argument about the exact differences between the assurances that a commercial cert vs. a self-signed cert will be able to provide.

I do agree 100% that people should consider self-signed certs for non-commercial and many non-critical uses. The $50 annual charge for a unique IP address is a bit of a downer. Do we really have to pay that for every domain?



#15

DreamHost has repeatedly insisted that a unique IP address is required, and the question has been asked quite often (and a few “workarounds” attempted).

As for the charge, I suspect that it could, at some point, be subject to market forces and all but, being that “unique IP addresses” are a “limited resource”, I’d bet that prices for providing them are more likely to stay the same, or even escalate, than they are likely to go down. :wink:

Not to wander too far “off topic”, but to just share a thought: I’ve considered using a “single” Unique IP address for a “third party” type site (another domain I own that could be used for this purpose) to share TLS/SSL processing for multiple sites … but then the whole issue of the users’ “same site” perception of who they are dealing with comes into play. I’m concerned it will “worry” consumers, so I have not actually implemented such a plan.

I guess, at the end of the day, for anyone doing e-commerce who needs TLS/SSL, $50.00 a year for the IP address shouldn’t really be a “deal breaker” (any more than the cost of a certificate should be). The cost of the cert and the unique IP address might be “irritating”, but the economics of the scenario should cover the expense of using them.

–rlparker


#16

I think the things we’ve seen as far as third-party payment mechanisms and third-party authentication mechanisms do point to something of an alternative.

And what about IPv6? Maybe unique IP prices will start going down 10 or 20 years from now. :slight_smile:



#17

Well that’s certainly possible … “10 or 20 years from” now who knows what the “Internet” will even look like? :wink:

–rlparker


#18

All it takes are another period and a few more digits, and the supply is virtually unlimited. They should be cheaper than domain names.

Somebody around here does that already…

Oh yeah webmail…

Could not verify this certificate because the issuer is not trusted.

Issued To
Common Name: webmail.dreamhost.com
Organization: New Dream Network, LLC
Organizational Unit: Webmail.DreamHost.com
Serial Number: 00

Issued By
Common Name: webmail.dreamhost.com
Organization: New Dream Network, LLC
Organizational Unit: Webmail.DreamHost.com

Validity
Issued On: 3/7/2002
Expires On: 3/2/2022

Fingerprints


#19

True enough.

You’d think so, wouldn’t you? I think it’s more the allocation system that is the limiting factor now… and I don’t know how easily that is likely to be changed. :wink:

Of course they do! :wink:

–rlparker


#20

Wow, that thread took off.

Wholly - Use promo code WhollyMindless for discount.