NotGiven wrote:
> I successfully installed openssl on hosted server. The host company says
> that offers no security or encryption unless I buy a certificate from them
> or a third party like verisign.
>
> If I try to open my site using httpS://, a prompt pops up telling me the
> cert is not certified by anyone and do I want to accept it.

This is standard (and "the" standard) behavior. Ie., do _you_ trust
that this is a legit cert?

> I accept it and there is a locked key in the browser.

And the protocol in the browser's url is https -- note the added "s"
(as in secure) -- so long as you're using ssl/https.

> Is the traffic encrypted (thus the tech is wrong)?

The tech is clueless :-) Try sniffing the traffic with ethereal.

> It is interesting in that the hosting company's login has the SAME prompt
> when logging in.

Anyone can generate a certificate with whatever location, etc. info
they please. The purpose of a "trusted" third party is to _verify_
that the certificate "owner" is who they say they are and that they are
relatively trustworthy (ie., sufficient score on credit report and/or
authorized to request certificate verification on behalf of the
organization).

For your own use (or a relatively small number of people) there is no
reason to obtain some
"seal of approval" from a third party. In fact, you might be surprised
how many organiztions have not renewed their expired certs.

hth,
prg

"prg" wrote in message
news:1135032922.921937.36430@z14g2000cwz.googlegro ups.com...
>
> NotGiven wrote:
>> I successfully installed openssl on hosted server. The host company says
>> that offers no security or encryption unless I buy a certificate from
>> them
>> or a third party like verisign.
>>
>> If I try to open my site using httpS://, a prompt pops up telling me the
>> cert is not certified by anyone and do I want to accept it.
>
> This is standard (and "the" standard) behavior. Ie., do _you_ trust
> that this is a legit cert?
>
>> I accept it and there is a locked key in the browser.
>
> And the protocol in the browser's url is https -- note the added "s"
> (as in secure) -- so long as you're using ssl/https.
>
>> Is the traffic encrypted (thus the tech is wrong)?
>
> The tech is clueless :-) Try sniffing the traffic with ethereal.
>
>> It is interesting in that the hosting company's login has the SAME prompt
>> when logging in.
>
> Anyone can generate a certificate with whatever location, etc. info
> they please. The purpose of a "trusted" third party is to _verify_
> that the certificate "owner" is who they say they are and that they are
> relatively trustworthy (ie., sufficient score on credit report and/or
> authorized to request certificate verification on behalf of the
> organization).
>
> For your own use (or a relatively small number of people) there is no
> reason to obtain some
> "seal of approval" from a third party. In fact, you might be surprised
> how many organiztions have not renewed their expired certs.
>
> hth,
> prg


Thanks!