Which certificate, self-signed or not, should I buy

Discussion in 'Mac OS X Server, Xserve, and Networking' started by skov10, Aug 25, 2014.

  1. skov10 macrumors newbie

    Joined:
    Dec 4, 2011
    #1
    Hello
    I will set my server up so my network users can log in to my server; there they have a personal drive for personal documents and a mail address.
    Which certificate should I buy? Or can I use a self-signed certificate?
    If anyone can recommend a cheap one, I will be glad.
    Thanks in advance.
    Best regards
    Skov 10
     
  2. talmy macrumors 601

    talmy

    Joined:
    Oct 26, 2009
    Location:
    Oregon
    #2
    The only downside I know of to a self-signed certificate is that users will see a pop-up window warning them about it, and then they have to accept it as valid. Anyway, it works fine for me, and the price is right. :)
     
  3. irnchriz macrumors 65816

    irnchriz

    Joined:
    May 2, 2005
    Location:
    Scotland
    #3
    You can get a basic SSL cert for £16 for a year from Xilo.net in the UK. I believe that they are a Comodo reseller. Anyway, it's peanuts to get one and worth it if you want to look professional. If it's just for yourself a self-signed cert is fine. If you add it as trusted on your Macs then you will not get the pop-ups warning you either.
     
  4. theluggage macrumors 68040

    Joined:
    Jul 29, 2011
    #4
    If you've only got a handful of users, *and* you know them (or, more important, they know you) personally *and* they're fairly tech-savvy *and* you're not protecting any really valuable information then maybe you can get away with self-signed, but it looks pretty unprofessional to use them for any serious purpose beyond testing.

    On a practical level, browsers vary in how they react to self-signed certificates. Safari is pretty relaxed about it - it just gives an information alert that you can click through, but Chrome and Firefox do their level best to put users off visiting a self-signed site (the latest version of Chrome is even more paranoid than before).

    As a matter of principle, though, even if someone mounting a spoofing, typosquatting or man-in-the-middle attack against your little server seems unlikely, users who don't really understand the implications should steer clear of self-signed sites, and encouraging them to do otherwise is bad practice.

    (The certificate system is rather imperfect, but it's the only user-friendly solution we have - sadly it's no use encrypting a message from A to B unless you have some way of verifying that B is really B...)

    There are some places offering free SSL certificates: e.g. https://www.startssl.com - although I haven't used them myself, and you should check that their terms and conditions cover your use.

    The alternative is to install your self-signed certificate on each computer that will be accessing your server (haven't tried this - you'll have to google for how to do it). For maximum security pedant points copy the certificate to each machine using physical media. If you only have a handful of users and you can get physical access to their machines this might work. However, in the modern environment when every user will want to access your server from their Mac, iPhone, second iPhone, iPad, iWatch, TV, car and smart fridge it might not be practical.
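
Added example, not part of any post in this thread: the approach described in post #4 (carrying the server's own self-signed certificate to each client by hand and trusting only that copy), sketched with the openssl command line. The host name `files.example.internal` and the file names are constructed and both key pairs are throwaway ones generated on the spot; the point shown is that a second self-signed certificate carrying the same name is rejected once the delivered copy is the only thing trusted.

```shell
#!/usr/bin/env bash
# Added example: constructed host name and file names, throwaway keys.

# make_cert DIR NAME CN: create a self-signed certificate DIR/NAME.pem.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# fingerprint FILE: SHA-256 fingerprint, the value to compare out of band.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# trusted_by ANCHOR CERT: succeed only if CERT validates against ANCHOR.
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# pin_check DELIVERED PRESENTED: accept a presented certificate only if it is
# the very certificate that was delivered by hand and validates against it.
pin_check() {
    [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ] && trusted_by "$1" "$2"
}

demo() {
    _d=$(mktemp -d) || return 1
    make_cert "$_d" server   files.example.internal   # the admin's certificate
    make_cert "$_d" impostor files.example.internal   # same name, different key
    cp "$_d/server.pem" "$_d/delivered.pem"           # copy carried on a USB stick
    pin_check "$_d/delivered.pem" "$_d/server.pem"   && echo "server:   accepted"
    pin_check "$_d/delivered.pem" "$_d/impostor.pem" || echo "impostor: rejected"
    rm -rf "$_d"
}
demo

# On each Mac the delivered copy is then added as a trust anchor with:
#   sudo security add-trusted-cert -d -r trustRoot \
#        -k /Library/Keychains/System.keychain delivered.pem
```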
     
  5. talmy macrumors 601

    talmy

    Joined:
    Oct 26, 2009
    Location:
    Oregon
    #5
    I looked into the free certificates just to see if I should switch from self-signed. It would appear that you can't use them (or any paid certificate) unless the system has a registered, public domain name for the server. The OP didn't mention if he did or not. I know I don't (I have several registered domain names, but they are all outside hosted) so it's self signed for me or else I've got to buy another domain name just to use a (free) certificate.
     
  6. jeremysteele macrumors 6502

    Joined:
    Jul 13, 2011
    #6
    Exactly. They require a valid public domain. Many companies will simply use an existing domain and add on a subdomain to use for their internal server. So for example if they own blabla.com they may add on hq.blabla.com for their internal server.

    Another thing to remember also is browsers are getting insanely annoying about SSL warnings. If users will be accessing it via their browser - you really should get a cheap $9 cert from somewhere like namecheap.

    If it's strictly internal - then for most purposes that is the only downside. But man-in-the-middle attacks are oh so easy for self-signed certs... I still wouldn't risk it.
     
  7. jimmyco2008 macrumors regular

    Joined:
    Jan 8, 2014
    #7
    Interestingly enough, MacRumors does not use SSL. When we sign in, our passwords are basically out in the open...
     
  8. jeremysteele macrumors 6502

    Joined:
    Jul 13, 2011
    #8
    Would be hard for them to (supposedly). But they do hash all passwords prior to transmission. So not totally good, but better than "being open".
     
