[ale] https
Geoffrey
esoteric at 3times25.net
Fri Feb 15 09:11:21 EST 2002
I believe your assessment is accurate, but when you are presented with
the dialog regarding the unrecognized cert., you have three options,
accept this once, accept forever, don't accept.
Now, I might be wrong, but I believe the original poster of this thread
indicated that this would be accessed by a small subset of
clients/employees. In such a situation, I think you're okay to take
this approach. They get the dialog and they accept it, based on the
fact they've been told that this is going to happen.
Now, if I was going to www.buystuff.com and was presented such a dialog
prior to entering my purchasing data, you can bet I'd pop that cancel
button in a second, and never return...
Dow Hurst wrote:
> An important issue with ecommerce and public sites is that a customer or
> person who doesn't know you is accessing your site. Their browser, IE
> or Netscape, will have the public keys builtin for Versign or Thawte
> certificates. If you have a self signed certificate presented to the
> browser, it will not have the public key available to verify it
> internally. This makes the browser warn the user with a dialog stating
> the certificate is possibly bogus but definitely signed by a unknown
> authority. This is a dialog most companies selling products cannot
> tolerate. I need to look at OpenCA but I still would think that IE and
> Netscape would need to have your public key available in their files
> before the certificate is presented for the type of user experience that
> most companies want their customers to have.
> Am I all wet here? I think this is the bottom line for paying the bucks
> for the Versign CA. Thanks,
> Dow
>
> "D. Alan Stewart" wrote:
>
>>I need to get a handle on https. I've already secured the private portion of my
>>club's web site with the htaccess method. As I understand https will encrypt
>>data being transferred between client and server, making it difficult to
>>intercept passwords. However, I guess if the rest of the private pages are not
>>https, someome could still intercept private information, so maybe all the
>>private content should be accessed through https.
>>
>>How do you enable https? I understand that you need a 'certificate', and I've
>>heard free ones can be had. How do you get one and how do you use it to
>>enable https? Does it require the cooperation of my ISP? He is running
>>apache.
>>
>>Any help is greatly appreciated.
>>
>>D. Alan Stewart
>>Layton Graphics, Inc.
>>155 Woolco Dr.
>>Marietta, GA 30062
>>Voice: 770/973-4312
>>Fax: 800/367-8192
>>FTP: ftp.layton-graphics.com
>>WWW: www.layton-graphics.com
>>
>>"As far as the laws of mathematics refer to reality, they
>>are not certain; and as far as they are certain, they do
>>not refer to reality." - Albert Einstein
>>
>>---
>>This message has been sent through the ALE general discussion list.
>>See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
>>sent to listmaster at ale dot org.
>>
>
--
Until later: Geoffrey esoteric at 3times25.net
"...the system (Microsoft passport) carries significant risks to users that
are not made adequately clear in the technical documentation available."
- David P. Kormann and Aviel D. Rubin, AT&T Labs - Research
- http://www.avirubin.com/passport.html
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
More information about the Ale
mailing list