
I'm building a service that is basically a decentralized Amazon.

Basically, each seller hosts a copy of the site, at their own IP address, and accepts (bitcoin) payments using a self-hosted bitcoin wallet that I made for this purpose.

My difficulty is this: I don't want to force every single one of these nodes to buy their own TLS certificates, but I still need the requests to be encrypted. Would self-signed certificates work for this situation?

If they wouldn't work, what options do I have?

thouliha
  • You cannot force security on your sellers - each one is going to have to be responsible for their own store. This is why services like Amazon exist: to take care of these infrastructure problems for the vendors. Can I ask why *you* require the requests to be encrypted? – schroeder Apr 10 '15 at 21:32
  • There are password fields, and each seller can receive bitcoins, so I'd of course prefer that to be encrypted. I should also mention that every seller hosts the ENTIRE store, not just their own. – thouliha Apr 10 '15 at 21:50
  • https://letsencrypt.org/ is an option. – Deer Hunter Apr 10 '15 at 21:51
  • @schroeder These websites would definitely need to be encrypted since an attacker could modify pages across an unsecured connection (ex. changing the bitcoin payment address to his/her own) – Aron Foster Apr 10 '15 at 21:51
  • @DeerHunter I'd love to use letsencrypt, but it hasn't launched yet – thouliha Apr 10 '15 at 21:53
  • @AronFoster I completely agree - but the fact remains that secure http connections cannot be *enforced* by the person writing the webpage to be distributed. And, as I point out - it's the *sellers* who would be most interested in the secure connections (due to issues you point out): the developer can only do so much. – schroeder Apr 10 '15 at 21:55
  • @schroeder I should mention that this site is basically a self-contained runnable exe (actually a jar) that sets up an embedded web service and website. Totally portable, and installable on any machine. I just have to point to a cert file (or in my case, a Java keystore file (.jks)). What would be the best way to go about this? – thouliha Apr 10 '15 at 21:59
  • Are you using a custom client or a regular web browser to access your stores? – thexacre Apr 10 '15 at 23:36
  • @thexacre regular web browsers. – thouliha Apr 10 '15 at 23:37
  • @thouliha what about using subdomains? This way you only need one certificate. – ifm Apr 11 '15 at 00:50
  • @ifm Don't see how that's possible. There could be a lot of ip addresses hosting it, and adding them as cnames wouldn't be too portable. – thouliha Apr 11 '15 at 00:52
  • @thouliha you can run your own dns server and add an interface for the user to set their subdomains and A registers, this way your users are not forced to buy their own SSL certificate – ifm Apr 11 '15 at 01:13
  • @ifm The cost to that plan is getting a wildcard cert, which is pricey. – schroeder Apr 11 '15 at 03:20
  • @schroeder yes, indeed it is – ifm Apr 11 '15 at 03:34

1 Answer


From your description in this query at stackoverflow I get the information that all customers will use their browsers to contact these sellers.

When you only use self-signed certificates or use your own CA for the sellers, each of these customers must explicitly add an exception (or your CA) to their browser. And of course they should not just trust anybody claiming to be the seller, so they need an independent way to verify the certificate before accepting the exception, like a written letter from you with the certificate's fingerprint.

Of course this does not scale. Also lots of customers will probably refrain from using this service, because of all the hassle and the perceived (and maybe real) insecurity.

Steffen Ullrich
  • Is there no way for this to work then? Every seller has to buy their own SSL cert? – thouliha Apr 10 '15 at 21:47
  • Correct. Every seller has to identify its server by using a trusted certificate. This can either be done by buying a certificate from a CA which is already trusted by the browser or by creating your own certificates. But in the latter case there is no pre-established trust, so you have to convince each of your potential customers that they should add the specific seller explicitly as trusted, which is usually not the way to get lots of customers. Compared to these efforts buying a certificate is cheap. – Steffen Ullrich Apr 10 '15 at 22:03
  • I'm not sure if this will work for my case. This is decentrally hosted, meaning many IP addresses are running the site. – thouliha Apr 10 '15 at 23:14
  • It's not a question of IP but of hostname. If these are all subdomains of a single domain then they could share a wildcard certificate. Of course if these are all independent resellers then they should not share a certificate because they should not share the private key for security reasons. – Steffen Ullrich Apr 11 '15 at 06:50
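The out-of-band fingerprint check the answer describes, as an added example (not the asker's project code and not from the answer): a customer-side Python client that skips chain validation, which a self-signed certificate would fail anyway, and instead accepts the seller's certificate only if its SHA-256 fingerprint matches one obtained independently. Host, port and the pinned value are assumptions; the sample bytes are constructed and are not a real certificate.

```python
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex, no colons."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Compare the certificate's fingerprint against the pinned value.

    `expected` is what the customer received out of band (e.g. the seller's
    letter) and may be in OpenSSL's "AB:CD:..." form. The comparison is
    constant-time so a wrong pin does not leak how many bytes matched.
    """
    normalized = expected.replace(":", "").strip().lower()
    return hmac.compare_digest(cert_fingerprint(der_cert), normalized)


def connect_pinned(host: str, port: int, expected: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection whose only trust anchor is the pinned fingerprint.

    Chain and hostname checks are disabled on purpose; the pin replaces them.
    On mismatch the socket is closed before any application data is sent.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                          server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not fingerprint_matches(der, expected):
            raise ssl.SSLCertVerificationError(
                f"certificate for {host}:{port} does not match the pinned fingerprint")
    except Exception:
        tls.close()
        raise
    return tls


# Constructed stand-in for a DER certificate (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x00constructed-sample-certificate-bytes"


def demo() -> bool:
    """Pinning succeeds for the genuine bytes and fails for tampered ones."""
    pin = cert_fingerprint(SAMPLE_DER)
    return fingerprint_matches(SAMPLE_DER, pin) and not fingerprint_matches(SAMPLE_DER + b"x", pin)
```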