OpenSSL New Trusted Root Certificate PHP/HTML Integration

Peter Anastos

I want to set up my website to use my OpenSSL generated root certificate -
and I intend on being a real certificate authority to clients. Once the root
certificate is installed the SSL certificate for the hostname issued from
that CA is accepted without warning by most browsers at standard settings.

Apparently, what I need to do is to silently test if an SSL connection will
be accepted by the client. (I have seen this in action when I installed the
software I am using this for, ZenCart, it tested whether an SSL connection
could be created or if it times out during its PHP-Based installation. I
believe it uses Curl for PHP Security, but I don't really know what that is
to be quite honest.)

So, once I do the test, assumedly via php and/or in conjunction with
OpenSSL, I can have php/html send the file for downloading and installing by
end users, and then automatically continuing to the login & signup page (the
first SSL page the user would encounter), rather than encounter that absurd
IE7 "DO NOT CONTINUE TO THIS WEBSITE!" warning (excuse the exaggeration)
which may scare off *many* clients for my line of work. Explaining
installing a root certificate that is done via the method I have in mind
would be far less difficult or troublesome.

I appreciate all assistance greatly. Thank you in advance.

Peter
 
Jerry Stuckle

Peter said:
I want to set up my website to use my OpenSSL generated root certificate -
and I intend on being a real certificate authority to clients. Once the root
certificate is installed the SSL certificate for the hostname issued from
that CA is accepted without warning by most browsers at standard settings.

Apparently, what I need to do is to silently test if an SSL connection will
be accepted by the client. (I have seen this in action when I installed the
software I am using this for, ZenCart, it tested whether an SSL connection
could be created or if it times out during its PHP-Based installation. I
believe it uses Curl for PHP Security, but I don't really know what that is
to be quite honest.)

So, once I do the test, assumedly via php and/or in conjunction with
OpenSSL, I can have php/html send the file for downloading and installing by
end users, and then automatically continuing to the login & signup page (the
first SSL page the user would encounter), rather than encounter that absurd
IE7 "DO NOT CONTINUE TO THIS WEBSITE!" warning (excuse the exaggeration)
which may scare off *many* clients for my line of work. Explaining
installing a root certificate that is done via the method I have in mind
would be far less difficult or troublesome.

I appreciate all assistance greatly. Thank you in advance.

Peter

Peter,

This has nothing to do with PHP. The certificate is handled completely
between the browser and the web server.

As Viza indicated - any browser will flag your site because they don't
recognize the certifying authority. This is a security issue for users
- for all they know, you could be a hacker or whatever. There is no
validation of who you are to get an openssl certificate.

That's where the VeriSign, Thawte, etc. come in. They perform at least
a little verification on who you are before issuing the certificate.

But you need to follow up in a more appropriate newsgroup. alt.php is not.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
(e-mail address removed)
==================
 
Peter Anastos

I have to disagree with both of you, quite strongly (no offense meant to you
Jerry.) Your insult (viza) is ironic and unnecessary, but I am going to hold
my tongue.

There is no argument that a certificate issued by ANY operational
certificate authority, that isn't on the website's host machine, as mine is
(solely to check for revocations), signed for use by my URL, which mine is
(so they know it is indeed my own certificate,) is any less secure than one
provided by a "trusted" certificate authority. Why? The answer is why not!

Well what if it's some hacker, you say? That makes no sense! If you trust
the website, quite explicitly by providing your personal details to it, then
you should trust a certificate provided by that website! (that meets the
normal standards - can be checked for revocation, and is for the URL it says
it is for, which any browser will test for you if you actually install the
certificate.) Instead IE7 just says "NO!" and you don't get to see whether
it is a real certificate for the site and people go around the single
warning, creating a less secure Internet all around.

If you wouldn't trust a proper certificate issued as I have described by the
host's own CA, then you should not be giving your personal details to the
site. It certainly doesn't create any less of a secure SSL connection. Any
SSL/PKI issues with the certificate is prominently displayed when you go to
install the certificate - like it being issued for a different website or
doesn't provide for enough security - instead of saying "only Microsoft's
trusted CA list is acceptable" in the strongest way possible by IE7. It is a
huge money making scheme.

SSL as currently implemented is a huge ball of smoke used to make a crapload
of money selling "trusted" SSL certificates that cost downright *offensive*
amounts of money. It is a ludicrously overpriced system that, clearly, most
people do not understand. It pisses the hell out of me, so excuse the rant.
I hope a flame war doesn't erupt. And hell, if you can tell me why I am
wrong, go ahead, I will accept legitimate logic in defeat. But I don't think
there is any.

And, for the record, I was asking for a way to script something that has
nothing *directly* to do with the authenticity of SSL/CA Certificates. It is
also something that IS done legitimately for some notable sites by people
with more than "2 brain cells" at the current time.

Peter

----- Original Message -----
From: "Jerry Stuckle" <[email protected]>
Newsgroups: alt.php,alt.html
Sent: Tuesday, June 17, 2008 9:15 PM
Subject: Re: OpenSSL New Trusted Root Certificate PHP/HTML Integration
 
viza

I have to disagree with both of you, quite strongly (no offense meant to
you Jerry.) Your insult (viza) is ironic and unnecessary, but I am going
to hold my tongue.

I didn't say that you were stupid, I said what you were trying to do was
stupid. If you take that as an insult then I apologise.

There is no argument that a certificate issued by ANY operational
certificate authority, that isn't on the website's host machine, as mine
is (solely to check for revocations), signed for use by my URL, which
mine is (so they know it is indeed my own certificate,) is any less
secure than one provided by a "trusted" certificate authority. Why? The
answer is why not!

You have still misunderstood the purpose of a certificate. As much as I
hate to say it, IE is right and you are wrong. Look it up:

http://en.wikipedia.org/wiki/Man_in_the_middle

Well what if it's some hacker, you say? That makes no sense! If you
trust the website, quite explicitly by providing your personal details
to it, then you should trust a certificate provided by that website!

No, no, no.

Suppose I trust https://mybank.com/, because I saw a poster behind the
counter in the high street branch with that address on it.

I go home and try to visit that site. My browser looks up mybank.com in
DNS, but someone is interfering with DNS and I get the wrong IP address,
or perhaps I get the right IP but someone is rerouting my packets to some
other machine that is spoofing that address.

If I accept a root certificate from any machine that offers me one, I
have no way of knowing if I am in communication with my bank or some
other machine.

If I only accept a certificate that is signed by a trusted authority (eg:
one that didn't come over the network, but came on a CD with a difficult
to replicate hologram on it) then I can have some confidence that whoever
can interfere with the network at large, they cannot eavesdrop or
interfere with my connection to the bank.
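
The scenario in the post above, as an added example that is not part of the original thread: two unrelated CAs each issue a certificate for the same hostname, and whether a chain validates depends only on which root the client already holds. The names `mybank.example`, "Real CA" and "Rogue CA" are constructed for the demo, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Constructed demo. "mybank.example", "Real CA" and "Rogue CA" are made-up names.
set -u

make_ca() {      # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_leaf() {   # $1 = CA prefix, $2 = leaf prefix, $3 = hostname
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

# Does the leaf chain to this one trusted root AND name this host?
chain_ok() {     # $1 = trusted root, $2 = leaf cert, $3 = hostname
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

demo() {
  local d host=mybank.example
  local a_site a_fake b_fake
  d=$(mktemp -d) || return 1

  make_ca "$d/real"  "Real CA"
  make_ca "$d/rogue" "Rogue CA"
  issue_leaf "$d/real"  "$d/site" "$host"   # the genuine server certificate
  issue_leaf "$d/rogue" "$d/fake" "$host"   # same hostname, different issuer

  # Client A received the real root out of band (the "CD with a hologram").
  a_site=$(chain_ok "$d/real.crt" "$d/site.crt" "$host")
  a_fake=$(chain_ok "$d/real.crt" "$d/fake.crt" "$host")

  # Client B installed whichever root the network connection served it.
  b_fake=$(chain_ok "$d/rogue.crt" "$d/fake.crt" "$host")

  rm -rf "$d"
  echo "$a_site $a_fake $b_fake"
}

demo   # expected: yes no yes
```

The third result is the point of the thread: a root delivered over the same untrusted channel makes the impostor's certificate validate just as cleanly as the genuine one, hostname match included.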
 
Andy Dingley

There is no argument that a certificate issued by ANY operational
certificate authority, that isn't on the website's host machine, as mine is
(solely to check for revocations), signed for use by my URL, which mine is
(so they know it is indeed my own certificate,) is any less secure than one
provided by a "trusted" certificate authority. Why? The answer is why not!

Of course it's less secure. Yours is self-generated, so isn't signed
by any "trusted" CA at all.

It's obvious that a non-signed cert isn't worth the paper it's written
on. Your real beef is that you don't much trust the big-name CA's to
sign it either, and not without reason (Matt Blaze's quote is
apposite).

If you want to set up "trust" without using Thawte, Verisign etc.
then look at doing it with PKI and a _web_ of trust (much better than
the Global Megacorp "Trustworthy because they're Big" CA model).
Search around the "Legion of the Bouncy Castle" (yes, really) for
tools to do this with Java.

PKI works for smaller groups of clued-up clients who use PKI and can
do the initial legwork beforehand. It works rather better in fact.

However for random web shopping from your Mom, it's big CAs or
nothing. Unless you're Dilbert.
 
Andy Dingley

Perhaps in the scope of security per se, but the whole "certificate
program" is just a bunch of crap, -a scam for unscrupulous entrepreneurs to
make money,

To be fair to Mark Shuttleworth, the deeply-scrupulous entrepreneur
behind Thawte, he's taken this particular pile of money and spent much
of it on Ubuntu distros and spaceflight, two things I heartily
support. I guess the rest of it he just frittered away :cool:
 
dorayme

Neredbojias said:
It's
like the astronomical rise in cigarette prices: yeah, sock it to the old-
timers who are really addicted and have trouble quitting and call it a
"fair" solution contrived by the politicians

It is young women who have been taking up fags big time in many western
countries. And overall consumption is price sensitive so it is not a
stupid thing for governments to exercise a little control here.

They must keep it as high a price as possible without causing people to
resort to crime to obtain it.

By the way, Travis, here is a nice example where the zoom feature in
Opera (and I presume FF3 and IE7) comes into its own:

<http://www1.worldbank.org/tobacco/book/html/chapter1.htm>

I needed to zoom the diagram to read it properly. It is a badly made gif
in the first place, not only too small but not sharp. But here the zoom
helps out without having to do some precious Bergamot thing of getting
all in a huff and finding an alternative site.
 
dorayme

Neredbojias said:
I do not deny the problem, it is the ersatz "solution" to which I take
exception. Overtaxing a cheap commodity whose use is officially
frowned-upon is not my idea of an erudite remedy. However, it does
provide a scintillating testament of the actual intelligence of those
who rule the country. But as I intimated before, probably at least 50%
of the common masses subscribe to this crap as a viable methodology for
curbing what they consider to be nasty indulgences. The trouble is the
curb is inversely proportional to the free income of the indulger. Down
Democracy, up Capitalism!!

A reasonable assessment of the intentions behind severe taxes on harmful
products depends on understanding what they are and whether they are
likely to achieve their aims.

I have argued elsewhere that it is a disastrous policy to prohibit
completely or even to make it prohibitively expensive for people to
obtain the means to harm themselves. New home:

<http://dorayme.890m.com/opinion/drugLaws.html>

As for the question of putting a few hurdles in the way of people
obtaining the means to harm themselves, I am fairly confident that a
modern democratic state has some responsibility towards its citizens in
this regard and should be able to go as far as to adopt some price
sensitive controls. It is known from various studies that the take up of
many things like alcohol and cigarettes, on the whole, are price
sensitive.

Perfect justice and perfect equity are not possible and you will never
see the point I am making until you step back and look at things as
whole. Don't let the plight of the less fortunate members of society,
income-wise and otherwise, skew the picture as a whole.
 
dorayme

Neredbojias said:
A very sophisticated reply; my hat's off to you.

You are sending me a hat? All I have ever wanted from you is hard cash
and a scoop from your brain.

However, although
perfect justice and equity may not be possible, when one ceases to strive
for same, even traditional justice and equity become lost to the myths of
the deluded. ...
if you wish to believe that governments have the right to unequally tax
its citizens for their supposed good, have at it. There is no surprise
in this at all.

Read the article above to see I don't sympathise with nanny government.

What you are missing almost for sure is cold hard things like it is in
the interests of everyone that they are not carrying people in society
that do not pay their way, so policies that discourage people from
ruining their health makes economic good sense. Since taxes on fags and
alcohol do have an effect on this (perhaps rather surprisingly to some
observers - mainly cynical ones that do not have faith in the good sense
of many human beings), it is prima facie, wise Govt policy.

Remember, governments collect our taxes and I am saying here that if
they do not collect these taxes on these products, they will end up
collecting more tax from other sources (like income tax) to pay for the
trouble caused by the over use of harmful substances. To pay for the
hospitals needed, the loss of productive capacity of its population and
so on.

I also believe there are some moral obligations on the community as a
whole to look out for its weaker members but you can leave this one out
for quite a while.
 
dorayme

Neredbojias said:
But who's more likely to "pay their way", a dependable, working person
who can well-afford the price of cigarettes or someone who for some
reason has trouble holding jobs and resultantly has less free income?
What I'm supposedly "missing" seems to be a non-sequitur.

The point you are missing now is that on average, a person who is
variously incapacitated by legally obtainable substances (to limit the
scope of this little discussion) is more of a cost on everyone else than
someone who does not suffer such harm. If there is a way to reduce
consumption of such substances without hugely unwanted effects, then it
is a rational thing for a society to enact.

You might dispute all sorts of things in this, but it would be nice if
you could understand the point being made.

Damn, more dogma! Sure, higher prices have an effect on demand, -duh,
but "this" applied inordinately to cigarettes makes it wise govt policy?
-My ass. What'll be for sale next, -human rights?

Is your point that if a course of action is reasonable (taxing fags to
reduce consumption) and it looks a bit like another unreasonable course
of action (taxing the amount of air breathed), then that is sufficient
to make the reasonable course of action unreasonable?
 
dorayme

Neredbojias said:
I really don't dispute that (-at least where there are the appropriate
social programs.)

As long as you count non-government help too. People do not stand
completely aside when fellow citizens need help just because the state
does not provide it. This help is still a cost to society even if an
aggregate of private action.

It depends on the "way", which is what we are discussing.

_My_ point is...well, see below.


That's it!

It is hard discussing something like this with someone who will simply
accept reductio ad absurdums. <g>

If a course of action is reasonable, then it is reasonable. Full stop.
Nothing else can make it unreasonable under the assumption that it is
reasonable. You do programming. You must understand scope.

My point is that taxing cigarettes (or anything else)
excessively to reduce consumption is NOT a reasonable action.

Why would you bother to make such a point or claim it for yourself, it
being simply tautological. If something is excessive, of course it is
unreasonable. That is what excessive means: unreasonably large.

I am talking reasonable taxes. Are you denying there are any reasonable
taxes for the express purpose of reducing consumption and using the
money to help pay for the services that such consumption will require?

Flat taxes
place an undue burden upon the lower-income members of society; why do
you think they have sliding-scale income tax? In short, the cigarette
tax is just another black mark on the democratic spirit of western
culture. It favors the rich man beyond the norm, which, of course, is
probably just what the politicians who promoted it intended.

Yes, this is a concern. But you need to know two things that may
alleviate your concern on this to some extent. The state does have an
option to tune the progressive taxes that already exist to counteract
this. And second, it is the poorer sections of the community who smoke
and drink more and so on. The richer folk that do, have the means to
make themselves not so much a burden. They have spare capacity to be
degenerate on the inside.

It may seem a bit unfair to you that some people should be able to more
easily be bad to themselves. But, let's face it, it's damnable to be poor
in many ways.
 
dorayme

Ben C said:
But does the treatment of people with smoking-related disorders really
cost any more?

Smoking gives you heart disease and cancer. But you get those anyway,
just maybe quite a few years later, if you don't smoke.

But you don't get fat later if you don't eat a lot. So your point cannot
be generalised to cover all self inflicted harms.

By shortening your life you may in fact be generously reducing the total
amount of state pension (where applicable) you get paid.

If your societies could really be hard and cold, and you had a lot of
time to evolve (which you have not got because the way everything is
going, earth is doomed) and weed out the weak, maybe you have something
going there.

But, let's face it, you people will not leave victims of self
afflictions alone. Your evolution has made many of you, not all, have
something called empathy and sympathy and pity.

The lives of the self afflicted will be prolonged, they will get
expensive treatment. But worse, your societies will lose the skills and
productive capacities of these folk. Many of the biggest drinkers,
smokers, eaters happen to be clever and useful.

It is reasonable to consider reducing their exposure to ill health and
to reducing their demise by taxation means for the moment till you can
steel yourself for harsher methods.
 
BootNic

On Sat, 21 Jun 2008 10:24:39 +0200 (CEST)
[email protected]

[snip]
That's it! My point is that taxing cigarettes (or anything else)
excessively to reduce consumption is NOT a reasonable action.
[snip]

They don't tax cigarettes to encourage a smoker to stop smoking.
They tax cigarettes because it's an addiction and they know that most
will pay more in order to get their fix.




--
BootNic Sat Jun 21, 2008 11:54 AM
I had a monumental idea this morning, but I didn't like it.
*Samuel Goldwyn*


 
dorayme

BootNic said:
They don't tax cigarettes to encourage a smoker to stop smoking.
They tax cigarettes because it's an addiction and they know that most
will pay more in order to get their fix.

Who is "they". When governments discuss this issue, not only treasury
but health, and when they seek advice from experts in various fields,
the issue I have been explaining comes up and is used. I can understand
folk can be cynical about it, they are about revenue from speed cameras
too, but it does not change the fact that the consumption of some
things, taken society wide, is price sensitive. So your remark that most
will pay for their fix needs to be seen in much richer context. More
people will also have less of whatever they are using or doing that is
bad for them, more will give up totally.
 
dorayme

Neredbojias said:
Okay... So "Joe Blowitoff" who's pretty loose and can't hold a job gets
a small stipend from welfare. He spends it all on overpriced cigarettes
then goes out on the street begging for vegemite or whatever. Now how
does this illustrate that raising the price of cigs alleviates the burden
on society?

It does not illustrate the benefit. You cannot illustrate the benefits
by looking at some unwanted effects. Perhaps you suppose that good
government policy cannot have bad side effects. Happy dreaming of
another less real world than this!
....


... I _do_ pretty
much deny that any reasonable taxes are levied expressly to reduce
demand/consumption whether they are promoted as such or not. OTOH,
helping to pay for any services entailed, such as auto license fees
supporting the making of license plates, does follow.

The taxes on cigs are _far_ from reasonable, and while they may reduce
consumption, they do so illegitimately.


So the rich can indulge but the poor can't? -And by government sanction?

A reasonable government should not sanction the rich, a reasonable govt
should do what it can. And the only thing I have been saying is that it
seems reasonable to me that if the consumption of some things are price
sensitive and that we do not go down the road of prohibition, there is a
middle way to limit the damage that society suffers in this matter.

What this middle road is will naturally be a matter of controversy. One
must take a whole of society look at it. You have to ask yourself the
question, should there be any flat tax on anything at all.

I rather favour the idea of it all being flat and there being no income
tax at all and that redistribution be made on the welfare side rather
the taxation side. But don't get me going on that. <g>
 
BootNic

Who is "they".

BRANSON, Mo. -- A Branson man has put a face to the anonymous
references people often make to "they" by changing his name to just
that: "They."

http://www.sfgate.com/cgi-bin/article.cgi?file=/g/archive/2004/09/23/namechange.DTL

When governments discuss this issue, not only treasury but health,
and when they seek advice from experts in various fields, the issue I
have been explaining comes up and is used. I can understand folk can
be cynical about it, they are about revenue from speed cameras too,
but it does not change the fact that the consumption of some things,
taken society wide, is price sensitive. So your remark that most will
pay for their fix needs to be seen in much richer context. More
people will also have less of whatever they are using or doing that
is bad for them, more will give up totally.

Life is a silly little thing that some endure longer than others. The
really good thing about life in general is that it's fatal. As far as
anyone really knows, the purpose of life is to fail.

Another thing about life, the longer something is alive, the chance of
the next moment being fatal increases.

The bottom line is that anyone that reads this will now know for sure
who They is.




--
BootNic Sat Jun 21, 2008 9:11 PM
"Do not trust your memory; it is a net full of holes; the most
beautiful prizes slip through it."
*Georges Duhamel, The Heart's Domain*


 
dorayme

BootNic said:
Who is "they".

BRANSON, Mo. -- A Branson man has put a face to the anonymous
references people often make to "they" by changing his name to just
that: "They."

http://www.sfgate.com/cgi-bin/article.cgi?file=/g/archive/2004/09/23/namechange.DTL

I am surprised he were able to get their application approved.

Another thing about life, the longer something is alive, the chance of
the next moment being fatal increases.

Maybe, it depends. The chances for tiger and lion and other wild animal
cubs goes counter to this.
 
dorayme

Neredbojias said:
Jesus Christ!!

Okay, look; let's drop it. I've stated my position and given what I
consider are good reasons in support of same. If you're not having any,
so be it. I know you are an intelligent person and can work things out
for yourself. If nothing else, though, you should feel at least a little
guilty for promulgating an off-topic subject at length while I was
earnestly trying to bring about a neat and tidy resolution. For shame,
girl!

I can see you tire easily. And don't patronise me, you are the poor
schmuck here needing help. <g>
 
dorayme

Neredbojias said:
Hey, I'm a cut-up; I admit it. It's more fun, and, besides, serious topics
are never resolved, anyway. They're ultimately boring, too.

As for patronizing you, I didn't even know you were open for business.

Oh yes, I am always open for business, do you want your beating with
bare knuckles or with a nice tight leather glove as in the service
provided to the psychopath in the sports stadium in Dirty Harry?
 
