37

I would like to use HTTPS to log in to my personal webpage (which is on shared hosting). So I went over to Google and started searching for solutions. Eventually I found out that I need an SSL certificate to accomplish that (I thought it's all something that's automatically enabled for each website, don't ask me why).

Then I went over to my hosting provider website and found out about the prices of these certificates... But I don't need something like that for my blog... I also found out that certificates can be self-signed, or obtained for free from certain certificate authorities.

What I'm wondering is - how should I approach this?
Since I'm the only one that's logging in there - should I generate my own certificate? Or get a free one from some CA? If yes - which CA? cacert maybe? Will it all stay transparent this way, or will I start getting warnings about custom and unverified certificate? Can I trust a solution like this?

Does it even make sense to try and do something like this if I'm using shared hosting? I mean, from what I've read, this certificate would have to be installed on the server, and not just put somewhere in my hosting folder (as I thought it would work). And the hosting provider won't do this for free, I guess, because it's kinda not in their interest (in any case I asked them, and am waiting for a reply)...

Should I just drop it, or is there anything I can do on my own?

tkit
  • Not quite duplicates, since this is a specific situation, but check out these questions for some more info: http://security.stackexchange.com/q/90/33 and http://security.stackexchange.com/q/146/33 – AviD Dec 15 '10 at 19:53

6 Answers

38

I like using StartCom for a free certificate. Until mid-2016, it was recognized in most major browsers and was better than using a self-signed certificate (no error prompts for users).

EDIT 2016: Major browser vendors like Mozilla, Apple, and Google have announced that they (and their browsers) no longer trust StartCom as a certificate authority, due to recently uncovered sketchy behavior by the certificate authority (see the links in the vendors' names for their announcements and the reasons why).

Edit 2017: Let's Encrypt is now a great option for personal use and seems to be accepted even more widely than StartSSL was. Downsides to Let's Encrypt are the relatively short validity of the certificate (3 months) but that is not overly burdensome if you are able to take advantage of the automatic renewal they offer through some of their tooling.

jhulst
  • +1 -- the only browser I have come across that did not support the certs from StartCom is the one on Android, though that appears to be fixed these days as well. – Michael Trausch Dec 16 '10 at 20:55
  • I also like (and use) StartCom. The Sony Playstation3 web browser is the only browser I've come across that doesn't trust it. – MattBianco Aug 15 '12 at 08:02
  • Java SE 6.0 doesn't trust StartCom certs either; I haven't checked 7.0, but I don't think anything has changed. – Hubert Kario Nov 03 '12 at 10:37
  • While I like the idea of free SSL certificates, we do need to keep in mind the limitations of these very-cheap validation protocols. They only validate control of the site at the time that the certificate is generated; they do not check with other CAs for previously issued certificates. A MITM attacker can act as your website while generating a new certificate they have a key for because the validator obviously won't use HTTPS to confirm ownership. If the attacker can sit in front of the CA, email and DNS verification can also be subverted. – LateralFractal Oct 22 '13 at 13:19
  • I downvoted because even though this answer offers a practical solution, it answers only a subset of all the justified things OP asked – phil294 Sep 25 '18 at 02:11
11

One of the only reasons you buy SSL certificates (and don't buy RSA/DSA keys) is for the trust relationships.

If you can securely import a self-signed SSL cert into your browser and install the SSL cert on your web server, there is no reason to involve anyone else.

See AviD's comprehensive description of SSL for more information. What SSL provides:

* It encrypts the channel
* It applies integrity checking
* It provides authentication

You can get all 3 of those if you use self-signed certs, but you have to securely install the cert on your endpoints to get the third feature.

Bradley Kreider
8

As of recently, it is also possible to get a free cert from Let's Encrypt, which is a free, automated, and open CA.

tkit
7

One thing you'll need to look into is whether you'll be able to have SSL on your shared hosting at all. If you've not got a unique IP address (e.g. with a VPS plan) then getting SSL working will be tricky.

Traditionally SSL is handled on a per-IP basis, not per hostname, so where you have name-based virtual hosting (most lower-end web hosting plans) it's not possible to assign unique certs to each site. That is possible now with SNI, but you'd need to check that your hosting company and browsers support it.

Rory McCune
  • The problem with SNI is that Windows XP and some mobile device browsers don't support it; anyway, if the OP only wants SSL for his back office he should go ahead if the shared hosting provider supports it. – Shadok May 13 '11 at 08:57
4

CACert, as you've mentioned, is good for SSL certificates, and is sometimes a little bit more useful than using self-signed certificates, because there's quite a few people now who do have the CACert CA certificate installed in their browsers, and they're quite big on building up a physical web of trust.

Andy Smith
3

Shared hosting providers will have to install the certificate for you. Although you can create a self-signed certificate, I have no idea if shared providers will install one. They provide the same level of security, but will cause browsers to show a warning since they're not registered with a certificate authority.

If you have a VPS or a managed VPS, you can install a self-signed cert yourself. You could call your provider, or see if they'll accept a cheaper 3rd-party certificate (GoDaddy's are like $12).

If you're only using this login for administrative purposes (adding content to a blog or something) and you have SSH access to your provider, you could tunnel over SSH into the host and access the site from localhost, preventing the credentials from being transmitted over the internet.

  • `They provide the same level of security` this is not accurate. It does provide the same level of protection against *interception*, but that's not the same thing. Specifically, self-signed certs do not provide *authentication* (in the general case). See my answer [here](http://security.stackexchange.com/q/5/33). – AviD Dec 15 '10 at 19:52
  • That's an interesting point about self-signed certificates and authentication. However, in this case it sounds like pootzko is looking for a cert for his own login; in that case, if he creates a CA and a self-signed certificate and imports the root into his browser, then he has that authentication. I'd agree that for most external (Internet) apps self-signed certs aren't a good option, but for internal/personal applications I think they can provide as much as a purchased one. – Rory McCune Dec 15 '10 at 21:39
  • @Rory, that's true, probably. That's why I didn't put that as a real answer (or downvote), but I felt the clarification should be in place for the next viewer... – AviD Dec 15 '10 at 22:19