[ale] https

Geoffrey esoteric at 3times25.net
Fri Feb 15 09:11:21 EST 2002


I believe your assessment is accurate, but when you are presented with 
the dialog regarding the unrecognized cert., you have three options, 
accept this once, accept forever, don't accept.

Now, I might be wrong, but I believe the original poster of this thread 
indicated that this would be accessed by a small subset of 
clients/employees.  In such a situation, I think you're okay to take 
this approach.  They get the dialog and they accept it, based on the 
fact they've been told that this is going to happen.

Now, if I were going to www.buystuff.com and was presented such a dialog 
prior to entering my purchasing data, you can bet I'd pop that cancel 
button in a second, and never return...

Dow Hurst wrote:
> An important issue with ecommerce and public sites is that a customer or
> person who doesn't know you is accessing your site.  Their browser, IE
> or Netscape, will have the public keys built-in for VeriSign or Thawte
> certificates.  If you have a self signed certificate presented to the
> browser, it will not have the public key available to verify it
> internally.  This makes the browser warn the user with a dialog stating
> the certificate is possibly bogus but definitely signed by an unknown
> authority.  This is a dialog most companies selling products cannot
> tolerate.  I need to look at OpenCA but I still would think that IE and
> Netscape would need to have your public key available in their files
> before the certificate is presented for the type of user experience that
> most companies want their customers to have.
> Am I all wet here?  I think this is the bottom line for paying the bucks
> for the VeriSign CA.  Thanks,
> Dow
> 
> "D. Alan Stewart" wrote:
> 
>>I need to get a handle on https. I've already secured the private portion of my
>>club's web site with the htaccess method. As I understand it, https will encrypt
>>data being transferred between client and server, making it difficult to
>>intercept passwords. However, I guess if the rest of the private pages are not
>>https, someone could still intercept private information, so maybe all the
>>private content should be accessed through https.
>>
>>How do you enable https? I understand that you need a 'certificate', and I've
>>heard free ones can be had. How do you get one and how do you use it to
>>enable https? Does it require the cooperation of my ISP? He is running
>>apache.
>>
>>Any help is greatly appreciated.
>>
>>D. Alan Stewart
>>Layton Graphics, Inc.
>>155 Woolco Dr.
>>Marietta, GA 30062
>>Voice: 770/973-4312
>>Fax: 800/367-8192
>>FTP: ftp.layton-graphics.com
>>WWW: www.layton-graphics.com
>>
>>"As far as the laws of mathematics refer to reality, they
>>are not certain; and as far as they are certain, they do
>>not refer to reality." - Albert Einstein
>>


-- 
Until later: Geoffrey		esoteric at 3times25.net

"...the system (Microsoft passport) carries significant risks to users that
are not made adequately clear in the technical documentation available."
- David P. Kormann and Aviel D. Rubin, AT&T Labs - Research
- http://www.avirubin.com/passport.html


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
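As an added example (not written by anyone in this thread), the script below reproduces the two outcomes Dow describes, a self-signed certificate failing against the browser's built-in CA list and passing once the user has chosen "accept forever" and pinned it, and prints the Apache mod_ssl directives Alan's question is about. It assumes the openssl command-line tool is installed; the host name and file paths are made up.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is installed.
set -e

WORK=$(mktemp -d)
HOST="www.example-club.invalid"   # placeholder name, not from the thread

# 1. Self-signed certificate: the signer is the site itself, not a CA whose
#    public key ships with IE or Netscape.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$HOST" -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# 2. What the browser does: verify against the built-in CA bundle only.
#    A self-signed cert comes back "untrusted", which is the warning dialog.
verify_with_system_store() {
    if openssl verify "$WORK/cert.pem" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# 3. "Accept forever": the user adds the certificate itself as a trust anchor.
#    The very same cert now verifies, for that one client only.
verify_with_pinned_cert() {
    if openssl verify -CAfile "$WORK/cert.pem" "$WORK/cert.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# 4. The mod_ssl directives that turn https on for this cert (paths illustrative).
apache_ssl_snippet() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $HOST
    SSLEngine on
    SSLCertificateFile    $WORK/cert.pem
    SSLCertificateKeyFile $WORK/key.pem
</VirtualHost>
EOF
}

make_self_signed
echo "system CA store : $(verify_with_system_store)"
echo "pinned cert     : $(verify_with_pinned_cert)"
apache_ssl_snippet
```

Every client that should not see the dialog needs the pinned-cert step, which is why a CA-signed certificate is the only option for a public shop.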