0

I need an advice. I have created a password generator, which creates strong passwords on local PC (its a Progressive Web App).

But there is one problem: most site visitors are distrustful to the service. Should I buy a brand SSL certificate to get the site more trustworthy or it doesn't matter?

guntbert
  • 1,855
  • 2
  • 18
  • 21
  • 4
    People should distrust the service no matter what certificate you use. See [Is it safe to generate passwords online?](https://security.stackexchange.com/q/17940) – AndrolGenhald Dec 13 '18 at 19:39
  • Are there any organizations that can check the code of the website and issue a certificate of the security check that I could place on my site? – Antony Kidless Dec 13 '18 at 19:51
  • Such a thing would be meaningless. First, I expect you're thinking of those images that say something along the lines of "Certified by company xyz" with a green checkmark, but those offer no security, putting one on your site is as easy as copying and pasting. Second, this "certificate" is in no way tied to the code you serve from your website. You could easily update it at any time, or choose to serve a malicious generator to a subset of users. – AndrolGenhald Dec 13 '18 at 19:55
  • @AndrolGenhald: people here recommend using lastpass, which literally "generates passwords online"... – dandavis Dec 13 '18 at 21:45
  • @dandavis People recommend it as a password manager, and while I can see that [you're correct](https://www.lastpass.com/password-generator) it has a web based password generator I would assume you could use the password manager without generating passwords on a web page like that. While I personally wouldn't recommend it anyway, at least with LastPass you have some name recognition. If you google "password generator" and go to the first site you see you have no idea who is behind it. – AndrolGenhald Dec 13 '18 at 22:03
  • What an SSL certificate does is asserts that the website is the entity they claimed to be (to different degrees depending on the certificate level). SSL certificate does not assert the legitimacy of the entity itself. There are even [illegal torrent pirate sites](https://certsimple.com/blog/are-ev-ssl-certificates-worth-it) that have been able to legitimately obtain EV certificates (the highest verification level). – Lie Ryan May 12 '19 at 23:28
  • In the case of getting higher assurance SSL certificate, that only matters if you already have a business reputation that people already trusts. In this case, an OV/EC certificate Can be used to transfer your users' trust in your business over to the site. If you're running a brand new site without a well trusted business backing that trust, having getting higher verification certificates is worthless. – Lie Ryan May 12 '19 at 23:40

1 Answers1

1

A certificate does not mean trust of a product - malware and phishing sites now use legitimate SSL certificates from Let-Encrypt.

Also as mentioned by AndrolGenhald no one should trust a password generated from an online service for a large number of reasons - First being they don't control the source and cannot guarantee uniqueness or that it hasn't been recorded or served up from a list.

McMatty
  • 3,232
  • 1
  • 8
  • 16
  • And how can I prove the safety of the service? – Antony Kidless Dec 13 '18 at 20:22
  • 1
    @AntonyKidless: you would have to make everything happen on the client. On a program it could be a downloadable binary (along the source code so that you can compile it yourself). For a web app, all would be done in javascript and the application works (and even it is encouraged to do so) when downloaded and running locally (and no internet connection). At that point, you will probably in getting good enough randomness for a password at javascript level, though. – Ángel Dec 13 '18 at 21:42
  • imho, this is misguided. would you trust an app more? at least with the web, you can see the source and any net activity with the built-in debugger, whereas on "real apps", it's a lot more difficult to peek behind the curtain. Trust but verify, and web makes that easy. – dandavis Dec 13 '18 at 21:43
  • @dandavis I could agree with that under certain conditions: It's not minified or obfuscated and is easy to understand, and the user has enough knowledge to know what problems to look for (ie bad PRNG, uneven distribution, etc). Unfortunately I don't think those conditions are satisfied with the vast majority of sites or users. I think a much better reason to trust a password generator is by trusting the developer. – AndrolGenhald Dec 13 '18 at 22:07
  • Thank you so much guys for your replies. As mentioned dandavis above, everyone can check out the source code and any network requests. The site generates password by javascript, locally, on user's browser. So what about a certificate? What should I do? – Antony Kidless Dec 13 '18 at 22:38