On 11/25/2013 10:36 AM, Mark Holberg wrote:
> Gary,
> Do you recommend an SSL be purchased for every site? Or would
> self-signed certificates be acceptable?
I'm perfectly happy using self-signed certificates. Or more accurately,
I create a self-signed CA for my own usage and use it to sign all the
certificates I use on my sites.
It depends entirely on your use case. I use SSL to protect the admin
section of my Joomla sites and for any site management IDs I use a
simple system plugin so that all users in that group get redirected to
the SSL site.
My personal concern is that I use my laptop everywhere I go. I logon to
check my e-mail, make changes to website configurations, etc. Ever
since Firesheep was released back in 2010,
http://codebutler.com/firesheep/ it has gone from 'possible but requires
some work' for anyone else on the public wifi to 'steal' your logon
session to 'ridiculously easy'. Personally I found that a good thing -
it's not like Firesheep was some new hacking method, it was just a tool
that made it simple for anyone.
Since I'm using SSL solely to prevent theft of user credentials on wifi
networks - I am perfectly content to tell people "you have to add an
exception to use SSL, and all your admins need to do so".
If I was building an ecommerce site for someone else... well, I'd still
recommend self-signed certificates. I find the "protection" offered by
the various SSL authorities to be a complete joke [they don't seem to
really do anything to actually verify identity] - and most small
ecommerce sites end up having their certificate expire and not get
renewed anyway - without having an appreciable impact on their sales.
So why bother paying a lot of money for an SSL certificate?
But I would at least give the client a heads up that not using a
purchased certificate /might/ affect their conversion rates. They only
need to use the SSL cert for the checkout process, everywhere else they
can use straight http.
With SSL you're really at the mercy of the creator of your web browser
anyway. Google could, for example, provide a false SSL certificate for
/any/ website which would appear valid. The same can be said for
Microsoft, Opera, and Mozilla. [And case in point, Nokia actually DOES
do this. In order to allow them to cache and compress data from
websites being sent to their customers' browsers on their cell phones -
Nokia used their root CA to create fake SSL certificates for https
sites. See https://www.grc.com/fingerprints.htm for fun details]
_______________________________________________
New York PHP SIG: Joomla! Mailing List
http://lists.nyphp.org/mailman/listinfo/joomla
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
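The private-CA setup Gary describes (one self-signed CA that signs every site certificate, with admins adding that single CA as a trusted exception), as an added example that is not part of the thread. It assumes the openssl command-line tool is available; the CA name, host name and working directory are constructed for the example.

```shell
#!/bin/sh
# Added example: build a private CA, sign a per-site server cert with it,
# and check that only certs chaining to that CA verify. Not from the thread.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # constructed scratch directory

# Create the self-signed CA (key + cert). Distribute only ca.crt to admins;
# ca.key stays offline. "Example Private CA" is a constructed name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a server certificate for host $1, signed by the CA. The SAN
# extension is what modern browsers match the host name against.
issue_cert() {
  host="$1"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$host" > "$WORK/$host.ext"
  openssl x509 -req -days 825 -in "$WORK/$host.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# Make a stand-alone self-signed cert for host $1 that does NOT chain to
# the CA; this is what "add an exception" per site would look like.
make_orphan_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.orphan.key" -out "$WORK/$1.orphan.crt" 2>/dev/null
}

# Print "ok" if $1 (a cert file) chains to our CA, "fail" otherwise.
verify_against_ca() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}
```

Trusting ca.crt once (in each admin's browser or OS store) makes every certificate issued by issue_cert validate, while an unrelated self-signed cert still fails.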