[Dshield] Digital certificates

Roland Green rgreen at plannedbuy.com
Fri Oct 22 19:31:42 GMT 2004


Alan,
You can buy a certificate from Entrust for $150/year. They also offer a free 60-day trial certificate: http://www.entrust.com/freecerts/webcerts/index.htm

Hey, try not to get too emotional, all you have to say is thanks man!


Stephane Grobety wrote:

>AF> Our client uses a certificate to provide security in an SSL credit
>AF> card transaction. They are in the process of building a new web
>AF> site, using a different host and the certificate on the current
>AF> host may expire before the new site is ready. Rather than
>AF> recommend paying to renew a certificate which will only be needed
>AF> for a month or so, I'm contemplating a recommendation to leave the
>AF> expired certificate in place, and to notify anyone who inquires
>AF> about the upcoming site change. I just wanted to be sure such a
>AF> recommendation wouldn't "break" the site.
>
>Thank you for the details.
>
>I'm afraid that the answer to your question is: "yes, it will break
>the site". It won't break it much: users will still be able to get
>through if they accept the security issue, but you have several things
>to take into account:
>
>1/ The insurance that comes with the certificate will not be valid any
>more and you won't be able to turn against the certificate provider if
>someone somehow uses it to mount a MIM attack. This is of particular
>concern since the people that have the ability to mount such an attack
>(network admin at your site and people at the CA) are also the ones
>that will know about the problem.
>
>2/ It lowers the "security feeling". I, for one, would always advise
>users to refuse any connection that uses an invalid certificate,
>whatever the reason. Users usually can't be trusted with making the
>right choice in that matter. I wouldn't use it either since it would
>show that the price the operator of the web site puts on securing its
>data properly is the price of an SSL certificate renewal (i.e. a few
>hundred $). Weighed against the amount that can be pulled from my
>credit card should it be leaked, I would rather use a different
>supplier or use a different payment method, if no other supplier is
>available.
>
>So, you have a few options:
>
>1/ Change the hostname before the new site is ready and then simply
>switch the servers when you're done. Of course, you can't always do
>that (if you're using two different hosting providers, do not have
>control over the DNS and if the providers aren't willing to help you
>for an acceptable price, for instance).
>2/ buy a wildcard certificate. They are quite a bit more expensive
>than the regular ones, but you can run two (or any number of) hosts
>with the same certificate (i.e. "https://new.domain.com" and
>"https://old.domain.com" will use the same certificate and signature).
>3/ Bite the bullet and pay for the renewal. You might want to call your
>CA to ask them if they could offer you a discount on that particular
>cert but, knowing how these sharks are, I very much doubt that you'll
>get anything. Still, it's worth trying. And if it doesn't work, it
>should still be pretty cheap compared to your site's reputation and
>the cost of developing a whole new shopping web site.
>
>Good luck,
>Stephane
>
>
>_______________________________________________
>DShield and the Internet Storm Center are sponsored by the SANS Institute.
>To learn more about current SANS training, see http://www.sans.org .
>

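The thread turns on two checks a browser makes before it accepts the site's certificate: does the certificate cover the hostname being visited (which is where a wildcard certificate helps when old.domain.com and new.domain.com must share one), and is the current time inside its validity period (which is what fails once the old certificate expires). The script below is an added example, not code from the original thread or from Entrust; it works on certificates in the dict form that Python's ssl.SSLSocket.getpeercert() returns, with two constructed sample certificates standing in for the real ones. The hostname-matching rules (a single "*" only as the whole leftmost label, matching exactly one label, no "*.com"-style wildcards) are the modern client behaviour and are an assumption of this example, as are the example hostnames and dates.

```python
"""Decide whether a server certificate covers a hostname and is valid at an instant.

Added example, not from the original thread. Input certificates use the dict
layout of ssl.SSLSocket.getpeercert(); the two samples below are constructed.
"""
import ssl
import time


def hostname_matches(pattern, hostname):
    """Name matching as modern TLS clients do it (assumption: RFC 6125 style).

    A wildcard is accepted only as the entire leftmost label, it matches
    exactly one label, and wildcards too close to the top level are rejected.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # *.domain.com covers neither domain.com nor a.b.domain.com
    if any("*" in label for label in p[1:]):
        return False  # wildcard only in the leftmost label
    if "*" in p[0] and p[0] != "*":
        return False  # partial wildcards such as "w*.domain.com" are rejected
    if p[0] == "*" and len(p) < 3:
        return False  # "*.com" would cover every .com site; refuse it
    return all(a == "*" or a == b for a, b in zip(p, h))


def cert_names(cert):
    """Names a certificate is valid for: SAN dNSNames, else the subject CN."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def covers(cert, hostname):
    return any(hostname_matches(name, hostname) for name in cert_names(cert))


def validity(cert, at=None):
    """Return (within_period, days_left); days_left is negative once expired."""
    now = time.time() if at is None else at
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_before <= now <= not_after), (not_after - now) / 86400


def assess(cert, hostname, at=None):
    """Both the name check and the validity-period check must pass."""
    time_ok, days_left = validity(cert, at)
    name_ok = covers(cert, hostname)
    return {"name_ok": name_ok, "time_ok": time_ok,
            "days_left": round(days_left, 1), "accepted": name_ok and time_ok}


# Constructed sample certificates (not real certificates, dates are invented).
SINGLE_HOST_CERT = {
    "subject": ((("commonName", "old.domain.com"),),),
    "subjectAltName": (("DNS", "old.domain.com"),),
    "notBefore": "Nov  1 00:00:00 2003 GMT",
    "notAfter": "Nov  1 00:00:00 2004 GMT",
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.domain.com"),),),
    "subjectAltName": (("DNS", "*.domain.com"), ("DNS", "domain.com")),
    "notBefore": "Oct  1 00:00:00 2004 GMT",
    "notAfter": "Oct  1 00:00:00 2005 GMT",
}
# The instant the thread was posted: Fri Oct 22 19:31:42 GMT 2004.
THREAD_TIME = ssl.cert_time_to_seconds("Oct 22 19:31:42 2004 GMT")

if __name__ == "__main__":
    for host in ("old.domain.com", "new.domain.com", "domain.com", "www.new.domain.com"):
        print(host, "single-host cert:", assess(SINGLE_HOST_CERT, host, THREAD_TIME))
        print(host, "wildcard cert:  ", assess(WILDCARD_CERT, host, THREAD_TIME))
    # The single-host certificate a year later: name still matches, period does not.
    print("a year on:", assess(SINGLE_HOST_CERT, "old.domain.com", THREAD_TIME + 365 * 86400))
```

Run as-is to see which host/certificate pairs a client would accept at the thread's date and a year later. Note that the wildcard sample lists the bare domain.com as a second SAN entry on purpose: "*.domain.com" alone does not cover it, and it does not cover a deeper name such as www.new.domain.com either, so the set of hosts the new site will actually answer on should be enumerated before buying.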


