Self-signed SSL Cert or CA?

Problem description

I would like to have the authentication and registration parts of my website encrypted (for obvious reasons). This site is currently an older site which some friends and I started in middle school and still use today. I may or may not register it to be a Non-Profit Organization in the near future, but either way, a CA costs money and the organization doesn't have any and we are currently college kids.

Verisign is unreasonable and GoDaddy is $30/year. GoDaddy isn't too unreasonable, and I think their certs are accepted by most web browsers. The thing with GoDaddy is that I don't know why they have different SSL products (i.e.: why is it cheap to not verify me? does this have any implications on the cert and how the browser treats it if it just contains a domain name?)

Also, is there an issue with using my own cert? Could the login page be http, and have a line stating that I use a self-signed cert and here is its fingerprint, and then post the form to an https page? Safari's method isn't too bad or sound too scary. I'm afraid, however, that Firefox 3's method will scare people away and give me a tonne of emails saying that my site is being hacked or something. I don't know how IE responds to self-signed certs. (There is also the issue of why pay for something I can create myself with no effort, but I'm not going to pose the philosophical part of it, this is a more practical question.)

In sum, do I give GoDaddy $30 a year, or do I just tell people in a small paragraph what I'm doing and give the fingerprint to the few people that will actually want it?

Some on a forum I was reading for more info mentioned that GoDaddy certs are only given if it's on a GoDaddy server, which this isn't. Two things: (1) is this true? and (2) there are other CAs at about the same price, so the argument should still be the same.

Recommended answer

The SSL certificate solves two purposes: encryption of traffic (for RSA key exchange, at least) and verification of trust. As you know, you can encrypt traffic with (or without, if we're talking SSL 3.0 or TLS) any self-signed certificate. But trust is accomplished through a chain of certificates. I don't know you, but I do trust Verisign (or at least Microsoft does, because they've been paid lots of money to get it installed in their operating systems by default), and since Verisign trusts you, then I trust you too. As a result, there's no scary warning when I go to such an SSL page in my Web browser because somebody that I trust has said you are who you are.

Generally, the more expensive the certificate, the more investigating that the issuing certificate authority does. So for the Extended Validation certificates, the requesters have to submit more documents to prove that they are who they say they are, and in return they get a bright, happy green bar in modern Web browsers (I think Safari doesn't do anything with it quite yet).

Finally, some companies go with the big boys like Verisign purely for the brand name alone; they know that their customers have at least heard of Verisign and so that for people shopping on their online store, their seal looks a little less sketch-ball than, say, GoDaddy's.

If the branding is not important to you or if your site is not prone to phishing attacks, then the cheapest SSL cert that you can buy that has its root installed in most Web browsers by default will be fine. Usually, the only verification done is that you must be able to reply to an e-mail sent to the DNS's administrative contact, thus "proving" that you "own" that domain name.

You can use those cheap-o certificates on non-GoDaddy servers, sure, but you'll probably have to install an intermediate certificate on the server first. This is a certificate that sits between your cheap-o $30 certificate and the GoDaddy "real deal" root certificate. Web browsers visiting your site will be like "hmm, looks like this was signed with an intermediate, you got that?" which may require an extra trip. But then it'll request the intermediate from your server, see that it chains up to a trusted root certificate that it knows about, and there is no problem.

But if you are not allowed to install the intermediate on your server (such as in a shared hosting scenario), then you are out of luck. This is why most people say that GoDaddy certs can't be used on non-GoDaddy servers. Not true, but true enough for many scenarios.

(At work we use a Comodo certificate for our online store, and a cheapo $30 GoDaddy cert to secure the internal connection to the database.)

Edited in italics to reflect erickson's insightful clarifications below. Learn something new every day!
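The chain the answer describes, built and checked with openssl as an added example (not part of the original answer or any CA's procedure): a self-signed root standing in for a browser-trusted root, an intermediate signed by it, and a server certificate signed only by the intermediate. The names (Example Root CA, Example Intermediate, www.example.test) are made up; the final check shows why a server that cannot serve the intermediate fails validation even though its certificate was issued by a trusted CA.

```shell
#!/bin/sh
# Added example, not from the original answer: build the chain the answer
# describes (self-signed root -> intermediate -> server cert) with openssl,
# then verify the server cert with and without the intermediate present.
# All names (Example Root CA, Example Intermediate, www.example.test) are made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA: self-signed, standing in for a root a browser ships by default.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl x509 -req -in root.csr -signkey root.key -days 365 -sha256 \
  -extfile root.ext -out root.crt >/dev/null 2>&1

# Intermediate CA: signed by the root, allowed to issue only end-entity certs.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
  -keyout int.key -out int.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 365 -sha256 -extfile int.ext -out int.crt >/dev/null 2>&1

# Server ("leaf") certificate: signed by the intermediate, never by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 365 -sha256 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1

# verify_leaf MODE prints "ok" or "fail". Only the root is trusted (-CAfile),
# as in a browser. "with" also supplies the intermediate, as a correctly
# configured server does; "without" omits it (the shared-hosting case).
verify_leaf() {
  case "$1" in
    with)    openssl verify -CAfile root.crt -untrusted int.crt leaf.crt ;;
    without) openssl verify -CAfile root.crt leaf.crt ;;
    *)       return 2 ;;
  esac >/dev/null 2>&1 && echo ok || echo fail
}

verify_leaf with      # ok: leaf -> intermediate -> trusted root
verify_leaf without   # fail: unable to get local issuer certificate
```

The "without" case is exactly the error a browser reports when the server sends only its own certificate: the leaf is genuine, but the client has no way to link it to a root it already trusts.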
