Security FAQ - goofycoder/knowdb GitHub Wiki
Q: Are all SSL certificates the same?
A: Nope.
Domain Validation SSL Certificates
Domain validated SSL certificates are used to establish a baseline level of trust with a website and prove that you are visiting the website you think you are visiting. These certificates are issued after the SSL issuer confirms that the domain is valid and is owned by the person who is requesting the certificate. There is no need to submit any company paperwork to obtain a Domain Validation SSL certificate, and these types of SSL certificates can be issued extremely quickly. The disadvantage to these types of certificates is that anyone can get them, and they hold no real weight except to secure communication between your web browser and the web server.
Organization Validation SSL Certificates
An Organization Validation SSL certificate is issued to companies and provides a higher level of assurance than a Domain Validation SSL certificate. An Organization Validation certificate requires that some company information be verified along with the domain and owner information. This type of certificate is recognized by modern browsers and is indicated by a colored bar in the URL portion of the browser. The advantage of this certificate over a Domain Validation certificate is that it not only encrypts data, but also provides a certain level of trust about the company that owns the website.
Extended Validation SSL Certificates
An Extended Validation SSL Certificate is a "top of the line" SSL certificate. Obtaining one requires that a company go through a heavy vetting process, and all details of the company must be verified as authentic and legitimate before the certificate is issued. While this certificate may seem similar to an Organization Validation SSL certificate, the key difference is the level of vetting and verification that is performed on the owner of the domain and the company that is applying for the certificate. Only a company that passes a thorough investigation may use the Extended Validation SSL certificate, which provides users of the company's website with security and reliability.
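The three validation levels above leave visible traces in the certificate itself: a DV subject normally carries only the host name, an OV subject adds the vetted organization fields, and an EV subject additionally carries the business category, jurisdiction and registration number the CA/Browser Forum EV Guidelines require. The following classifier is an added example, not part of the original wiki; it takes a certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, prefers the CA/Browser Forum policy OIDs when the caller can supply them (the stdlib dict does not expose the certificatePolicies extension), and otherwise falls back to the subject-field heuristic. All sample certificates are constructed.

```python
# Added example: classify a TLS server certificate as DV / OV / EV.
# Input: a dict shaped like ssl.SSLSocket.getpeercert() (subject is a tuple of RDNs,
# each RDN a tuple of (attribute, value) pairs), plus optional certificatePolicies
# OIDs obtained elsewhere, e.g. from `openssl x509 -text`.

# CA/Browser Forum reserved policy OIDs: the authoritative signal when available.
CABF_POLICY_OIDS = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
}

# Subject attributes the EV Guidelines require beyond the OV identity fields.
EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber"}
JURISDICTION_FIELDS = {"jurisdictionCountryName",
                       "jurisdictionStateOrProvinceName",
                       "jurisdictionLocalityName"}


def subject_attributes(cert: dict) -> dict:
    """Flatten the nested RDN tuples into {attribute_name: value}."""
    attrs = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            attrs[name] = value
    return attrs


def classify_validation_level(cert: dict, policy_oids=()) -> str:
    """Return 'EV', 'OV' or 'DV'. Policy OIDs win; otherwise inspect the subject."""
    for oid in policy_oids:
        if oid in CABF_POLICY_OIDS:
            return CABF_POLICY_OIDS[oid]
    keys = set(subject_attributes(cert))
    if "organizationName" not in keys:
        return "DV"  # only the host name was validated; nothing about the operator
    if EV_SUBJECT_FIELDS <= keys and JURISDICTION_FIELDS & keys:
        return "EV"
    return "OV"


# Constructed sample certificates (hypothetical issuer, organization and host).
DV_CERT = {"subject": ((("commonName", "www.example.test"),),),
           "subjectAltName": (("DNS", "www.example.test"),)}
OV_CERT = {"subject": ((("countryName", "US"),), (("localityName", "Springfield"),),
                       (("organizationName", "Example Corp"),),
                       (("commonName", "www.example.test"),))}
EV_CERT = {"subject": ((("jurisdictionCountryName", "US"),),
                       (("businessCategory", "Private Organization"),),
                       (("serialNumber", "1234567"),), (("countryName", "US"),),
                       (("organizationName", "Example Corp"),),
                       (("commonName", "www.example.test"),))}

if __name__ == "__main__":
    for label, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT)):
        print(label, "->", classify_validation_level(cert))
    print("OV subject + EV OID ->", classify_validation_level(OV_CERT, ["2.23.140.1.1"]))
```

The subject heuristic is only a fallback: a CA may populate fields differently, so when you can read the certificatePolicies extension, pass its OIDs and let them decide.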
Q: What's the difference between DSA (Digital Signature Algorithm) & RSA?
Go with RSA.
DSA is faster at signature generation but slower at verification, and slower at encryption but faster at decryption; its security can be considered equivalent to that of an RSA key of equal key length.
The security of the RSA algorithm is based on the fact that factorization of large integers is known to be "difficult", whereas DSA security is based on the **discrete logarithm problem**.
The fastest known algorithm for factoring large integers is the General Number Field Sieve, which is also the fastest known algorithm for solving the discrete logarithm problem in the finite field modulo a large prime p, as used by DSA.
**$ openssl speed**
- DSA performs faster in generating a signature but much slower when verifying a signature of the same key length. Verification is generally what you want to be faster if you deal with a signed document: the signature is generated once, so it's fine if that takes a bit longer, but the document's signature may be verified much more often by end users.
- Both support some form of encryption, RSA out of the box and DSA via ElGamal. DSA is generally faster at decryption but slower at encryption; with RSA it's the other way round. Again, you want decryption to be faster here, because one encrypted document might be decrypted many times.
- In commercial terms, RSA is clearly the winner: commercial RSA certificates are much more widely deployed than DSA certificates.