- 03-20-2004 #1 Linux User
- Join Date
- Jan 2003
- Location
- Cardiff, Wales
- Posts
- 478
ssl and self certs
I have set up SSL and just want to check something. I have generated my own certificate. Does this make my SSL less secure than someone who bought a cert?
It's only for my use really - I'm just curious.
No trees were harmed during the creation of this message. It's made from a blend of elephant tusk and dolphin meat.
- 03-20-2004 #2 Linux Guru
- Join Date
- Apr 2003
- Location
- London, UK
- Posts
- 3,284
No, it doesn't make it any less or more secure.
All it means is that when a client browser uses SSL on your site, they will be informed that the certificate is not valid, but the communications will still be encrypted.
- 03-20-2004 #3 Linux User
- Join Date
- Jan 2003
- Location
- Cardiff, Wales
- Posts
- 478
thanx
Thanks for that. So could someone pretend to be me? Why should I buy a cert? What is the benefit?
- 04-01-2004 #4 Just Joined!
- Join Date
- Mar 2004
- Posts
- 30
You are paying for the trusted root CA signature... no warnings pop up when somebody enters your site. Since you have signed your own cert I would get a warning of this when I enter your site.
Richard
- 04-02-2004 #5 Linux User
- Join Date
- Jan 2003
- Location
- Cardiff, Wales
- Posts
- 478
monopoly?
So what is the purpose of the trusted root Certificate Authority? Are they simply a group of companies who have negotiated with someone (?) to have their certificate automatically installed into various software apps?
While I understand the principles behind certificates and can see the benefits of their use in an enterprise setup, I can't quite get my head around this pay for a certificate bit.
- 04-02-2004 #6 Just Joined!
- Join Date
- Mar 2004
- Posts
- 30
When I use online banking.. the certificate returned from my bank's webserver validates the site for me. This way I know I'm at the real bank and not visiting a hacked site. Just an example of why....
Your browser contains a list of trusted CAs and if you wish you can add yours to it.
I think most companies use self-signed certs for internal traffic... and zone to zone traffic. But for internet facing traffic Root CA signed certificates are a must.... at least I think so.
Richard
- 04-02-2004 #7
Not really. If it's just a secure channel for you and your friends, then no, don't pay the cash. But if the site takes credit details, then yes, it's a good idea.
Originally Posted by rzilavec
- 04-02-2004 #8 Just Joined!
- Join Date
- Mar 2004
- Posts
- 30
You cropped out the important part...
Originally Posted by Giro
'most companies use self-signed certs for internal traffic... and zone to zone traffic. But for internet '
This comment was for ebusiness traffic....
I agree, for personal stuff .... self-signed all the way.
Richard
- 04-20-2004 #9 Linux User
- Join Date
- Jan 2003
- Location
- Cardiff, Wales
- Posts
- 478
clarify
Obviously this isn't very important but I'm just trying to get some stuff straight in my head.
So a root CA issues a cert to someone else. They have paid for this service and the browser manufacturer has included a list of all root CAs that it likes/knows/agrees with.
When I browse the site my browser looks at the cert and then verifies it with the issuer. Is this correct? So the only difference with this to any other setup is the fact that someone else has issued the cert and this company is listed in my browser's trusted CAs.
It just seems a little flawed. The SSL and cert part seems good but this trusted CA stuff seems to be the illusion of security - like 4 digit passwords or seatbelts on airplanes!
Anyway, cheers for all the info. Maybe I should go read some of those RFCs and the like and see what I can dig up.

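As an added example (not from any poster in this thread), the shell script below uses the openssl command line to show two points raised in the discussion: a self-signed certificate is rejected against the default CA list but verifies once it is added as a trust anchor, and a second self-signed certificate carrying the same name does not verify against that anchor. The host name `myhost.example`, the function names and the file layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: self-signed certificates and trust anchors with the openssl CLI.
# Host name, function names and paths are constructed for illustration.

# Create a throwaway self-signed certificate for CN=$1 under directory $2.
make_self_signed() {
    mkdir -p "$2" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}

# Verify certificate $1 against the system's default CA list only.
# This is the situation of a client that has never seen the certificate.
verify_default() {
    openssl verify "$1" >/dev/null 2>&1
}

# Verify certificate $2 with certificate $1 added as a trust anchor.
# This is the situation after you import your own certificate.
verify_with_anchor() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint, for comparing a certificate out of band
# before importing it as a trust anchor.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

demo() {
    work=$(mktemp -d) || return 1
    make_self_signed myhost.example "$work/mine" || return 1
    # A different key pair that claims the same host name.
    make_self_signed myhost.example "$work/other" || return 1

    verify_default "$work/mine/cert.pem" \
        && echo "default CA list: accepted" \
        || echo "default CA list: rejected (client shows a warning)"
    verify_with_anchor "$work/mine/cert.pem" "$work/mine/cert.pem" \
        && echo "own cert as anchor: accepted" \
        || echo "own cert as anchor: rejected"
    verify_with_anchor "$work/mine/cert.pem" "$work/other/cert.pem" \
        && echo "same-name cert, different key: accepted" \
        || echo "same-name cert, different key: rejected"
    echo "fingerprint to compare: $(fingerprint "$work/mine/cert.pem")"
    rm -rf "$work"
}

demo
```

The encryption is the same in all three cases; what changes is whether the client can tell which key it is talking to.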