[joomla] SSL virtual hosting
Gary A. Mort
garyamort at gmail.com
Mon Nov 25 11:18:23 EST 2013
On 11/25/2013 10:36 AM, Mark Holberg wrote:
> Gary,
>
> Do you recommend an SSL be purchased for every site? Or would
> self-signed certificates be acceptable?
>
I'm perfectly happy using self-signed certificates. Or more accurately,
I create a self-signed CA for my own usage and use it to sign all the
certificates I use on my sites.
It depends entirely on your use case. I use SSL to protect the admin
section of my Joomla sites and for any site management id's I use a
simple system plugin so that all users in that group get redirected to
the SSL site.
My personal concern is that I use my laptop everywhere I go. I logon to
check my e-mail, make changes to website configurations, etc. Ever
since Firesheep was released back in 2010,
http://codebutler.com/firesheep/ it has gone from 'possible but requires
some work' for anyone else on the public wifi to 'steal' your logon
session to 'ridiculously easy'. Personally I found that a good thing -
it's not like firesheep was some new hacking method, it was just a tool
that made it simple for anyone.
Since I'm using SSL solely to prevent theft of user credentials on wifi
networks - I am perfectly content to tell people "you have to add an
exception to use SSL, and all your admins need to do so".
If I was building an ecommerce site for someone else... well, I'd still
recommend self-signed certificates. I find the "protection" offered by
the various SSL authorities to be a complete joke [they don't seem to
really do anything to actually verify identity] - and most small
ecommerce sites end up having their certificate expire and not get
renewed anyway - without having an appreciable impact on their sales.
So why bother paying a lot of money for an SSL certificate?
But I would at least give the client a heads up that not using a
purchased certificate /might/ affect their conversion rates. They only
need to use the SSL cert for the checkout process, everywhere else they
can use straight http.
With SSL you're really at the mercy of the creator of your web browser
anyway. Google could, for example, provide a false SSL certificate for
/any/ website which would appear valid. The same can be said for
Microsoft, Opera, and Mozilla. [And case in point, Nokia actually DOES
do this. In order to allow them to cache and compress data from
websites being sent to their customers' browsers on their cell phones -
Nokia used their root CA to create fake SSL certificates for https
sites. See https://www.grc.com/fingerprints.htm for fun details]
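The private-CA workflow Gary describes above (a self-signed CA of your own that signs one certificate per site, which admins then trust once by adding the CA as an exception) can be reproduced with openssl. The script below is an added example and is not code from the original post; it assumes openssl is on the PATH, and the CA name, hostname and working directory are placeholders. It also attaches a subjectAltName and checks that the site certificate chains to the CA, which is the property a browser exception actually relies on.

```shell
# Added example: build a private CA and sign a per-site certificate with it.
# Assumes the openssl CLI is installed. All names below are placeholders.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_SUBJ="/CN=Example Private CA"      # constructed CA name
SITE="admin.example.test"             # placeholder hostname for the admin site

make_ca() {
    # Private CA key and self-signed CA certificate (valid 10 years).
    # Keep ca.key offline; only ca.crt is distributed to admins' browsers.
    openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORKDIR/ca.key" -sha256 -days 3650 \
        -subj "$CA_SUBJ" -out "$WORKDIR/ca.crt"
}

make_site_cert() {
    # Per-site key and CSR, signed by the CA. The SAN extension is required
    # for current browsers to match the certificate to the hostname.
    site="$1"
    openssl genrsa -out "$WORKDIR/$site.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$site.key" -subj "/CN=$site" \
        -out "$WORKDIR/$site.csr"
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$site" \
        > "$WORKDIR/$site.ext"
    openssl x509 -req -in "$WORKDIR/$site.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 825 -sha256 \
        -extfile "$WORKDIR/$site.ext" -out "$WORKDIR/$site.crt" 2>/dev/null
}

verify_site_cert() {
    # Exit 0 only if the site certificate chains to our CA.
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$1.crt" >/dev/null 2>&1
}

site_cert_has_san() {
    # Exit 0 only if the issued certificate carries the expected DNS SAN.
    openssl x509 -in "$WORKDIR/$1.crt" -noout -text | grep -q "DNS:$1"
}

make_ca
make_site_cert "$SITE"
echo "CA and site certificate written to $WORKDIR"
```

Install `$WORKDIR/$SITE.key` and `$WORKDIR/$SITE.crt` in the SSL virtual host, and import `ca.crt` once into each admin's browser; from then on every site signed by that CA is trusted without a per-site exception, and a certificate presented by someone else on the same wifi will not chain to it.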