Re: [PHP] for the security minded web developer - secure way to login?
Hi All again,

What makes it so expensive to have a certificate? I mean, wouldn't it be possible to set up a new authority that doesn't charge as much or nothing at all? Wouldn't the major browsers be willing to support an authority that is free or costs next to nothing? I pay about $200 a year for my virtual server, so if I only issue 200 certificates and charge a dollar each I wouldn't lose money. I have a v-server on the Internet and wouldn't mind setting it up as a free authority or even one based on donations. Or is there going to be so much traffic and processing that it wouldn't be able to handle it? Cannot be that bad, because it needs to compute the authentication only periodically (once a year or so for each) and each time a user hits a page it is only checked, which would only be a couple of bytes of traffic (per domain?).

Please enlighten me: why is it so expensive? Is it maybe just the hassle of setting it up?

Regards,
Tim

Tim-Hinnerk Heuer
http://www.ihostnz.com

Fred Allen - "California is a fine place to live - if you happen to be an orange."

2009/2/16 Michael A. Peters
> German Geek wrote:
>> OK, I hear about this self signed certificate. Whenever I signed anything it
>> just came up with all these warnings in FF which confuses users and I think
>> is not good at all. Can someone paste a link in here to a website with a
>> self signed cert please? Would like to see if there are any warnings etc.
>> Thanks.
>
> There still are all the warnings.
>
> There are some cheap (and free) CAs that Firefox recognizes, so it still is
> possible to use SSL and not have the Firefox 3 warning hell, but things like
> Linksys routers are still problematic.
>
> https://www.scientificlinux.org/
>
> Demonstrates the problem in Firefox 3.
> They use a self-signed cert.
Re: [PHP] for the security minded web developer - secure way to login?
German Geek wrote:
> OK, I hear about this self signed certificate. Whenever I signed anything it
> just came up with all these warnings in FF which confuses users and I think
> is not good at all. Can someone paste a link in here to a website with a
> self signed cert please? Would like to see if there are any warnings etc.
> Thanks.

There still are all the warnings.

There are some cheap (and free) CAs that Firefox recognizes, so it still is possible to use SSL and not have the Firefox 3 warning hell, but things like Linksys routers are still problematic.

https://www.scientificlinux.org/

Demonstrates the problem in Firefox 3.
They use a self-signed cert.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] for the security minded web developer - secure way to login?
OK, I hear about this self signed certificate. Whenever I signed anything it just came up with all these warnings in FF which confuses users and I think is not good at all. Can someone paste a link in here to a website with a self signed cert please? Would like to see if there are any warnings etc.

Thanks.

Tim

Tim-Hinnerk Heuer
http://www.ihostnz.com

Jay London - "My father would take me to the playground, and put me on mood swings."

2009/2/15 Michael A. Peters
> Sudheer wrote:
>> Michael A. Peters wrote:
>>> Sites (like mine) that don't want to pay a certificate authority can use
>>> a self-signed cert. Even Red Hat does for some of their stuff (i.e. I believe
>>> their bugzilla server)
>>
>> Firefox scares its users when they encounter a website with a self signed
>> certificate. If your website users aren't worried about the warning Firefox
>> throws at them, a self signed cert works well.
>
> Yeah it does, hopefully they fix it.
> What scares me is allowing sites I have no reason to trust as non malicious
> and have no reason to trust as properly secured against XSS injection to
> load scripts that execute on my machine.
>
> People who use Firefox may be scared by the absurd warning Firefox 3 uses
> (something I've complained about to them) - other than informing users of
> the issue and hoping some read it, not much I can do about that. Hopefully
> Firefox will fix the issue and do something like what Opera does (accept the
> cert for the session if you just click OK, accept it permanently if you click
> the security tab and check a box first).
Re: [PHP] for the security minded web developer - secure way to login?
Sudheer wrote:
> Michael A. Peters wrote:
>> Sites (like mine) that don't want to pay a certificate authority can use
>> a self-signed cert. Even Red Hat does for some of their stuff (i.e. I believe
>> their bugzilla server)
>
> Firefox scares its users when they encounter a website with a self signed
> certificate. If your website users aren't worried about the warning Firefox
> throws at them, a self signed cert works well.

Yeah it does, hopefully they fix it.

What scares me is allowing sites I have no reason to trust as non malicious and have no reason to trust as properly secured against XSS injection to load scripts that execute on my machine.

People who use Firefox may be scared by the absurd warning Firefox 3 uses (something I've complained about to them) - other than informing users of the issue and hoping some read it, not much I can do about that. Hopefully Firefox will fix the issue and do something like what Opera does (accept the cert for the session if you just click OK, accept it permanently if you click the security tab and check a box first).
Re: [PHP] for the security minded web developer - secure way to login?
> Firefox scares its users when they encounter a website with a self signed
> certificate. If your website users aren't worried about the warning Firefox
> throws at them, a self signed cert works well.

I just realized Dotan Cohen already mentioned this.

-- 
With warm regards,
Sudheer. S

Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, Personal: http://sudheer.net
Re: [PHP] for the security minded web developer - secure way to login?
Michael A. Peters wrote:
> German Geek wrote:
>> Hi gang,
>> Was just thinking of a cheap solution for sites that don't require absolute
>> security. An SSL cert costs about $150 a year. Sites like Facebook could use
>> this...
>
> Sites (like mine) that don't want to pay a certificate authority can use a
> self-signed cert. Even Red Hat does for some of their stuff (i.e. I believe
> their bugzilla server)

Firefox scares its users when they encounter a website with a self signed certificate. If your website users aren't worried about the warning Firefox throws at them, a self signed cert works well.

-- 
With warm regards,
Sudheer. S

Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, Personal: http://sudheer.net
Re: [PHP] for the security minded web developer - secure way to login?
German Geek wrote:
> Hi gang,
> Was just thinking of a cheap solution for sites that don't require absolute
> security. An SSL cert costs about $150 a year. Sites like Facebook could use
> this...

Sites (like mine) that don't want to pay a certificate authority can use a self-signed cert. Even Red Hat does for some of their stuff (i.e. I believe their bugzilla server)
Re: [PHP] for the security minded web developer - secure way to login?
Hi gang,

Was just thinking of a cheap solution for sites that don't require absolute security. An SSL cert costs about $150 a year. Sites like Facebook could use this... Of course it's not for banks etc.

You could degrade gracefully when JavaScript is turned off to just sending the form and checking the password normally if the first test fails, which would happen anyway, wouldn't it? ... Mainly this was just meant to be a proof of concept. An alternative to SSL for those who have more time than $$ and not quite so high a security requirement. Of course SSL is better! Duh! Just wanted to give you guys something to think about. The password would not be given away like this, would it? It just makes it a little more difficult for script kiddies. They would have to have a keylogger running or steal the session. :P

Regards,
Tim

Tim-Hinnerk Heuer
http://www.ihostnz.com

Mike Ditka - "If God had wanted man to play soccer, he wouldn't have given us arms."

2009/2/15 Michael A. Peters
> Dotan Cohen wrote:
>> Have you seen the fit Firefox 3 makes for self-signed certs? So far as
>> the end user is concerned, the site is inaccessible.
>
> Yes I have.
> That's why on my site I have an instruction page - and a demonstration of
> how Opera does it, which is just as secure and less of a PITA, and a
> suggestion that users go ahead and try Opera - something I never did before
> FF messed up the self signed SSL process.
>
> The FF3 really bugged me -
>
> 1) The purpose of SSL is to provide public/private key encryption.
> 2) The purpose of signing is so that they know you are really you on future
> visits.
> 3) The purpose of certificate authorities is so that they know you are you
> on the first visit.
>
> Many web sites benefit from the first two without needing the complexity of
> the third, a concept Firefox seems to have lost.
>
> I don't need the paperwork hassle etc. for the few sites I run - I just
> need a way for a user to authenticate so I can give 'em a session cookie, no
> sensitive data is ever collected. Ah well.
Re: [PHP] for the security minded web developer - secure way to login?
Dotan Cohen wrote:
> Have you seen the fit Firefox 3 makes for self-signed certs? So far as the
> end user is concerned, the site is inaccessible.

Yes I have.

That's why on my site I have an instruction page - and a demonstration of how Opera does it, which is just as secure and less of a PITA, and a suggestion that users go ahead and try Opera - something I never did before FF messed up the self signed SSL process.

The FF3 really bugged me -

1) The purpose of SSL is to provide public/private key encryption.
2) The purpose of signing is so that they know you are really you on future visits.
3) The purpose of certificate authorities is so that they know you are you on the first visit.

Many web sites benefit from the first two without needing the complexity of the third, a concept Firefox seems to have lost.

I don't need the paperwork hassle etc. for the few sites I run - I just need a way for a user to authenticate so I can give 'em a session cookie, no sensitive data is ever collected. Ah well.
Re: [PHP] for the security minded web developer - secure way to login?
> I think just use a flippin' ssl server and be done with it.

++$i

> When I go to a website that requires me to let them execute JavaScript I
> rarely go back.

Many people do this, I hope that the OP realizes this.

> You can use SSL for the login and only the login - I know that it means
> either using a self signed cert or paying big bucks, for anything with
> e-commerce you want to pay big bucks for a cert, there is no other option.
> For anything not e-commerce, using a self signed cert seems a lot more
> secure to me than having the browser grab some salt off your server, use
> javascript to encrypt the pass, and then sending it back.

Have you seen the fit Firefox 3 makes for self-signed certs? So far as the end user is concerned, the site is inaccessible.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه-و-ي
А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-Р-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-Э-Ю-Я
а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
ä-ö-ü-ß-Ä-Ö-Ü
Re: [PHP] for the security minded web developer - secure way to login?
Michael A. Peters wrote:

> German Geek wrote:
>> What do you think?
>
> I think just use a flippin' ssl server and be done with it.

That was my thought too.

> You can use SSL for the login and only the login - I know that it
> means either using a self signed cert or paying big bucks, for
> anything with e-commerce you want to pay big bucks for a cert, there
> is no other option.

http://www.cacert.org/

/Per

-- 
Per Jessen, Zürich (0.2°C)
Re: [PHP] for the security minded web developer - secure way to login?
German Geek wrote:
> What do you think?

I think just use a flippin' ssl server and be done with it.

When I go to a website that requires me to let them execute JavaScript I rarely go back.

You can use SSL for the login and only the login - I know that it means either using a self signed cert or paying big bucks, for anything with e-commerce you want to pay big bucks for a cert, there is no other option. For anything not e-commerce, using a self signed cert seems a lot more secure to me than having the browser grab some salt off your server, use JavaScript to encrypt the pass, and then sending it back.

Public / private key is the way to go, and a self signed cert still gives you that, the only issue is the user gets a warning the first time they connect to the server - and has to manually accept your cert.

You may make the password a little more difficult to sniff by sending some salt to the client and using JS to make a password hash, but the bottom line is a user has no reason to trust a login is secure if you don't use SSL and every reason not to trust that it is secure, so use SSL if you want to provide secure login and don't cripple your site by having the audacity to require users to allow you to execute code on their machine in order to use your website. It will drive some users away.

Not exactly what you asked, but it is my opinion.
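The advice above (put the login form behind SSL, then hand out a session cookie) written out as a small PHP login handler; this is an added example, not code posted by anyone in this thread, and `verify_password()` is an assumed application function that checks the submitted password against a stored `password_hash()` value.

```php
<?php
// Added example, not from the thread. Force the login page onto HTTPS so the
// password is only ever submitted over an encrypted connection.
function require_https(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
        header('Location: ' . $target, true, 301);
        exit;
    }
}

// Start the session with cookie flags that keep the id off plain HTTP
// ('secure') and out of reach of page scripts ('httponly').
// The array form of session_set_cookie_params() needs PHP 7.3 or later.
function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// After a successful password check, issue a fresh session id so the
// pre-login cookie value cannot be reused to ride the authenticated session.
function login_user(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
}

require_https();
start_secure_session();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    // verify_password() is assumed: it looks up the stored password_hash()
    // value for $user and returns password_verify($pass, $hash).
    if (verify_password($user, $pass)) {
        login_user($user);
        header('Location: /account');
        exit;
    }
}
```

With the `secure` flag set, the browser never sends the session cookie over plain HTTP, so the pages that rely on the session must be served over HTTPS as well; dropping the flag to keep the rest of the site on HTTP leaves the cookie as exposed on the wire as the password would have been, which is the "steal the session" case raised earlier in the thread.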