
Re: [Lynx-dev] openSSL

From: David Woolley
Subject: Re: [Lynx-dev] openSSL
Date: Fri, 22 Sep 2006 21:18:57 +0100 (BST)

> is there anyone who can explain to me how I can use the openSSL in my e-commerce

This is off topic.

> store. I do not have any linux background. that's why I'm not really able to
> fully understand the installation document.

A good explanation would require knowledge of what server software 
you are using, and I think would be too long to be reasonable to
give as free consultancy.

> secondly, so i need to pay for a certificate?

You don't need to pay for a certificate, and many people will still
use your site, as the average punter doesn't understand how SSL provides

However, if you create your own certificate, someone who has broken
into your internet connection, or that of the customer, could create
their own free certificate, decrypt the credit card details and save
them, then re-encrypt with your certificate before forwarding to you.
This is known as a man in the middle attack.

What a certificate does is give a reasonable level of confidence that 
someone reasonably trustworthy has checked that the certificate really
has been supplied to the web site (and the company identified in the
certificate subject) that it purports to be used for.

If you create your own, good browsers will issue a warning, because the
person verifying your identity is you yourself.  Many users will ignore
this, but they could really be talking to anyone.

Incidentally, this also applies to using your ISP's credit card
processing service.  If I haven't heard of that ISP or don't have
sufficient confidence in them, I would have to assume that a customer
of that ISP may be faking your secure site and you might not even be
a customer of that ISP.

It is best to have a certificate that matches your web site, but failing
that, you need to use someone like Worldpay or at least an internationally
known, and trusted, bank to provide the SSL service.

Note there is an organisation that uses a grass roots authentication
approach, somewhat like that for PGP, to issue free certificates, but
their root certificate isn't installed in the commercial browsers.

(As an aside, IE trusts certificates with a wide range of authentication
requirements, so if a user doesn't disable any of these, they are only
really protected to the weakest level.)

> Content-Type: text/html; charset=ISO-8859-1

Please try not to send HTML to public lists.

> hello,<br><br>is there anyone can explain to me how can i use the

Missing DOCTYPE and title and abuse of br.
