SSL question?

[darius]

Hello all,

From reading through the forum, I can see that SSL is allowed and that it is $18 for installation on the server plus the cost of the certificate from Verisign, Thawte, etc.

I would like to know if you support Open SSL?

If so, do we (website admins) just pay you $18 for the install of that package on the server?

In my particular case, I wanted to have secure transaction but my client did not want to pay for a third-party seal.

I figured Open SSL is a realistic option.

Please let me know if this is doable.

Regards,

Darius

[velvetgold]

I would also like to know if OPENSSL is supported.

......

[velvetgold]

Another option that may be of interest is mals-e.com

They offer a free secure server service for ecommerce transactions(but of course they put their link on the purchase cart) but they also offer a premium service at $6 per month. It includes all online tracking of orders and keeps everything organised.
You may manually collect the card numbers or you can integrate with a payment processor.

I might try them for a while to see if it works for one of my sites.

[darius]

I am looking for a SSL on the server without purchasing a retail certificate.

If Jim is unable to allow to run OpenSSL or some other open source SSL solution on the server, then my client will have to cough up some cash and pay Thawte or Veri$ign.

Darius

[velvetgold]

Apparently it's installed as a standard module on all servers.

I kind of got a one lined response, which basically said "yes we have it installed on all servers" but it would be great if they at least pointed us to a decent site explaining about how to use it.

I'm assuming this is the openpgp keys on Cpanel?

If anyone knows please let me know

[darius]

PGP and SSL are not the same.

SSL encrypts data during transport. Normally between a client web browser and the web server. SSL does NOT encrypt stored data.

PGP only encrypts stored data. An e-mail file, a normal file, a hard drive, etc. It does not encrypt the transmission.

You can use PGP to encrypt the sensitive data once it is on the server, but you still need a secure transmission method to get it there.


In any case, if anyone knows if we can get OpenSSL installed, please post an answer so that we will all know.

Best Regards,

Darius

[velvetgold]

I wasted a little time looking at sites about PGP and no it doesn't suit me either.

I hope that PGP is not the 'Open SSL' they were referring to that is 'a standard module' on the server.

I just want a padlock to appear at the base of the browser when the customer orders so they feel like the transmission is safe.

[Teri]

PGP is not SSL.

SSL stands for Secure Socket Layer.

If you understand networking, you'll know what a socket is. SSL is a way to transmit information through a secure socket connection between your web server and the computer running the browser connected to that server. SSL does this by using encryption. The best encryption available right now is 128-bit encryption. At least in the US.

This means that the server encrypts what it is sending out before it's sent. It also means that when it gets data from you via your browser, it instructs the browser to encrypt the data before sending it. So the encryption is happening on both ends.

Each end also has the capability of decrypting the information in order to display it to us humans who's brains can't handle the computation necessary to decrypt at a speed that is viable for information exchange. That's what allows your browser to show you what's going on. You don't see the gobbledy-gook that is happening underneath.

PGP is something entirely different, although it also uses encryption. PGP - which stands for Pretty Good Privacy - encrypts information/data and stores it in that encrypted form. Now, you can encrypt information then send it over non-secure channels. But it would require that the person or application on the other end is also using PGP and they have your public key (the other half of the private key you use to encrypt) in order to decrypt the message/information or whatever it is you sent.

You can also encrypt stuff you store on your server or your own personal computer and only decrypt it when you need to use it. A very good idea if you are going to store something like financial information in a database for instance.

They are two completely different, but similar things.

And some version of both is installed on the servers here.

[Teri]

Oh - and I forgot to add -

I don't know how to enable SSL on these servers. On the other webhost I use, the WHM panel has all the necessary functions available to enable SSL and set up a server for secure socket. It also allows me to generate an SSL certificate for the server.

The WHM panel here does not give you those options, so it has not been enabled here. It's a configuration thing.

I also have a webhost with Plesk, and SSL is enabled and managed through the Plesk control panel, as well as having certificates generated.

Be aware also that you need to have a static IP address to have your own certificate. You can use SSL on a shared server, but you will also be using a shared certificate. For some this is acceptable. For some this is not.

And where you get your certificate will also determine whether or not you need a static IP.

[velvetgold]

Has anyone got it working? Do we have to turn this module on somehow or do we need root access for this?

Can someone give us a few specifics for this server instead of 'yeah it's there... somewhere'

If it's there we'd like to use it...

Thanks for your reply Teri, but we just want some specifics so we can get a solution that we can use on the server.

[darius]

Thanks Teri,

But I started this post to inquire if we are able to have OpenSSL on Page-Zone servers. I am not not really interested in what other webhosting companies do as I am with Page-zone.

I know that we can have Thawte or Verisign or anyone else we wish, but my client was trying to save costs which is why I am asking about OpenSSL.

Thanks all.

Darius

[velvetgold]

What's the deal? How do we implement OPEN SSL on this server?

[Jim]

We support openSSL but you will need a dedicated IP.

Here is the stock answer from the help desk:

In order to enable SSL for a website you need to first purchase a dedicated IP from us for the site.
It is item #2000 at:
http://www.page-zone.com/paysystems

**********

Then fill in the following questions for the signing request:

Email Address the Cert will be sent to:
Host to make cert for (e.g. www.yourdomain.com):
Country (2 letter Abbrivation):
State:
City:
Company Name:
Company Division:
SSL Admin email (e.g. mail@yourdomain.com):
Password Desired:

************
You will then receive a signing request at the address given above within 12 hours.
Take the signing request to the certificate supplier of your choice. Choose "Apache + MOD SSL" as the server type when they ask.

One place to start looking for a certificate supplier can be here:

http://directory.google.com/Top/Comp...e_Authorities/

******************
Give them the signing request you recieved from us in plain text format. Give us the files that they give you back and we will install it on the server.

[stratplan]

looks like an old copy for openSSL may have a problem: here's the URL:

openSSL / Slammer advisory

I imagine Page-Zone is up to date tho.

[s_mack]

Sorry Jim.. found this thread after I used the help-desk to bug you... but the answer should go here since so many are looking.

The Q is basically the same as above...

We want to use SSL on our sites for secure transactions but we do NOT want to pay for a certificate. OpenSSL sounds like the answer, but we seem to have no idea how to actually implement it.

As well, what are the downsides to using an OpenSSL cer