[PHP] Re: [Off] Cheap SSL certificates?

2006-02-03 Thread Kevin McBride

Brian Dunning wrote:
I'm moving all my hosting to Rackspace, which means I'll need to buy 
all my own SSL certs. Does anyone have a favorite (cheap) source? 
I've found LiteSSL at $14.95/per. Thanks...


I wouldn't consider cost of certificates, but rather, the reputation of
the certification authority (CA).  Some CAs don't even verify
information at all.  I will never trust CAs that do not verify the
identity of their applicants, regardless of the cost.

I trust GlobalSign because they will never issue any certificate without
verifying the identity of the applicant.  This procedure applies to
their PersonalSign certificates as well.  http://www.globalsign.net/

In any case, check the certification authority for their verification
procedure.  If they do verify the identity, ask them what they would
accept as verification.  Make sure the procedure used is one that would
be least likely to produce a fraudulent certificate.  Also ask about how
long it takes for them to revoke a certificate, and the procedure(s)
used to do so.  This is very important to know in case your private key
gets compromised.

All in all, be cautious in selecting a certification authority to issue
you a certificate.  Remember that it's sometimes better paying more for
a certificate from a truly trustworthy CA.

- KJM

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: [Off] Cheap SSL certificates?

2006-02-03 Thread Kevin McBride

Jim Moseby wrote:

Well said.  If you're going to buy a $15 Cert from billy-joe-bob's CA and
carwash, you might as well sign your own cert.  That's free...



That might work in an intranet setting, but in an internet setting, you 
will get the security warnings.  :)





Re: [PHP] Re: [Off] Cheap SSL certificates?

2006-02-03 Thread Kevin McBride

Richard Lynch wrote:

And in the real world, where browsers just blindly chase down CAs and
the basic Security Model is you pay us $200, and we make sure you
are who you say you are, and then we trust you what real difference
does it make?


Users can remove untrustworthy CA certs from their browsers.

There are certainly a zillion sites *I* do not trust that have 
high-priced CA-certified SSL certs...


And Joe Sixpack and Betty Buick just look for the little lock symbol
to be closed, and gauge trustworthiness only on there being no popups
warning them it's not secure, and that the site looks professional,
and a brand-name on the logo/domain.


That's why there are organizations like WebTrust - to perform audits as
to how personal data is used.

So, why exactly would I pay for a $200 background check on myself,
when I already trust myself?  Why not pay $70 for an SSL with no
background check on myself, so long as it makes Joe Sixpack and Betty
Buick happy, if it's got 99% ubiquity?


As I said above, users may delete the CA cert from their browser.  This
means that the CA you pay $70 to would not be trusted - period.  One
day, many users will know the fact that the certificate should be
checked before sensitive information is sent through the SSL connection.

I'm often curious why exactly people think the SSL / CA system is so
great, when it seems a whole lot like the Emperor's Clothes to me, or
some kind of weird Ponzi scheme to line the pockets of a handful of
companies, with very very very little added-value to the end user.


It appears that you never applied for a certificate before, or applied
for certs from CAs that don't verify information.  Identification is
extremely important when it comes to knowing whether or not to trust
the given public key.

I am not trying to humiliate you, but you may want to study about
cryptography and its use for the internet.  I operate my own
web/e-mail server (and have been doing so for some time), and so, I know
how important it is to make sure a trustworthy CA signs a public key.

Cheers,

- KJM




Re: [PHP] Re: [Off] Cheap SSL certificates?

2006-02-03 Thread Kevin McBride

Rory Browne wrote:
 I operate my own web/e-mail server


No offense, but so what? Do you think that makes you different from
most people here, many of whom administrate web, email, database,
dns, etc? You're on a technical list, and people who admin servers
are the norm rather than the exception. I'm sorry if that seems a
bit blunt, but I thought the last reply was a bit arrogant.


My last response was an attempt to be informative on the basis of my
experience with digital certificates.  I do understand that discrediting
comments will be posted against me, and that I have a privilege to reply
back to the comments.  So, I replied back on Richard's message to say
why I thought he was wrong, itemizing points just like you did.

Regarding this SSL thread, my main point was: have your public key
signed by the right CA.  Doing so prepares the web server for the
possible day when users finally decide to trust only certificates issued
by a CA that does go through verification procedures.

If one wants to believe my comments, that's fine.  If one does not want
to believe my comments, that's fine too.  I learn from all comments just
like everyone else does, and I understand that sometimes, I am wrong. :)

- KJM




[PHP] Re: secure logon php page

2006-01-30 Thread Kevin McBride

Barry wrote:

Alain Roger wrote:


Hi,

I would like to write a secured logon page but I do not have any
idea where to start... I've already set up my Apache server for using
SSL, but what about the PHP code? With or without cookie?
Encrypted or not?


You could also use digital certificates for authentication.  I tried
this with a shared host, but the host didn't have GlobalSign's CA certs
installed, nor would they install the CA's certs.  Yet, GlobalSign won't
issue any certificate (except for demo certs) without identification
from the applicants.

If you were to authenticate with a GlobalSign Class 2 certificate,
you'll need to install GlobalSign's Class 2 CA cert
( http://www.globalsign.net/ ).  They should have instructions on their
web site on how to get GlobalSign Certs installed onto Apache.

This link may also help you, in case GlobalSign doesn't have instructions:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

Once you have installed a CA's certs into Apache, and you have a
certificate issued by the CA's certs, you'll need to have Apache ask
browsers to sign in with a certificate:

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient

Once that is set up, set up a phpinfo.php script containing:

<?php phpinfo(); ?>

and see if you find a client fingerprint in the phpinfo() output.  The
variable shown for the client fingerprint is perhaps the best way of
authenticating without having the server ask for a password, because the
public key fingerprint will always be unique. Even better, you will also
be ready to implement the use of smartcards, if you're developing
something for an enterprise.

- KJM
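The client-certificate logon sketched above, worked through as an added example (my code, not Kevin's or GlobalSign's). It assumes Apache mod_ssl with SSLVerifyClient, a CA bundle path that is a placeholder, and PHP 5.6 or later for openssl_x509_fingerprint(); the fingerprint allow-list values are constructed placeholders.

```php
<?php
// Added example. Assumes the Apache vhost carries (placeholder CA path):
//   SSLVerifyClient require
//   SSLVerifyDepth 2
//   SSLCACertificateFile /etc/ssl/placeholder-trusted-ca-bundle.pem
//   SSLOptions +StdEnvVars +ExportCertData
// With those options mod_ssl exports SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN,
// SSL_CLIENT_I_DN and the PEM certificate in SSL_CLIENT_CERT to $_SERVER.

// Constructed allow-list of enrolled client certificates:
// SHA-256 fingerprint (lowercase hex, no colons) => local account.
// The keys here are placeholders, not fingerprints of real certificates.
$allowed = [
    'placeholder-sha256-fingerprint-of-alices-cert' => 'alice',
];

function authenticateClient(array $server, array $allowed): ?string
{
    // 1. Only trust a cert whose chain mod_ssl validated against the
    //    configured CA bundle. A DN alone proves nothing.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    // 2. The certificate itself must have been exported.
    if (empty($server['SSL_CLIENT_CERT'])) {
        return null;
    }
    // 3. Key on the fingerprint, not on the subject DN: two CAs, or one
    //    CA over time, can issue different certs with the same DN.
    $fp = openssl_x509_fingerprint($server['SSL_CLIENT_CERT'], 'sha256');
    if ($fp === false) {
        return null;
    }
    // 4. A validly signed but un-enrolled certificate is still not a login.
    foreach ($allowed as $knownFp => $user) {
        if (hash_equals($knownFp, $fp)) {
            return $user;
        }
    }
    return null;
}

$user = authenticateClient($_SERVER, $allowed);
if ($user === null) {
    header('HTTP/1.1 403 Forbidden');
    exit('Client certificate not accepted');
}
session_start();
session_regenerate_id(true); // fresh session id once authenticated
$_SESSION['user'] = $user;
echo 'Logged in as ', htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Revocation is the other half of the thread's point: mod_ssl only honours it if SSLCARevocationFile (or OCSP checking in newer releases) is configured, so a compromised client key stays accepted until that is in place.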




[PHP] Re: PHP and Apache 2.2.0

2005-12-18 Thread Kevin McBride

Manuel Lemos wrote:

I built PHP 5.1 with Apache 2.2 following these instructions and it
works:

http://ww.php.net/manual/en/install.unix.apache2.php



Seems to work now... maybe Apache meant that the 2.0 vs. 2.2 module info
was valid only for precompiled binaries...




[PHP] Re: PHP and Apache 2.2.0

2005-12-17 Thread Kevin McBride

Manuel Lemos wrote:


Use the same as for Apache 2.0 .



I get garbled code errors; tried it before I even posted to the list.

Here's an excerpt from the Apache download page:

Apache 2.2 add-in modules are not compatible with Apache 2.0 or 1.3 
modules. If you are running third party add-in modules, you will need
to obtain new modules written for Apache 2.2 from that third party 
before you attempt to upgrade from Apache 2.0.





[PHP] PHP and Apache 2.2.0

2005-12-16 Thread Kevin McBride

Hello,

I hope I am not repeating something that was discussed on this list before.

I am curious to know if there are plans to make a module for Apache
2.2.0.  I couldn't find it in the anonymous CVS, but if it's already
there, can someone point to me where it is?

- KJM




[PHP] Re: PHP and Apache 2.2.0

2005-12-16 Thread Kevin McBride

belia wrote:

Hi,

You can download at http://www.apachelounge.com/download/


I am using Linux, not Windows, so the content there will not work.
