For most serious applications of SSL, not really...
Imagine you went to buy a book at Amazon and when you clicked on "checkout", you got a
warning saying, "we're having a problem with our server and so you might get a browser warning
about site name not matching certificate. Don't worry, just carry on and type in your credit card
number anyway..." - would you?
I guess if you have a limited application where the server holds the
confidential data and the clients are just browsing it and there's no
conceivable risk of anyone impersonating the server to serve up false data,
then maybe it would be enough. But if the clients have anything confidential to
submit, you really need authentication as much as encryption - put it another
way, if you send your money off in an armoured car, you'd better make sure the
driver really goes to the bank.
The most we're talking about here is a username/password for
forums/ftp/webmail. I definitely don't have the infrastructure in place
for any serious e-commerce sites, nor would I want that kind of
responsibility placed on my home business at this stage.
I'm curious, though, about your cautionary statements. In what way
could this setup potentially be abused? Assume that the only people who
use any SSL-encrypted services on my secondary domains are fully aware
of my primary domain and know that I am the one handling their hosting.
Thus, when they receive a warning message about their certificate,
they'd see my name and know it's OK. Is there a way for a 3rd party to
abuse this and hijack their data?
The only thing I can think of is if someone messed with their DNS so
that they go to another server pretending to be me. But, even with
authentication, the only way to truly prevent that would be to use
"trusted" certs, which cost, what, $200? (something I don't have at the
moment). As long as I'm self-signing, anyone can self-sign and pretend
to be me.
Regards,
David P. Donahue
[EMAIL PROTECTED]
http://www.cyber0ne.com
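To make the impersonation question concrete, here is an added example (not code from the thread or from the Apache project). It reduces a certificate to a (name, long-term public value) pair and models the "someone messed with their DNS" case as a party who answers the client's connection and presents its own self-signed value under the expected name. Three client policies are compared: click through every warning (encryption only), check that the name on the certificate is the expected one, and compare the certificate's fingerprint against one recorded out of band. Key agreement is Diffie-Hellman in the 2048-bit MODP group from RFC 3526; the server name, the pinned fingerprint and the policy names are constructed for this example, and the fingerprint pin stands in for a client that has been given the self-signed certificate in advance.

```python
"""Self-signed certificates: name check versus fingerprint pin (added example)."""
import hashlib
import hmac
import secrets

# 2048-bit MODP group (RFC 3526, group 14) as transcribed here; generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
NBYTES = (P.bit_length() + 7) // 8


def keypair():
    """Fresh private exponent in [1, P-2] and the matching public value."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(public):
    """SHA-256 of the public value: what a browser shows as the cert fingerprint."""
    return hashlib.sha256(public.to_bytes(NBYTES, "big")).hexdigest()


def session_key(own_priv, peer_pub):
    """Derive a symmetric key from the Diffie-Hellman shared secret."""
    return hashlib.sha256(pow(peer_pub, own_priv, P).to_bytes(NBYTES, "big")).digest()


# The legitimate server's long-term key; its "certificate" is the (name, public) pair.
SERVER_NAME = "secondary.example"          # constructed name for this example
SERVER_PRIV, SERVER_PUB = keypair()
SERVER_CERT = (SERVER_NAME, SERVER_PUB)

# What a careful client recorded out of band (e.g. from the hosting provider)
# before ever trusting the self-signed certificate.
PINNED_FINGERPRINT = fingerprint(SERVER_PUB)


def client_accepts(cert, policy):
    """Decide whether the client proceeds with the presented certificate."""
    name, pub = cert
    if policy == "encrypt-only":       # click through every browser warning
        return True
    if policy == "name-check":         # "I'd see the name and know it's OK"
        return name == SERVER_NAME
    if policy == "pin-check":          # compare against the out-of-band fingerprint
        return hmac.compare_digest(fingerprint(pub), PINNED_FINGERPRINT)
    raise ValueError(f"unknown policy {policy!r}")


def connect(policy, redirected):
    """One client connection. Returns (accepted, attacker_holds_session_key)."""
    if redirected:
        # DNS points at an impersonator, who presents its own self-signed
        # value under the name the client expects to see.
        peer_priv, peer_pub = keypair()
        presented = (SERVER_NAME, peer_pub)
    else:
        presented, peer_priv = SERVER_CERT, SERVER_PRIV

    if not client_accepts(presented, policy):
        return False, False                # aborted before any data was sent

    cli_priv, cli_pub = keypair()
    k_client = session_key(cli_priv, presented[1])
    k_peer = session_key(peer_priv, cli_pub)   # whoever answered completes the handshake
    assert k_client == k_peer                  # encryption works either way
    attacker_key = k_peer if redirected else None
    return True, attacker_key == k_client


if __name__ == "__main__":
    for policy in ("encrypt-only", "name-check", "pin-check"):
        for redirected in (False, True):
            print(f"{policy:12s} redirected={str(redirected):5s} ->", connect(policy, redirected))
```

The name check gives the same result as no check at all once the client has been redirected, because the impersonator chooses the name. What distinguishes the real self-signed certificate from a substitute is the key, and the only way a client can tell them apart without a CA is to have been given that certificate (or its fingerprint) in advance, which is what importing the self-signed certificate into each user's trust store achieves.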
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.