Date:      Sat, 11 Jul 1998 05:54:37 +0100 (BST)
From:      Glynn Clements <glynn@sensei.co.uk>
To:        "Numard (Norberto Meijome)" <numard@smartmedia.com.ar>
Cc:        FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Secure commerce?
Message-ID:  <13734.61453.441391.493813@cerise.sensei.co.uk>
In-Reply-To: <35A6D02E.C9E4D556@smartmedia.com.ar>
References:  <35A6D02E.C9E4D556@smartmedia.com.ar>

Numard (Norberto Meijome) wrote:

> I'm interested in setting up an https server to do web commerce. The
> server is in USA. I'm actually running apache. I was planning to install
> apache-ssl (w/ ssl-Leavy).
> Now, what would be the right procedure to follow? Do I have to get a
> server-id from verisign or can I create my own with the ssl-leavy soft?

You need to have your public key certified by an authority which is
recognised by the popular web browsers if you want Joe User to trust
it. Otherwise the browser will pop up a warning saying that it doesn't
recognise the certifying authority, which is enough to scare off the
average user.

There was talk on slashdot.org that VeriSign were giving up their
boycott of Apache-SSL. However, I believe that the recent browsers
recognise other authorities (e.g. Thawte), most of whom are cheaper
than Verisign.

> Any known problems with apache 1.3 + ssl?

A potential weakness in existing SSL implementations was posted to
BugTraq within the past week or so. However, it requires approximately
one million connections to retrieve a single session key. So it's more
of a theoretical concern than a practical one. Also, a fix is already
available for SSLeay.

-- 
Glynn Clements <glynn@sensei.co.uk>
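
The difference between a certificate you create yourself and one certified by an authority the client already recognises, as an added example that is not part of the original message. It uses the `openssl` command line (OpenSSL descends from SSLeay); the CA name, host name and file names are constructed, and the locally generated CA only stands in for a commercial authority.

```shell
#!/bin/sh
# Added example: all names below (Example Root CA, shop.example.com) are constructed.
WORK=$(mktemp -d)

make_certs() {
    # 1. Stand-in for a recognised authority: CA key and self-issued root certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null || return 1

    # 2. Server key and certificate signing request (what is sent to the authority).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=shop.example.com" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null || return 1

    # 3. The authority certifies the server's public key.
    openssl x509 -req -in "$WORK/server.csr" -days 30 \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server-ca.pem" 2>/dev/null || return 1

    # 4. "Create my own": the same server key, certified by nobody but itself.
    openssl req -x509 -new -key "$WORK/server.key" -days 30 \
        -subj "/CN=shop.example.com" \
        -out "$WORK/server-self.pem" 2>/dev/null || return 1
}

# Succeeds only if the certificate chains to a CA in the client's trust store.
# Here that store is ca.pem (plus whatever system defaults openssl consults),
# which plays the role of the browser's built-in list of authorities.
trusted() {
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

report() {
    if trusted "$1"; then
        echo "$(basename "$1"): chain verifies, no warning"
    else
        echo "$(basename "$1"): unknown issuer, browser would warn"
    fi
}

if make_certs; then
    report "$WORK/server-ca.pem"
    report "$WORK/server-self.pem"
fi
```

Both certificates carry the same public key and encrypt traffic equally well; only the issuer decides whether the client accepts them silently.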
