Colin Guthrie wrote:
'Twas brillig, and German Geek at 15/02/09 22:32 did gyre and gimble:
Please enlighten me why it is so expensive? Is it maybe just the
setting it up?
The whole thing is about trust. Getting a certificate is nothing if the
system is not backed up by a trust system. If a CA was setup that gave
out certificates willy nilly to all and sundry, then this element of
trust is lost.
Cheap CA's do exist. They have crappy web sites and send you all kinds
of junk mail etc. if you use them - but they do exist.
I might end up just paying godaddy - I think they charge $12.00 / year,
but since I already register through them, they already have my address etc.
But the problem I have with FF3 is that I shouldn't have to.
I don't need to prove to the user that I am really me, and I don't want
to use a cert that some other organization has control over and can
choose to revoke at any time. I just the flipping password encrypted by
SSL so that when Betty who uses the same password for everything (it's
amazing how many people do) logs onto my server while she has coffee at
Starbucks, her uname/password isn't sniffed giving Cracker Jack access
to Betty's PayPal account.
If Cracker Jack wants to do a man in the middle attack - as long as
Betty has already connected to me before, her browser will still inform
her that the certificate doesn't match - whether or not I am self
signed, so the man in the middle attack is really not the big deal
FireFox makes it out to be.
What they should do is a simple notification telling the user they can't
verify the website is who it claims to be, and a link for more info if
the user wants more info.
But alas, that has nothing to do with php, so I apologize to the list.
Anyway, back on topic - if you want to encrypt login, use SSL.
You can self sign for free.
If you don't want the FireFox 3 issue, there are a few free and plenty
of cheap certificate authorties that FireFox recognizes.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php