Configuring SSL

These are old archives. They are kept for historic purposes only.
Darvocet
Posts: 105
Joined: Sun Jun 27, 2004 6:40 am
Location: Houston, TX

Post by Darvocet »

thekey wrote:Ok, I understand the point of this, but still don't know why do I need some certificate (for example from CACert.org) for my IRCd. Is there any difference between connecting without some certificate and connecting with it? Is the encryption then different?
From my understanding regarding CACert is that it is not a REAL SSL certificate. It is an issued certificate from CACert, but CACert certificates are not accepted as guaranteed authentic by 99.9% like for example Verisign. From what I've been told (and feel free to correct me) is that a self-signed certificate offers the same security. If you have the money for a 'real' certificate from an accepted issuer then it is suggested that you purchase one, but I registered with CACert, and got the certificates working, however there was 'NO' difference in the certificate except who signed it. And in fact, the self-signed certificate retained information about my server's location, etc. that the CACert did not keep. I have e-mail certs from them and another more reputable issuer, and Windows automatically accepts the latter, but on the CACert one still asks for approval to accept.

Anyone else agree-disagree? I am just curious what is REALLY the best thing as a network to do, without shelling out cash for a 'REAL' certificate.

Darv.................... (secure stock layer) :D
- Darvocet
Sr. Network Admin: EpicIRC.Net
codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States

Post by codemastr »

Darvocet wrote: From my understanding regarding CACert is that it is not a REAL SSL certificate. It is an issued certificate from CACert, but CACert certificates are not accepted as guaranteed authentic by 99.9% like for example Verisign.
No certificates are "guaranteed" to prove the identity of the user. That's why there are such things as CRLs (Certificate Revocation Lists), OCSP (Online Certificate Status Protocol), SCVP (Simple Certificate Validation Protocol), etc. All of these things exist because certificates provide *NO* guarantee. If someone steals your private certificate, or otherwise gets ahold of it, as far as SSL is concerned, they *are* you.

Darvocet wrote: From what I've been told (and feel free to correct me) is that a self-signed certificate offers the same security.
That is completely false. Let me ask you this, if you ask me, "are you really codemastr?" and I say "yes," is that the same as if you ask your best friend, who also happens to be my best friend, if I am really codemastr? I don't think so. We have found a person that we both trust to tell us the truth. That's different than you just taking my word for it. The question is, do you trust CACert? I can't answer that, it's up to you. But if you do trust them, well then it is certainly much more valid than just asking some random person if they are who they claim to be!

Darvocet wrote: If you have the money for a 'real' certificate from an accepted issuer then it is suggested that you purchase one
Why? Because the big companies like Microsoft tell you companies like Verisign are trustworthy? Verisign has issued many invalid certificates. Didn't you ever read about the case where Verisign "accidentally" gave out Microsoft's certificate to some random guy who claimed to work for MS? He was able to sign software that appeared to be "authentic" and from Microsoft. Don't think that just because you pay for it that it is somehow better. All those other companies are subject to fraud as well.

Darvocet wrote: however there was 'NO' difference in the certificate except who signed it.
Yeah, and? If you bought it from Verisign, guess what the only difference would be? It is signed by Verisign!
-- codemastr
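
The trust question discussed in the posts above, as an added example that is not part of the original thread: a throwaway CA, a CA-signed server certificate and a self-signed one with the same key size, each checked against a client's trust anchor. It assumes the OpenSSL command-line tool is installed; the names Example Test CA and irc.example.test are constructed.

```sh
#!/bin/sh
# Added example. All names (Example Test CA, irc.example.test) are constructed.

# make_certs DIR: create a throwaway CA, a server certificate signed by that
# CA, and a self-signed server certificate for the same host name.
make_certs() {
    dir=$1
    # The CA is the "mutual friend": a third party both sides may choose to trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    # Server key and signing request, then the CA signs the request.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=irc.example.test" \
        -keyout "$dir/signed.key" -out "$dir/signed.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/signed.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/signed.pem" 2>/dev/null &&
    # Self-signed: the server vouches for itself. Same key type and size.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=irc.example.test" \
        -keyout "$dir/self.key" -out "$dir/self.pem" 2>/dev/null
}

# check ANCHOR CERT: would a client that trusts only ANCHOR accept CERT?
check() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# key_bits CERT: public key size, to compare the cryptographic strength.
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

demo() {
    d=$(mktemp -d) && make_certs "$d" || return 1
    echo "key bits (signed / self):     $(key_bits "$d/signed.pem") / $(key_bits "$d/self.pem")"
    echo "client trusts CA, CA-signed:  $(check "$d/ca.pem" "$d/signed.pem")"
    echo "client trusts CA, self-signed: $(check "$d/ca.pem" "$d/self.pem")"
    echo "client pinned self-signed:    $(check "$d/self.pem" "$d/self.pem")"
    rm -rf "$d"
}
demo
```

Both certificates carry the same key size, so the encryption is no different; what changes is whether a client that has never seen the server before has any independent way to check who it is talking to.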
Darvocet

Post by Darvocet »

OWNED... oh... never mind. :)
- Darvocet
Sr. Network Admin: EpicIRC.Net