Development Secure Site Certificates? https://

Discussion in 'Software' started by OneSeventeen, 6 Jan 2005.

  1. OneSeventeen

    OneSeventeen Oooh Shiny!

    Joined:
    3 Apr 2002
    Posts:
    3,454
    Likes Received:
    2
    We need to get people to enter their Social Security Numbers on a form because we still operate in the dark ages. (in the next year or 3 we should be going away from this, but for now...)

    So there is an obvious need to encrypt form data. And I am under the impression that is just what https does. It does not mean the server is secure, just that the data will be encrypted instead of transmitting back and forth in cleartext.

    I noticed storing it as a cookie even over a secure connection is in cleartext, but if it is being encrypted while going to and from the server, I may just save it on the server in a session and be sure to remove the file after the user clears the session.

    Any tips?

    If this is what a certificate does, how do I implement them on my mandrake box? I can already use https:// for my site, but it gives me the warning of not having a valid certificate, so I'm assuming it is a matter of "plugging the certificate in" to apache.

    Also, who do you recommend? It seems we use thawte for one of our servers, but I seem to see verisign on larger corporate sites. Any recommendations?
     
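    An added example (Python, not code from this thread) of the server-side approach described in the post above: the cookie carries only an opaque random session id, the SSN stays in a store on the server, and the entry is wiped on logout or expiry. The in-memory store and the SESSION_TTL value are assumptions standing in for the on-disk session files mentioned in the post.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 15 * 60  # assumed: seconds a session holding sensitive data may live


def _clock(now):
    return time.time() if now is None else now


class SessionStore:
    """In-memory server-side session store (assumed stand-in for session files)."""

    def __init__(self):
        self._sessions = {}  # session id -> {"data": {...}, "expires": float}

    def create(self, now=None):
        # The cookie will carry only this unguessable opaque id, never the SSN.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"data": {}, "expires": _clock(now) + SESSION_TTL}
        return sid

    def put(self, sid, key, value, now=None):
        sess = self._live(sid, now)
        if sess is None:
            raise KeyError("no live session for this id")
        sess["data"][key] = value

    def get(self, sid, key, now=None):
        sess = self._live(sid, now)
        return None if sess is None else sess["data"].get(key)

    def destroy(self, sid):
        # Called when the user logs out or clears the session: the sensitive
        # value is dropped server-side rather than left behind.
        self._sessions.pop(sid, None)

    def _live(self, sid, now):
        sess = self._sessions.get(sid)
        if sess is not None and _clock(now) >= sess["expires"]:
            self.destroy(sid)  # expired: discard instead of serving stale data
            return None
        return sess


def session_cookie_header(sid):
    """Set-Cookie value: Secure so the browser sends it only over https,
    HttpOnly so page scripts cannot read it; the value is just the id."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True
    cookie["sid"]["httponly"] = True
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()
```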
  2. Hwulex

    Hwulex What's a Dremel?

    Joined:
    1 Feb 2002
    Posts:
    4,007
    Likes Received:
    1
    You get the warning message because you haven't bought an actual SSL certificate, you're just running with a dummy one. I think we use verisign for ours. :thumb:

    This is how we build our installations:
    Code:
    # gunzip < openssl-xxx.tar.gz | tar xvf -      # unpack the OpenSSL source
    # cd openssl-xxx
    # ./config --prefix=/usr/local/ssl
    # make
    # make test
    # make install
    # cd ..
    
    # gunzip < mod_ssl_xxx.tar.gz | tar xvf -      # unpack mod_ssl
    # cd mod_ssl_xxx
    # ./configure --with-apache=/path/to/apache_xx  # Apache source tree, not the installation
    # cd ..
    
    # /usr/local/apache/bin/apachectl stop
    # cd apache-xxx
    # SSL_BASE=../openssl-xxx ./configure --enable-module=ssl --activate-module=src/modules/php5/libphp5.a --enable-module=php5 --prefix=/usr/local/apache --enable-shared=ssl   # SSL_BASE must be set for this configure run
    # make
    # make certificate                              # generates a test certificate and key
    # make install
    We actually do
    # make certificate TYPE=existing CRT=/root/certs/domain.tld.crt KEY=/root/certs/domain.tld.key

    But that's 'cause we made them before, you possibly won't have the certificate or key files.
     
  3. OneSeventeen

    OneSeventeen Oooh Shiny!

    Joined:
    3 Apr 2002
    Posts:
    3,454
    Likes Received:
    2
    Well, I found the manual on Apache's website and a nice how-to, so I've got a test certificate from thawte running (to see how it works).

    It already had openssl and mod_ssl installed, so the only problem I had was remembering to change the mod_ssl config files, not the httpd2.conf files.

    The other huge screwup I made was it asked me for the Common Name (for example YOUR name) so I typed in MY name.... Apparently that's where my domain name should have gone.
     
  4. OneSeventeen

    OneSeventeen Oooh Shiny!

    Joined:
    3 Apr 2002
    Posts:
    3,454
    Likes Received:
    2
    Oh, I almost forgot, using https with a good certificate the data will be transmitted encrypted, right?

    I mean, that's the point of SSL, isn't it, to not send data via cleartext?

    I just want to make sure we are covering our bases.
     
  5. TheAnimus

    TheAnimus Banned

    Joined:
    25 Dec 2003
    Posts:
    3,214
    Likes Received:
    8
    SSL uses a public/private method.
    (sometimes called A/B).

    The best analogy for this is you send a treasure chest open, they place their secret in it, close the chest and send it back to you; the key never leaves your keep.

    This all relies on P=NP
    (if you solve this, you get $1 MILLION.) RSA have lots of stuff explaining this somewhere.
     
