Has anybody used openSSL before to secure a connection? Will this take the place of me having to purchase a certificate so that I can use SSL? What are the pros and cons?

I don't claim to be an expert here, but this is what I think I know based on using cURL and what I end up advising users of my software who are trying to post to a page at an https address.

You don't need an SSL cert on your server to handle an SSL cert on another server. Here, in extremely simplified form, is how SSL works:

1) A site make a special number available to everyone known as it's "public key". With many of these keys comes a certficate authority which effectively says, to varying degrees, "I know this company/person."

2) A browser or PHP application or an other application makes a connection to that webpage using the https method.

3) The request uses the special number from step 1 above to encrypt the webpage or web request.

4) The page that hosted the initial certificate uses a private number that can't be figured out from the public number to decrypt the message.

So, as you can see the whole method only depends on your ability to use the public key to encrypt something being sent to a server. cURL is something that handles that for you as well as the ftp functions and file_get_contents -- depending on what your server has installed.

i can set up SSL on my server and it (i think) works and i can use https but i get the whole thing with IE7 and error msgs etc goin this site oculd be unsafe.
and i would have to pay to get it so that they just do it and know im safe?

So is there any free way to do it?

you getting those errors because the initial cert that you set up is an unsigned certificate. That means that you're browser doesn't know if you should trust it or not, because it was signed be the same person who made the site. To get rid of this problem, you could purchase a signed certificate from a well known company. I use Thawte SSL 123 and I haven't had any issues with it. There are many others, Verisign is another, but make sure to see if there included in the major browsers.

For SSL I use GoDaddy which is much cheaper. You can also look at http://www.cacert.org/ , but they're not part of the default list.

So, you're probably asking what this list is all about. In short, each browser comes with a collection of companies that it "knows" and "trusts" to issue secure certificates. If a certificate is issued by one of these Certificate Authorities (CA), then the page is transmitted using the certificate and the end user doesn't know anything's even going on. If, however, the CA is not in that list, then a popup or warning happens to the user who must then click through to accept the certificate. The ONLY reason you buy a secure cert is so that box doesn't popup - it's one of the few actual confirmed conspiracies out there. There is ZERO added security that you get from paid certificates. Now, there are those out there who will tell you that fake SSL certs can be used to steal data, but AFAIK to use such a cert would require access to the server hosting the cert which means they can do whatever they want, so I don't see any advantage there. Disagree? I don't care. Agree? Then check out http://www.cacert.org/ which is working to break the effectiveness of the conspiracy while maintaining all the advantages.

ok just correct me if im wrong here.. when you buy a cert do they actaully check your safe? and "trusted"??

Dan

If it's just a domain check SSL cert, they basically just try to secure your connection and certify that the url that appears on your browser is the same site you are browsing. They do not check if you are a legitimate company or just a scammer. But they do offer High Assurance SSL certificate that checks if it's a legitimate company.

You can also issue your own cetificate but just like what JeremyMiller says if you are not on the list of Certificate Authorities... the users browsing your site will be notified that the certificate is issued by somebody they do not trust and ask them if they want to continue. Lol.

Depending on the CA, they check various aspects of your company depending on the certificate that you pay for. All that really means is 1) you can use their logo that shows how well they know you, 2) you pay more, and 3) the popup irritant isn't exposed to your customers. There's absolutely NO difference in the level of encryption provided and so long as the secure cert comes from ANY default-recognized CA you won't get the popup -- which cert you buy doesn't matter at all in 99.999999999999% of cases. There may be a random moron out there who checks it all and will base their online sales on the certifcate level, but they are, as I said, morons.

Secure certs don't mean ANYTHING WHATSOEVER about security!!!! Let me give an example: If you pay for the best secure cert from Verisign and you either

1) Process payments through your payment processor and don't store any of the credit card information to ensure absolute security of the credit card information; or

2) store everything about a credit card process including the CVV, address, cc #, and everything else

... Guess what!!! You get the exact same level of encryption!! AND at THOUSANDS OF DOLLARS in difference!

I'm NOT bullsh*itting you here - I've literally seen databases which contain peoples' CVV along with credit card and billing address in unencrypted format. The secure cert doesn't prevent them from storing that information at all. They've also had passwords of fewer than 10 characters and all letters stored using an MD5 hash which means only 26^10 possible combinations which a computer can check against in a matter of seconds to minutes to hack! It's absolutely ridiiculous!

That leads me to this very, very important point for people who buy online:


NEVER GIVE YOUR CC # ONLINE -- USE THOSE ONE-TIME CC #'S THAT MOST CREDIT CARD COMPANIES WILL ISSUE.

CYA!!!

For website owners who absolutely don't want a popup (or worse) to stop visitors from coming to their site, BUY THE CHEAPEST CERT AVAILABLE FROM A CA THAT'S INSTALLED IN IE BY DEFAULT!!! You risk absolutely nothing by going cheap here!

The SSL market is a ripoff IN ABSOLUTELY ALL CASES!!! Don't let them steal money from you to promote a racket that ought not to have existed from the very beginning.

i cant afford to pay out for one, i belive i have a shared ssl on the server so i should be able to use it, i think i just have to use it like ip.ipi.pip.ip/~dan/sslfile.php

which is gay