Question about SSL

[envy me]

So I decided to purchase a domain from godadddy along with hosting from hostgator. I figured everyone has a website so I might aswell play around with it.


The package I chose from hostgator includes a public ssl (shared with other members) and if I wanted a private one I could pay $70.

I know that if you run unix or linux you could generate your own certificate (not as secure I realize but a certificate nonetheless)

I wanted to know:

a. If I generate my own certificate, I could use that in place of one provided by verizon, hostgator, or other providers?

b. seeing as I have one machine that is non-unix, how safe would it be for me to get someone running linux/unix to generate a certificate for me if I provided the key? Would I be compromising any kind of security on my site?

c. If there is no security compromisation due to b. would anyone be willing to generate a certificate for me? (if there is a security issue with that please disregard this request as this stuff is all relatively new to me)

I have a domain, a site, phpBB, and gallery setup. I want to setup an online merchant not to make money, but to see if I can.

I have a logo designed for my "company" and will be doing a website soon, I just haven't decided what my company/site will do


Appreciate all your help with this.

 

[DaveSimmons]

Self-signed certificates will trigger warnings in browsers that customers should stay away from your website because it's unsafe. Not the image you want if this is some kind of business.

GoDaddy sells SSL certs cheap, under $50 I think.

 

[Mark R]

As above really.

Self signed certificates, will pop-up security warnings. More recent browsers, in particular firefox 3 - make it extremely difficult and geek intensive to even access a site with a self-signed certificate.

The whole point of an SSL certificate is that it proves that your site belongs to you, and that it is not a hack or imposter. The idea is that you submit identity documents to a provider, who will vouch for your identity and that you rightfully own the website. They supply a certificate that provides proof of their vouching for you, and which is easily verified by browsers.

A self signed certificate cannot be verified by browsers, and therefore because you have defeated the entire point of an SSL certificate, the browser will pop up loads of warnings, if it even lets the user connect to the website in the first place.

 

[envy me]

So what is it about a verizon certificate that differs from a self signed one? I mean how can firefox know which is which. Or if another certificate issuing company comes out how will firefox distinguish that from someone creating their own?

 

[George P Burdell]

Namecheap sells SSL certs for $12.88.

 

[Crusty]

Originally posted by: envy me

So what is it about a verizon certificate that differs from a self signed one? I mean how can firefox know which is which. Or if another certificate issuing company comes out how will firefox distinguish that from someone creating their own?

Each browser ships with a list of trusted certification authorities. If your certificate was generated by one of those on the list you are fine, if not you'll get an error. It's not easy to be a root certification authority so I'm guessing the list doesn't change that often.

 

[wiredspider]

Make sure the host supports the SSL, you need a dedicated IP and many of the cheap hosts make you share an IP (and then charge extra for the dedicated IP).