
SSL certificate provider

  • Anders Molin

    SSL certificates are used for 2 things:
    1) Encryption of the traffic between the client and the server; even the headers are encrypted, which is why a webserver can only run a single SSL site (it cannot look at the header and see which domain name is requested).
    2) Proving that the website is the real one... You can always look at a certificate, when visiting a site, and see who it is issued to. The issuer does quite some work to confirm that they only issue a certificate to the "real company" and not to someone trying to pretend to be you and then cheating customers...
    The "identity trust" certificates are the expensive ones, and until lately the only ones you could get... Lately godaddy has started offering certificates for encryption only; they are way cheaper as they don't have to make sure that you really are you... Both types give the same encryption, but not the same trust ;)
    - Anders
    Bill's Bar
    My Photos

    WDevs - The worlds first DSP, free blog space, email and more. Now also with forums :)

    Jan R Hansen wrote (#6):

    Hi Anders, Thanks for the answer. Are you absolutely sure that a webserver can run only one SSL site? As far as I recall, the certificate is defined per website - but I might be wrong. Also, it appears to be a very "expensive" limitation of the setup, as you would need one physical server per certificate installed. Or am I missing something here... :)
    Do you know why it's important to make fast decisions? Because you give yourself more time to correct your mistakes, when you find out that you made the wrong one. Chris Meech on deciding whether to go to his daughter's graduation or a Neil Young concert

      Rocky Moore wrote (#7):

      Actually, you are limited to one SSL per IP. You can handle hundreds per server as long as they each have their own IP. Since the headers are encrypted, you cannot see the header to use a multi-homed server on a single IP. So, you only need to have your ISP give you a new IP address for each SSL site.
      Rocky <><
      Mozilla/Firefox Crushing IE's Lead!

      • Jan R Hansen

        Hi, We're developing a website for a customer that requires a https connection. I don't know much about the SSL-game at all, but have discovered that such a certificate can be issued by several different authorities. For instance, the main phone service provider in Denmark charges $800 for a certificate valid for two years, whereas e.g. ssl.com offers a three year certificate for $619. Quite a difference, half the price....

        What should we consider when choosing between these providers? Price is one issue here, but given that we can talk the customer into paying for the most expensive solution - then what matters? You get to use different "trusted by"-logos of which hardly anybody knows anything besides the one from Verisign, you'll get different levels of support if you can't get things working. Talking about Verisign - they offer a 40 bit certificate valid for two years for $598 and a 128 bit certificate (two years as well) for $1595....

        Please let me know what you think about this. Should we go for the cheapest solution? How many bits is considered a "minimum"? What does it take for a company to be able to issue such certificates? What is one really guaranteed when using a https connection? Any thoughts are most welcome. Thanks in advance guys 'n' gals. /Jan
        Do you know why it's important to make fast decisions? Because you give yourself more time to correct your mistakes, when you find out that you made the wrong one. Chris Meech on deciding whether to go to his daughter's graduation or a Neil Young concert

        Rocky Moore wrote (#8):

        Oh yeah, I forgot to mention in the other post: http://freessl.com/
        Rocky <><
        Mozilla/Firefox Crushing IE's Lead!

          Jan R Hansen wrote (#9):

          OK - so then it should be possible to run your IIS with two IPs. One for unsecure websites differentiated per host header - and install the certificate on the other IP and use that IP for all sites that need secure connections. After decryption of the headers, the IIS would then in turn be able to differentiate on the host header again?

          Websites
          |- site A (IP: 1.2.3.4, host header www.a.com, not secure)
          |- site B (IP: 1.2.3.4, host header www.b.com, not secure)
          |- site C (IP: 1.2.3.5, host header www.c.com, secure)
          |- site D (IP: 1.2.3.5, host header www.d.com, secure)

          Do you know why it's important to make fast decisions? Because you give yourself more time to correct your mistakes, when you find out that you made the wrong one. Chris Meech on deciding whether to go to his daughter's graduation or a Neil Young concert

            Anders Molin wrote (#10):

            No, only one website using SSL on each IP addr. The point is that IIS cannot decrypt the headers and see the hostname before it knows which certificate to use, that's why you can only have one site per IP when using SSL...
            - Anders
            Bill's Bar
            My Photos

            WDevs - The worlds first DSP, free blog space, email and more. Now also with forums :)


              Jan R Hansen wrote (#11):

              Alright, I'm obviously not at full speed today :zzz:. I'll try again - and see if I can explain why I can't understand it :-D

              Anders Molin wrote: IIS can not decrypt the headers and see the hostname before it knows which certificate to use
              - fine. But you can get certificates that are valid for both "a.domain.com" and "b.domain.com". If both point at IP 1.2.3.4 and the IIS has installed the certificate for that particular IP address, why can't it use that certificate to decode the header and afterwards branch on the host header? If the statement "One certificate, one IP address, one website" holds - then why can you get certificates for subdomains like "a.domain.com" / "b.domain.com"?

              Btw - my colleague somehow generated a certificate (an "untrusted" one) yesterday. What is a such worth? Is the problem that anybody could hack our DNS, redirect the site to another server, issue a certificate claiming to be from my company and thus let the users think that everything is OK? Or could one claim that now the customers have an encrypted connection to the server, and as long as the above doesn't happen, things are fine... hmmm... this is quite difficult to fully understand. :)
              Do you know why it's important to make fast decisions? Because you give yourself more time to correct your mistakes, when you find out that you made the wrong one. Chris Meech on deciding whether to go to his daughter's graduation or a Neil Young concert

                Anders Molin wrote (#12):

                Jan R Hansen wrote: If the statement "One certificate, one IP address, one website" holds - then why can you get certificates for subdomains like "a.domain.com" / "b.domain.com"?
                A certificate only works for a single domain, like a.domain.com; you need another certificate for b.domain.com, as it's another subdomain. In order to get this to run on the same webserver, you need different IP addresses for the a and b subdomains.

                Jan R Hansen wrote: Btw - my colleague somehow generated a certificate (an "untrusted" one) yesterday. What is a such worth?
                Yep, that's easy enough. Problem is that the browsers don't know the CA, so the first time people visit your website they are told that the certificate CA is unknown and they need to install the certificate in order to continue.

                Jan R Hansen wrote: Is the problem that anybody could hack our DNS, redirect the site to another server, issue a certificate claiming to be from my company and thus let the users think that everything is OK?
                Yeah, that's one of the reasons you pay the big $$ to companies like Verisign, to try to prevent this from happening (of course the user needs to actually check the certificate in order to see if it's issued to the right company, and how many do that?)

                Jan R Hansen wrote: Or could one claim that now the customers have an encrypted connection to the server, and as long as the above doesn't happen, things are fine
                Yep, the data is encrypted just fine no matter what type of certificate you have ;)

                BTW, where in Denmark are you from?
                - Anders
                Bill's Bar
                My Photos

                WDevs - The worlds first DSP, free blog space, email and more. Now also with forums :)


                  Jan R Hansen wrote (#13):

                  Thanks, thanks and thanks again. I must have misunderstood something regarding having one certificate that was valid for several subdomains. We'll look into that. But now I'm beginning to understand this just a little, at least. I'm from Bagsværd. It's around 15 km north-west of Copenhagen. Currently I'm working in Birkerød which is another 10 km to the north. Why? :-D
                  Do you know why it's important to make fast decisions? Because you give yourself more time to correct your mistakes, when you find out that you made the wrong one. Chris Meech on deciding whether to go to his daughter's graduation or a Neil Young concert


                    Anders Molin wrote (#14):

                    Jan R Hansen wrote: I'm from Bagsværd. It's around 15 km north-west of Copenhagen. Currently I'm working in Birkerød which is another 10 km to the north. Why?
                    Just curious, I'm from Slangerup myself. 20 kilometers from Birkerød ;)
                    - Anders
                    Bill's Bar
                    My Photos

                    WDevs - The worlds first DSP, free blog space, email and more. Now also with forums :)


                      Jan R Hansen wrote (#15):

                      Well, it's a small world after all. Somehow I've always had the impression that you were from Sweden (no offence ;)) ehh.. no offence to the Swedes either... ;P. Must be your last name.
                      Do you know why it's important to make fast decisions? Because you give yourself more time to correct your mistakes, when you find out that you made the wrong one. Chris Meech on deciding whether to go to his daughter's graduation or a Neil Young concert
