Geekzone: technology news, blogs, forums

gzt
17160 posts

Uber Geek

Lifetime subscriber

  #1393802 24-Sep-2015 19:43

nzerin: ok thanks guys, I will look into all these options. cry

If you want to post some specific information about your hosting/platform/software/version/configuration - you may get some very good advice here related to those components.



timmmay
20591 posts

Uber Geek

Trusted
Lifetime subscriber

  #1393840 24-Sep-2015 20:30

MadEngineer: https://www.startssl.com

Any good?


SSL certificates are all roughly the same when it comes to encryption. The higher level ones validate that you are who you say you are, the cheaper ones give no such assurances.

Ragnor
8223 posts

Uber Geek

Trusted

  #1394903 26-Sep-2015 16:15

MadEngineer: https://www.startssl.com

Any good?


Pros: Free class 1 ssl certificates, you pay to verify your identity for higher class certs instead of paying per cert like other providers.

Cons: Horribly designed annoying website, based in Israel so things that require manual approval/verification at their end can take a day or more due to time difference.



freitasm
BDFL - Memuneh
79314 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1394911 26-Sep-2015 16:21

I use RAPIDSSL for our certs.







darylblake
1162 posts

Uber Geek

Trusted

  #1394989 26-Sep-2015 18:30

If you are using cloudflare as your CDN you can use the cloudflare account. They have a product called Universal SSL.  

freitasm
BDFL - Memuneh
79314 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1394990 26-Sep-2015 18:31

But still good to have your own in case you need to disable Cloudflare or as a fallback.






timmmay
20591 posts

Uber Geek

Trusted
Lifetime subscriber

  #1394991 26-Sep-2015 18:31

darylblake: If you are using cloudflare as your CDN you can use the cloudflare account. They have a product called Universal SSL.  


That typically only encrypts from browser to CloudFlare, not to the server. It can be configured to connect to the server using an encrypted connection, but that is less common and more hassle. It's not secure end to end.

 
 
 


mme
161 posts

Master Geek


  #1395044 26-Sep-2015 20:35

Just use a self signed CERT and use Cloudflare to serve the front end. Especially if PayPal handles the payment stuff

michaelmurfy
meow
13270 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1395075 26-Sep-2015 22:34

I just self-sign my certificates, enable SPDY support then use Cloudflare to serve up an actual certificate on my sites (see https://management.interwebz.co.nz as an example). For my own hosted stuff not behind Cloudflare I use StartSSL's free certificate which works really well however don't lose the private key for your certificate else you'll find you're forking out some coin for a certificate reset.




Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


nzerin

17 posts

Geek
Inactive user


  #1395301 27-Sep-2015 19:08

Wow thanks everyone, I will get onto the SSL cert and look into the Cloudflare service. cheers

timmmay
20591 posts

Uber Geek

Trusted
Lifetime subscriber

  #1395316 27-Sep-2015 19:46

Don't get an SSL cert before you work out your whole game plan. Self signing is possible, if you do CloudFlare, but not with shared hosting, yes if you use a VPS.

Encryption in transit is still an illusion of security. Intercepting and decrypting traffic is pretty rarely a way to compromise a website. Breaking in via known vulnerabilities is far more likely, and easier.

UncleArthur
197 posts

Master Geek


  #1399925 5-Oct-2015 01:33

Just to throw another angle:
At work we have a checkpoint firewall.

The other day I was doing some internet banking at work (yes it happens)... I took a look at the cert, and to my surprise the cert was not issued by my bank, but rather from our internal PKI.... Not cool.
So, it seems the checkpoint is doing the encryption between itself and the bank, then decrypting, inspecting the traffic, then re-encrypting between itself and my PC.
Wasn't getting a cert error or any indication this was happening because the PC I was using trusts our internal PKI.

Needless to say, not banking at work anymore...... So, the point is just because you see the padlock looking all happy.... If it's not your network you are on, still check the cert.

Dynamic
3869 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #1400322 5-Oct-2015 14:39

UncleArthur: Just to throw another angle:
At work we have a checkpoint firewall.

The other day I was doing some internet banking at work (yes it happens)... I took a look at the cert, and to my surprise the cert was not issued by my bank, but rather from our internal PKI.... Not cool.
So, it seems the checkpoint is doing the encryption between itself and the bank, then decrypting, inspecting the traffic, then re-encrypting between itself and my PC.
Wasn't getting a cert error or any indication this was happening because the PC I was using trusts our internal PKI.

Needless to say, not banking at work anymore...... So, the point is just because you see the padlock looking all happy.... If it's not your network you are on, still check the cert.

Well spotted.

Unfortunately this is going to get more and more common and trickle down to SMBs.  Google pushing for SSL on all web traffic means more web traffic is encrypted, and this will include web-borne malware.  To provide comprehensive protection, firewall vendors are having to inject themselves into the path of SSL connections to protect against this.  That was just the 'big guys', but I am seeing more SMB firewalls doing this.




“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

 



MadEngineer
4300 posts

Uber Geek

Trusted

  #1400571 5-Oct-2015 21:06

Indeed - and how to employ a transparent proxy without doing the above.




You're not on Atlantis anymore, Duncan Idaho.

xontech
268 posts

Ultimate Geek


  #1402897 9-Oct-2015 10:20

UncleArthur: The other day I was doing some internet banking at work (yes it happens)... I took a look at the cert, and to my surprise the cert was not issued by my bank, but rather from our internal PKI.... Not cool.
So, it seems the checkpoint is doing the encryption between itself and the bank, then decrypting, inspecting the traffic, then re-encrypting between itself and my PC.


That is quite bad form by your work. CheckPoint themselves go to great lengths to say that when you are doing HTTPS inspection on your firewalls that you NEED to set exceptions for certain traffic - i.e. financial and health. Your work is opening themselves up to issues if they don't follow these guidelines, as they, in theory, are privy to personal details if they don't do this. And yes, in hacking terms this is referred to as a man in the middle.

I believe that HTTPS interception is currently the only way to be able to look inside encrypted traffic. And with an average of around 40% (rough memory recall) and growing of traffic in organisations being encrypted there is a real requirement to do this. But with the above caveats.

EDIT: words
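The "still check the cert" advice from the posts above can be scripted. The following is an added example, not code from any poster in this thread: it compares the issuer of the certificate a client actually receives against the issuer it expects, and optionally against a pinned SHA-256 fingerprint. The issuer names, DER bytes and the helper names `issuer_fields`, `check_cert` and `fetch_cert` are constructed for illustration.

```python
import hashlib
import socket
import ssl

def issuer_fields(cert):
    """Flatten the 'issuer' RDN tuples of an ssl getpeercert() dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def check_cert(cert, der, expected_issuer_orgs, pinned_sha256=None):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    org = issuer_fields(cert).get("organizationName", "<none>")
    if org not in expected_issuer_orgs:
        findings.append(f"unexpected issuer organisation: {org}")
    fingerprint = hashlib.sha256(der).hexdigest()
    if pinned_sha256 and fingerprint != pinned_sha256.lower():
        findings.append(f"leaf fingerprint changed: {fingerprint}")
    return findings

def fetch_cert(host, port=443, timeout=5):
    """Live helper: return (parsed cert dict, DER bytes) as seen from this network."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

# Constructed sample data in the shape getpeercert() returns (not real certificates).
DIRECT = {"issuer": ((("countryName", "US"),),
                     (("organizationName", "Example Public CA"),),
                     (("commonName", "Example Public CA G2"),))}
INSPECTED = {"issuer": ((("organizationName", "Example Corp Internal PKI"),),
                        (("commonName", "Example Corp Proxy CA"),))}
DIRECT_DER = b"constructed-der-bytes-direct"      # stands in for the real DER
INSPECTED_DER = b"constructed-der-bytes-proxy"    # what a proxy would re-issue
EXPECTED = {"Example Public CA"}                  # issuer recorded on a trusted network
PIN = hashlib.sha256(DIRECT_DER).hexdigest()      # fingerprint recorded at the same time

if __name__ == "__main__":
    for label, cert, der in (("direct", DIRECT, DIRECT_DER),
                             ("via inspecting firewall", INSPECTED, INSPECTED_DER)):
        print(label, check_cert(cert, der, EXPECTED, PIN) or "ok")
```

A leaf fingerprint also changes on a legitimate renewal, so the issuer mismatch is the more durable signal; `fetch_cert` succeeds silently behind an inspecting proxy only because the machine trusts the internal CA, which is exactly the situation described above.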
