I was under the impression that I wouldn't need to have an SSL/HTTPS certificate because I wouldn't be handling the credit cards - PayPal would do all that. However, I went over to the paypaldev forum and it looked like most people use OpenSSL or something like a Thawte certificate. I asked them why, for a site that only accepts PayPal, an SSL would be necessary - but I can't seem to get any answers. I don't use a shopping cart or accept credit cards directly.
Can somebody tell me the basic difference between OpenSSL and something like a Thawte certificate? Which, if any, do I need for my PayPal subscription using their IPN to update my database?
difference between OpenSSL and something like a Thawte certificate?
OpenSSL implements the SSL/TLS protocol. It does the encryption of the data stream and otherwise handles secure transmission. OpenSSL is *not* a Certificate Authority like Thawte and Verisign; it is a piece of software. With it, you can generate a self-signed certificate, but for the full deal, you would still need to deal with someone like Thawte.
Thawte is a certificate authority. They provide the assurance that you are who you say you are. In other words, as a user, if you have a self-signed certificate, I know that a snooper is not reading my data as it goes back and forth, but I don't know who is receiving my data at the other end. Thawte verifies that www.citibank.com belongs to CitiBank corporation and that the site is using a certificate that is registered to that company for use on that domain.
Tom
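The distinction drawn in the answer above, as an added example that is not part of the original thread: the OpenSSL command-line tool creates a self-signed certificate, the system trust store rejects it because no certificate authority signed it, and it is accepted only by a client that has been handed that exact certificate to trust. The hostname `shop.example.test`, the file names and the function names are constructed for illustration, and a current `openssl` binary on the PATH is assumed.

```sh
#!/bin/sh
# Added example: self-signed certificate vs. CA-backed trust.
# Hostname, paths and function names are constructed, not from the thread.
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
HOST="shop.example.test"

# OpenSSL (the software) makes a key pair and signs the certificate with
# that same key. No certificate authority is involved at any point.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$HOST" \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" 2>/dev/null
}

# Self-signed means issuer and subject are the same name: the certificate
# is the only party vouching for its own identity.
is_self_issued() {
  subj="$(openssl x509 -in "$WORKDIR/cert.pem" -noout -subject | sed 's/^subject=//')"
  iss="$(openssl x509 -in "$WORKDIR/cert.pem" -noout -issuer | sed 's/^issuer=//')"
  [ "$subj" = "$iss" ]
}

# What a visitor's client does: look for a chain to a CA it already trusts.
# A self-signed certificate has no such chain, so this fails.
trusted_by_default_store() {
  openssl verify "$WORKDIR/cert.pem" >/dev/null 2>&1
}

# A client that was given this exact certificate out of band can trust it,
# which is why self-signed works for your own tools but not for the public.
trusted_when_pinned() {
  openssl verify -CAfile "$WORKDIR/cert.pem" "$WORKDIR/cert.pem" >/dev/null 2>&1
}

make_self_signed || { echo "openssl req failed" >&2; exit 1; }
is_self_issued && echo "issuer == subject: the certificate vouches for itself"
trusted_by_default_store || echo "system trust store: rejected, no CA signed it"
trusted_when_pinned && echo "explicitly trusted copy: accepted"
```

The traffic would be encrypted with either certificate; the failed second check is the missing identity assurance that a certificate authority supplies.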