Jump to content
Fmdpa

SSL Certificates

Recommended Posts

In my current website project, I would like to design a secure area for members. I have built basic login systems before, but I want to build something more secure this time. One of the things I would like to do it route requests using the HTTPS protocol. In my research on how to do this, I have been starting to learn about SSL certificates. As I understand it, in order to create an SSL encrypted connection that users can be confident in, I must purchase a certificate from a certificate authority (CA).

 

I am questioning whether I really need to do this, though. Neither money nor information that is extremely sensitive would be handled in the secure area. The purpose of the website is of a nature that membership would be restricted to those personally acquainted with me, so it's not like they would be using a website with some vague "entity" operating it. They could trust me. Would that make it safe for me to use a self-signed SSL certificate? My only suspicion is that a hijacker could potentially inject a new SSL certificate (not sure if this is possible...) and trick users since neither his nor mine would be signed by a trusted CA.

 

I could just get a cheap certificate, but I would like to avoid spending money on this if I don't have to. Maybe a free certificate would be okay? I'm not sure.

 

What do you think is the best course of action for my situation?

Share this post


Link to post
Share on other sites

I will soon be pondering the same issue. Right now I'm working on a basic Ajax scheme that will at least obscure the text traffic. Once I have that working properly I will try to look at other available options to further harden the login and registration phases. Like you I don't have any real need for security, but I would like to experiment with it. I seem to remember something about a shared certificate that might be available on my hosting service, so I will be investigating that possible and very good option. Since this is posted in Webservers I'm guessing you have a dedicated server of your own, so that is obviously a different situation.

 

There is certainly a level of hostility in many online discussions on this topic because I guess nothing is anywhere near as reliable as properly certificated SSL/TLS.

Edited by davej

Share this post


Link to post
Share on other sites

No, I am just using a shared server. I couldn't think of a better forum on which to post it.

 

Thanks for your input; I'm looking forward to hearing if you learn anything!

Share this post


Link to post
Share on other sites

Just thought I'd also mention about self-assigned certificates is that every time a user attempts to access a page/site with self-assigned certificates, the browser will give the user a warning and that can be an annoyance to your users. The good thing is if the user knows it's all good to continue, they can select the option of not being warned again for that page/site(depending on the browser) but I guess the best way to not have that prompt appear at all is to get a certified certificate somewhere.

 

I thought about it too but after doing some research on it, it's suggested only really if you're site is going to have sensitive info taking place like credit card transactions, etc. In your case, it's not a bad idea to get a certified certificate either but since you're not handing extremely sensitive info, I would go for those cheap ones like in the link you provided. :good:

Share this post


Link to post
Share on other sites

That's something that concerned me. I don't want to make the website difficult for users to utilize; I want to avoid unnecessary annoyances like that. So a certificate from a CA is probably the best way for me to go. Thanks for mentioning that, Don!

Share this post


Link to post
Share on other sites

Fmdpa,

 

I experimented a bit with SSL by getting a free one at the site you provided in your first post. I'm on a dedicated server so not sure how to configure for a shared host server but managed to set up the free SSL certificate from that site with no annoying pop ups warning the user they are about to enter using a unverified certificate. So far Chrome and Firefox have not given me that warning with the free certificate. It's only free for 90 days. Basically it gives you an idea of what it's like to have an actual verified certificate which it is but expires in 90 days. It allows you to experiment with it, etc, which is pretty cool because it was a good learning experience to set up SSL on the server if I ever decide to get one. (I have disabled it in the meantime.)

 

One of the things I noticed though and can be a headache depending on how big your site is, if you have scripts(like jQuery, etc) that link to your web pages via http protocol, the browser will give a notice to the user usually in the form of a "shield" icon telling the user that the browser blocked some scripts. This is because the site is HTTPS and the scripts link to the pages via HTTP. All you basically have to do is go and change those HTTP to HTTPS but a problem with that is that some linked scripts can only be linked/accessed via HTTP and not HTTPS. Luckily most third party scripts, like jQuery etc are also served via HTTPS but the headache part is actually going through each of your pages and changing the links to HTTPS so you don't get the shield icon telling users scripts were blocked and basically losing some functionality to your webpages since those scripts are necessary for things to function properly.

 

Good luck with whatever you decide upon.

Edited by Don E

Share this post


Link to post
Share on other sites

Thanks for posting your observations, Don. I wonder if it would be possible to link to resources using the URL syntax that Google CDN uses:

<script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
I'm assuming that would automatically prepend the current protocol. Of course, this wouldn't work if certain resources could only be served over HTTP. I may get a totally free certificate from StartCom. So far, it seems to be the best free option I have found. I think this site uses it, and the HTTPS aspect of the site has functioned just fine for me. Edited by Fmdpa

Share this post


Link to post
Share on other sites

Hey, yes that would prepend the current protocol. You're also right about about that not working if certain resources are only served over HTTP(with googleaspis, they server with HTTPS as well). One suggestion I read and probably the best is to simply upload all files that you need to your server. One problem with that is, depending on the library, it may be difficult to isolate what you specifically need so you don't have to upload unnecessary files etc that just take up space, etc.

Share this post


Link to post
Share on other sites

I did discover that on my club's hostgator shared hosting account that I have a shared SSL option available by using an alternate URL.

 

Now I wonder how often the SSL option might be unavailable or might offer poorer response times?

Share this post


Link to post
Share on other sites

I don't see a reason why SSL on the server would stop working, we use several wildcard SSL certificates on our servers and there are no issues with it suddenly becoming unavailable.Any time you add additional processing, such as encryption, there is overhead associated with it. HTTPS requests for a given piece of content will always be a little bit slower than HTTP requests for the same content, but not by much. You can benchmark it if you want to. Everything is a tradeoff. You spend a little more time processing the request, but in return you gain encryption. It's like compression. The server and browser can spend a little extra time compressing and decompressing the response, but the tradeoff is that the response is smaller. When the time to compress and decompress is less than that the time to download the uncompressed file, then compression is worth it. It's up to you to decide if the time difference that you can measure (if you can even measure the difference reliably) is worth gaining encryption.Personally, I've never bothered to test that. I want encryption, so I enable it and test the site. It still runs quickly, I don't detect any noticeable slowness due to encryption. The 16-core Xeon servers of today are not the same servers that were around when encryption was introduced.

Share this post


Link to post
Share on other sites

Well, on these cheap shared-hosting servers sometimes everybody in a forum will start complaining that the system response time was terrible during a certain period of time. I don't know if SSL might have an effect on loading. I am going to try to log unusual response times and other strange events.

Share this post


Link to post
Share on other sites

Well, on these cheap shared-hosting servers sometimes everybody in a forum will start complaining that the system response time was terrible during a certain period of time. I don't know if SSL might have an effect on loading. I am going to try to log unusual response times and other strange events.

I think that's something to consider before SSL overhead...

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...