OpenSSL

Hello, has anyone used OpenSSL before?

Why do we need to pay for expensive SSL certs when there is OpenSSL
which is provided free? Is there a difference?

I’ve got an e-commerce website, and I’m wondering if OpenSSL is enough?

Your thoughts will be appreciated.

On Sep 8, 7:24 am, Christian F. wrote:

> Hello, has anyone used OpenSSL before?
>
> Why do we need to pay for expensive SSL certs when there is OpenSSL
> which is provided free? Is there a difference?
>
> I’ve got an e-commerce website, and I’m wondering if OpenSSL is enough?
>
> Your thoughts will be appreciated.

OpenSSL is a library for performing various encryption tasks, so
(other than the fact that it can manipulate them) it hasn’t got much
to do with SSL certs. The problem with a self-signed cert (which
OpenSSL can generate for you) or something like a CAcert is that most
users won’t have the root certificate on their machine, so they will
see an ‘untrusted certificate’ warning when they visit your site (and
of course this also means that you’re open to a man-in-the-middle type
attack).

Fred
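What Fred describes, as an added example that is not part of the original thread: the script builds a self-signed certificate and a certificate issued by a small private CA, then checks each against a trust store the way a browser would. The names `Demo Root CA` and `shop.example` and the helper functions are constructed for the demo, and it assumes the `openssl` CLI with its stock `openssl.cnf`.

```shell
#!/bin/sh
# Constructed demo: "Demo Root CA" and "shop.example" are made-up names.
# Relies on the stock openssl.cnf, which marks `req -x509` output as CA:TRUE.
set -u
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# newcert CN BASENAME: fresh key plus a self-signed certificate for CN.
newcert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$work/$2.key" -out "$work/$2.crt" 2>/dev/null
}

# trusted ROOTS CERT: succeeds only if CERT chains to a root listed in ROOTS.
# -no-CApath keeps the system trust directory out of the comparison.
trusted() {
  openssl verify -CAfile "$1" -no-CApath "$2" >/dev/null 2>&1
}

# report LABEL ROOTS CERT: print the verdict a visitor's browser would reach.
report() {
  if trusted "$2" "$3"; then
    echo "$1: trusted"
  else
    echo "$1: UNTRUSTED (browser warning)"
  fi
}

newcert "shop.example" self   # what OpenSSL on its own gives you
newcert "Demo Root CA" ca     # stand-in for a root the browser already ships

# CA-issued certificate: the site creates a CSR and the CA signs it.
openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example" \
  -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
openssl x509 -req -in "$work/leaf.csr" -CA "$work/ca.crt" \
  -CAkey "$work/ca.key" -CAcreateserial -days 1 \
  -out "$work/leaf.crt" 2>/dev/null

report "self-signed, visitor has only the CA root" "$work/ca.crt" "$work/self.crt"
report "CA-issued, visitor has only the CA root" "$work/ca.crt" "$work/leaf.crt"
report "self-signed, visitor imported it by hand" "$work/self.crt" "$work/self.crt"
```

The encryption is the same in all three cases; the only thing that changes is whether the visitor already holds the root that vouches for the certificate.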

My domain registrar has Geotrust RapidSSL for $10 / year. Is this good
enough SSL? Any other recommendations?

On Sep 8, 3:01 pm, Frederick C.

OpenSSL is a library. What you pay for is a certificate from a known
certificate authority, that is, a certificate created by someone like
Verisign, because all browsers know them and will not alert the user
that the site is unknown/untrusted. So if you create your own
certificate with OpenSSL and you have an e-commerce site, it will be a
problem, since all the browsers will alert users that your site has an
untrusted certificate and most users will not continue to your site.
That is why you have to buy a certificate from a known CA. Verisign is
expensive, but there are cheaper known CAs.

The two ends of the spectrum:

  • Verisign (http://www.verisign.com/): probably regarded as one of the
    most trusted SSL providers, but it certainly reflects in their pricing
  • StartSSL (http://www.startssl.com/): even provides a free
    certificate (trusted by browsers afaik), it’s more limited of course,
    but hey, that’s what free will give you

RapidSSL leans more towards StartSSL than Verisign. Also don’t forget
you need a dedicated IP in order for your certificate to work properly!

On 08 Sep 2010, at 10:08, Christian F. wrote:

> Why do we need to pay for expensive SSL certs when there is OpenSSL
> users won’t have the root certificate on their machine so will see a
> ‘untrusted certificate’ warning when they visit your site (and of
> course this also means that you’re open to a man in the middle type
> attack)

Best regards

Peter De Berdt