Free SSL certificates - trustworthy?

Discussion in 'other security issues & news' started by ajanis, Sep 14, 2010.

Thread Status:
Not open for further replies.
  1. ajanis (Registered Member) | Joined: Sep 14, 2010 | Posts: 9

    I am in the process of installing SSL on my server and stumbled upon free SSL certificates. Is there a way to tell whether they are good or bad? Is a free SSL certificate insecure or untrustworthy? If anybody has experience with free SSL, please comment.
     
  2. chronomatic (Registered Member) | Joined: Apr 9, 2009 | Posts: 1,343

    A cert is a cert. The technology is the same for all of them. The only difference is the "name" behind the cert. That is, will your site visitors trust a cert signed by "ACME certification authority" as opposed to a better-known one (Verisign, GoDaddy, Thawte, Comodo, etc.)? But no matter where it's from, it should provide secure connections provided your visitors trust the CA (and provided your CA doesn't use outdated hashes like MD5).

    And as the poster above said, the whole SSL cert model is really broken, but that's another issue entirely and is tangential to your question. The way I see it, all of them are untrustworthy so it doesn't really matter where you get your cert. You may as well self-sign it.
     
  3. ajanis (Registered Member) | Joined: Sep 14, 2010 | Posts: 9

    Thank you both. Your answers raised two questions:

    1) What would be more secure? I really only need one folder encrypted for my own private use, and not an entire website.

    2) How would I self sign in?

    Thanks!
     
  4. ajanis (Registered Member) | Joined: Sep 14, 2010 | Posts: 9

    As you can see, I am new to SSL and encryption, which seems to get on your nerves.

    To clarify, with "server" I erroneously meant "webhosting account."
     
  5. chronomatic (Registered Member) | Joined: Apr 9, 2009 | Posts: 1,343

    Then you don't need certs at all. Certs are only needed when third parties need verification that you are who you claim to be. So unless you are serving encrypted data to people you don't know but whom you want to trust you, you don't need a cert at all.

    If you're just wanting an encrypted folder, it would be easier just to use symmetric encryption with a tool like PGP/GPG or TrueCrypt.
     
  6. ajanis (Registered Member) | Joined: Sep 14, 2010 | Posts: 9

    You are right, this is the conclusion I am arriving at. Could you recommend software that can be installed server-side to encrypt/decrypt FTP folders?
     