
I'm building a site that is basically a decentralized Amazon.

Basically, each seller hosts a copy of the site at their own IP address, and accepts (Bitcoin) payments using a self-hosted Bitcoin wallet (https://github.com/tchoulihan/bitmerchant) that I made for this purpose.

My difficulty is this: I don't want to force every single one of these nodes to buy their own SSL certificate, but I still need the requests to be encrypted. Would self-signed certificates work for this situation?

If they wouldn't work, what options do I have?

Edit: this is for the front-facing site, i.e. browser SSL.

dessalines
    This kind of question is better asked at security.stackexchange.com. Please also describe more clearly where the secure communication should take place, i.e. is it between your server and their servers or are browsers of customers involved. – Steffen Ullrich Apr 10 '15 at 19:57
  • @SteffenUllrich It's for the front-facing site, i.e. browsers – dessalines Apr 10 '15 at 20:20
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/), [Information Security Stack Exchange](http://security.stackexchange.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. – jww Apr 11 '15 at 21:27
  • @thouliha - you're missing the point. Stack Overflow is a site for programming and development questions. You are a developer and you have a devops question. But the question is not automatically on-topic because you are a developer or the subject is devops. This is a perfect counter example. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306). – jww Apr 11 '15 at 21:49

2 Answers

1

> I don't want to force every single one of these nodes to buy their own ssl

Why not? StartSSL is at least one provider that offers signed certificates for free...

Any other option that you do is going to be simply trying to reinvent SSL (and poorly at best).

Just use SSL and be done with it.

ircmaxell
  • I've tried using StartSSL before, but unfortunately it won't work with straight IP addresses. They require a domain, and you have to have an email account on that domain. – dessalines Apr 10 '15 at 21:52
  • @thouliha [IP Based SSL Certs](http://stackoverflow.com/questions/1095780/are-ssl-certificates-bound-to-the-servers-ip-address) are possible, but rarely used. I would ask why that requirement exists. Heck, if you really wanted to you could get a domain name, and hand out free subdomains to people... – ircmaxell Apr 10 '15 at 22:01
  • This is decentralized, so it's going to be a lot of different IP addresses running this thing. – dessalines Apr 10 '15 at 22:02
1

> My difficulty is this: I don't want to force every single one of these nodes to buy their own ssl, but I still need the requests to be encrypted.

Join a root program, like [formally called] GeoRoot. These root programs let you become a subordinate CA so you can issue certificates for domains and subdomains over which you have administrative control.

Or, point your users to CAcert or StartSSL. Both issue Class 1 end entity certificates for free. Their certificates are trusted in most desktop and mobile browsers. They charge for revocation because that's where the cost lies.

> Would self-signed certificates work for this situation?

No. Browsers have moved against self-signed certificates.

Related, browsers are full of these subordinate roots issued to organizations. The problem is the CAs usually certify the organizational subordinate without name constraints. The independent third-party auditor was removed (the RA), and the complementary security control (name constraints) was not used. So an organization like yours could issue certificates for any domain, and not just the ones you administer. ("The inmates are running the asylum" comes to mind.)

An example of such a CA is GeoTrust. An example of an unconstrained subordinate issued to an organization is Google Internet Authority G2.

A related question on Information Security Stack Exchange: Should name constraints be present on a subordinate CA issued to an organization?

And the IETF's position in the PKIX working group (bad idea): How to handle organizational subordinate CAs when I want to stop the flow of trust?

And the IETF's position in the DBOUND working group (bad idea): Another use case to consider....

Only the CAs and browsers think unconstrained subordinate CAs issued to an organization are a good idea.

jww
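The name-constraint control this answer describes, shown as an added example in Go's standard crypto/x509 (this is not code from the question or either answer): a subordinate CA restricted to the constructed zone marketplace.example, and a check that a leaf certificate for a name outside that zone fails chain validation even though its signature from the sub CA is perfectly valid. The zone, hostnames and subject names are all constructed, and every key is a throwaway generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error; fine here, every key is an in-memory throwaway.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl under parent with a fresh P-256 key; a nil signer means self-signed.
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if signer == nil {
		signer = key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// VerifyLeaf builds root -> name-constrained sub CA -> leaf for hostname and runs the
// chain validation a browser would; it returns nil only when the chain is acceptable.
func VerifyLeaf(hostname string) error {
	now := time.Now()
	ca := x509.Certificate{NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootTmpl, subTmpl := ca, ca
	rootTmpl.SerialNumber, rootTmpl.Subject = big.NewInt(1), pkix.Name{CommonName: "Example Root"}
	subTmpl.SerialNumber, subTmpl.Subject = big.NewInt(2), pkix.Name{CommonName: "Marketplace Sub CA"}
	// The control the answer says is usually omitted: this sub CA may only certify names at or under the constructed zone.
	subTmpl.PermittedDNSDomainsCritical = true
	subTmpl.PermittedDNSDomains = []string{"marketplace.example"}
	root, rootKey := sign(&rootTmpl, &rootTmpl, nil)
	sub, subKey := sign(&subTmpl, root, rootKey)
	leaf, _ := sign(&x509.Certificate{SerialNumber: big.NewInt(3), NotBefore: now, NotAfter: now.Add(time.Hour),
		DNSNames: []string{hostname}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, sub, subKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root); inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots, Intermediates: inters})
	return err
}
```

VerifyLeaf("seller1.marketplace.example") returns nil, while VerifyLeaf("shop.other.example") returns an error stating that a root or intermediate certificate is not authorized to sign for this name; without the PermittedDNSDomains lines both would validate, which is exactly the exposure the answer is pointing at.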