Bill Walton said the following on 02/28/2007 01:36 PM:
I'm going to install SSL over part of my app and will be using a cert
from Geotrust. I'm considering two options: Quick SSL, and Quick SSL
Premium ( GeoTrust | SSL Digital Certificate Authority | Encryption & Authentication ). The
main difference is that QuickSSL has a static seal and the Premium has a
"Dynamic seal stating transaction is secure. Displays real-time date /
timestamp"
1) Does the seal go on all the secure pages?
2) Does the Dynamic seal pose any issues for Rails apps?
I'd really appreciate hearing from anyone with experience with this stuff.
Basically its all meaningless.
Go and real the POLICY documents behind them, the equivalent of the EULA and
liability declarations.
The issue of 'where' is policy. If you miss out a SSL page they are not
going to come and beat you up or take you to court for non-compliance.
The 'dynamic' seal is no different from any other such chunk of
javascript-enabled dynamic update, like a clock or weather indicator.
its not going to make your site more secure.
What will make you site more secure has little to do with SSL. Much has
been written on that and advising on it is about 30% of my business. There
are good books and papers out there; google and amazon are your friends.
SSL has many myths associated with it, and 'security' is one of them.
All it does is encrypt the link. Even this isn't very good as there are
many appliances sold as tools for corporate gateways that can spoof the
connection in a way that is really a man-in-the-middle attack.
If all you are doing is protecting what's going on over the wire then a
self-signed certificate is adequate. The Apache tools on my Linux box has
all the stuff needed. I did this once, long ago, to try it out but s slips
my memory right now.
What companies like Verisign are selling is a form of trustworthiness. Even
that is a chimera. Let me explain why.
When you visit a site that purports to be Amazon and carry out a financial
transaction you want to be sure that it really is Amazon you are dealing
with, as well as securing the electrons over the wire. But if anyone can
set up a self-signed cert then what? So we have 'certificate authorities'
like Verisign. The idea is that if the cert comes from Verisign then you
can trust it.
Why?
Well, Verisign _should_ have verified that the company applying for the cert
IS who they say there are, all the due diligence about their integrity,
business practices, how they secure their network, their programming
techniques, that they do own the domain and the IP addresses, and so on and
so on and so on. All the stuff that I audit for in my "day job'.
But the reality is that they actually sell a whole pile of grades of certs.
Some of them you just have to apply for and pay the money - the only thing
they check is that the credit card transaction goes through.
This is not a put-down of Verisign or any other cert authority. Its
marketing.
Read the licensing agreements. Unless they are doing a due diligence check
on you as a business then what you are getting offers no more protection
than a self signed cert.
However if you as a company need the marketing panash of displaying a known
"badge" on your pages, then that's another matter.
The issue is WHAT ARE YOU TRYING TO ACHIEVE?
The way you've worded your question is open. If its asking about technical
superiority, then technically ANY SSL certificate is equivalent to any other
- even a self signed one.