Web Hosting Talk







SSL Manipulation


chrisb
09-08-2002, 06:13 PM
After studying and testing out mod_rewrite in an .htaccess file, I have come up with a strange SSL solution.

I made a self-signed certificate on my shared hosting site. My host also has a shared SSL that I can use. Using mod_rewrite, I figured out how to call the shared SSL page, yet have my self-signed SSL page come up.

The strange thing is that my SSL page comes up with http instead of https, but it has the padlock, and no macro warning (I was wrong earlier about canceling the warning with javascript. I didn't realize it was a macro warning).

The other thing is that on MSIE, the location bar shows my SSL's location, but unfortunately in Netscape it shows my host's location. So, I still haven't perfected it, or don't even know if it's possible, since most mod_rewrite commands can't be used by a user, but it's a start.

Do you think most people will trust an SSL page that has a padlock but starts with http?

Do most people check certificate info? If they see something like Comico, issued by Comico, do you think that bothers them?

FWIW, I'm not trying to scam anyone. I just want a certificate, and don't want to pay for one. I could care less about checking out identities (though my customers may feel differently); I just want encrypted info with a padlock.

2host.com
09-08-2002, 07:46 PM
Your browser is broken if it's showing a pad lock. However, I assume it's showing it from the shared SSL you're using before you use the rewrite rules, which is why the pad lock is there. If you're not using https, then it's not secure and it's going to fail to serve its purpose (prompting them or not). Short of tricking people's browsers into thinking it's a valid certificate from a vendor, you can't get around it to not prompt them via a genuine SSL connection. You're just using a shared certificate to call to or use an invalid or non-functional certificate/area, by the sound of it.

modihost
09-08-2002, 08:55 PM
cool chrisb :dgrin::agree:

sounds like this leading to a security exploit :D

2host.com
09-08-2002, 09:04 PM
Originally posted by modihost
cool chrisb :dgrin::agree:

sounds like this leading to a security exploit :D

You think so?

modihost
09-08-2002, 09:16 PM
well - if you can fool a web browser into using SSL without https:// in the URL - i am sure there are some rather creative ways to use this

modihost
09-08-2002, 09:18 PM
chrisb:

Can you post what version browsers you tested this in? Netscape 7.0 & IE 6.0?


Also can you post some sample URLS. i wanna see this in action :dgrin:

2host.com
09-08-2002, 09:18 PM
Originally posted by modihost
well - if you can fool a web browser into using SSL without https:// in the URL - i am sure there are some rather creative ways to use this

But he didn't fool the browser. He used the shared SSL for access, which was using a rewrite rule to use a non-vendor certificate.

modihost
09-08-2002, 09:22 PM
chrisb

Can you please post that .htaccess?

now maybe i dont have to buy my own SSL cert lol :cool:

2host.com
09-08-2002, 09:43 PM
Originally posted by modihost
chrisb

Can you please post that .htaccess?

now maybe i dont have to buy my own SSL cert lol :cool:

You're misunderstanding what he did and said and how this is working. He didn't create a way for people to get around being prompted, he didn't create a valid or real certificate that would function like one from a vendor without people adding it manually with warnings and prompts. He simply used the real (shared) certificate that does work to access a page which used rewrite rules to point to another place. It didn't have SSL on it other than from the shared SSL certificate he ran through.

He could have used the rewrite rules to point to any non-SSL web site or area and it would have done the same thing. If you have a shared SSL area, and you're using that anyway, how would it help or matter to use your own behind it, even if you could? If you've got to run through the shared SSL for it to work right, why would you use that to try and get out of using your own? You are already bypassing the need for your own by using the shared certificate. If you have to use the shared certificate to use your own or none, which doesn't make any sense, then you'll have to use the shared one anyway, which is what you're doing, which means that you're not needing to do anything else.

This isn't a security issue, this isn't a way to have a free certificate, other than it's already there and it's already free (being that it's shared). I hope that better explains it and how it is working (or not working), so you don't get your hopes up. :-)

modihost
09-08-2002, 09:46 PM
you must excuse me, i like to poke at things like this. :stickout

modihost
09-08-2002, 09:54 PM
i think most average people don't even look for the padlock and don't care. But if you're trying to sell to web masters - i am sure they would check. if i saw a SSL url that had http:// i would be trying to figure out how they fooled my web browser into thinking it was a secure page :eek:

2host.com
09-08-2002, 09:59 PM
Originally posted by modihost
i think most average people don't even look for the padlock and don't care. But if you're trying to sell to web masters - i am sure they would check. if i saw a SSL url that had http:// i would be trying to figure out how they fooled my web browser into thinking it was a secure page :eek:

The problem is, it won't unless you're running through SSL at some point. You'd be better off just using http and not SSL anywhere if you wanted to fool people that wouldn't notice. There is no valid lock or SSL without https.

chrisb
09-08-2002, 11:18 PM
Hi Robert,
Never say it cannot be done because some people like myself are inspired by that to prove you wrong. :) Unless you have studied and tested this within an .htaccess file as extensively as I have, then you may just be surprised. I have studied mod_rewrite intensively, and done many tests in the last few days; and have successfully tested this in a sub-directory to prevent possibly damaging my main directory.

I'm using this method because I would prefer that something akin to https://mydomain.com/order.html show in the location bar with a padlock rather than something like https://server25.jchost.com/~username/order.html.
It makes sense to me. :)

I don't think my browser is broken, and the end result does show my page http://mydomain.com/order.html with a padlock, and NO macro warning. I'm still working on changing that part to https.

The page that the user ends up at uses my self-signed certificate. I only use the shared SSL location within the .htaccess file in my mod_rewrite rules, as sort of a launching pad to change the location or URL. If a user were to click to view the certificate, it has my certificate information. NOTE: I am not using the shared ssl and faking the location. I am using my own self-signed certificate.

Maybe I didn't explain it well enough, so here's how I did it.
1. Create a test ssl page, such as "order.html".
2. Create a test ssl directory, such as "myssl".
3. Now, make sure you have one copy of "order.html" in the "myssl" directory, and one copy of it in your main directory.
4. Make an .htaccess file within your "myssl" directory.
5. Within that .htaccess file, use mod_rewrite to rewrite order.html in that directory to go to order.html in the main directory.
6. Now, when someone clicks on, or goes to https://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock.

I will post the code later when I have it perfected. :) I'm considering using Apache's setEnv, instead of using mod_rewrite to reset them. There's also further manipulation possible by using a cgi script in conjunction with mod_rewrite.

I'm using order.html now for testing purposes only; and that will probably change to order.cgi. Also, I'm using the latest IE6 browser.

Hi modihost. Thanks for your support. I welcome any help and encouragement on this, as it is very time-consuming.
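
The behaviour described in step 6 of the post above can be checked mechanically. This is an added example, not part of the original thread or any poster's code; it assumes the rewrite results in an HTTP redirect (which a changed location bar implies), and `trace`, `fetch_head` and the constructed responses are hypothetical names and data.

```python
"""Trace a redirect chain and report whether the final page is delivered over TLS."""
import http.client
import ssl
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def fetch_head(url, timeout=10):
    """One HEAD request, redirects not followed. Returns (status, Location or None).

    The default SSL context verifies the chain and host name, so a self-signed
    certificate raises ssl.SSLCertVerificationError instead of being accepted.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(
            parts.hostname, parts.port, timeout=timeout,
            context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        response = conn.getresponse()
        return response.status, response.getheader("Location")
    finally:
        conn.close()


def trace(url, fetch=fetch_head, max_hops=10):
    """Follow redirects hop by hop and collect findings about the chain."""
    hops, findings = [], []
    for _ in range(max_hops):
        try:
            status, location = fetch(url)
        except ssl.SSLCertVerificationError as exc:
            # A browser would show a certificate warning at this point.
            hops.append((url, None))
            findings.append(f"untrusted certificate at {url}: {exc}")
            break
        hops.append((url, status))
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(url, location)  # Location may be relative
        old, new = urlsplit(url), urlsplit(nxt)
        if old.scheme == "https" and new.scheme == "http":
            findings.append(f"downgrade: {url} -> {nxt}")
        if old.hostname != new.hostname:
            findings.append(f"host change: {old.hostname} -> {new.hostname}")
        url = nxt
    else:
        findings.append("redirect limit reached")
    final_url, final_status = hops[-1]
    # Only an https final hop whose certificate verified counts as encrypted.
    encrypted = urlsplit(final_url).scheme == "https" and final_status is not None
    return {"hops": hops, "final_url": final_url,
            "final_encrypted": encrypted, "findings": findings}


# Constructed responses modelling step 6 of the post; no network traffic.
CONSTRUCTED = {
    "https://mydomain.com/myssl/order.html": (302, "http://yourdomain.com/order.html"),
    "http://yourdomain.com/order.html": (200, None),
}


def constructed_fetch(url):
    return CONSTRUCTED[url]


def self_signed_fetch(url):
    # Constructed failure: what certificate verification reports for a self-signed cert.
    raise ssl.SSLCertVerificationError("self signed certificate (constructed)")


def demo():
    return trace("https://mydomain.com/myssl/order.html", fetch=constructed_fetch)


if __name__ == "__main__":
    report = demo()
    for hop in report["hops"]:
        print(hop)
    print("final page encrypted:", report["final_encrypted"])
    for finding in report["findings"]:
        print("finding:", finding)
```

Called as `trace(url)` with the default `fetch_head`, the same function checks a live URL; whatever the first hop looked like, a form on a final `http://` page is submitted in the clear.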

2host.com
09-08-2002, 11:31 PM
Originally posted by chrisb
Hi Robert,
Never say it cannot be done because some people like myself are inspired by that to prove you wrong. :)


It can't be done.


Unless you have studied and tested this within an .htaccess file as extensively as I have, then you may just be surprised.


What do you think an .htaccess file has to do with this? You can add a lot of directives for a lot of modules in an .htaccess file, sure and things can be done. I don't know what you mean by "testing things within an .htaccess file extensively". That depends on what modules you are putting directives in for.


I have studied mod_rewrite intensively,


I'm quite familiar with the rewrite module. So are we talking about the rewrite module or directives for modules?


and done many tests in the last few days; and have successfully tested this in a sub-directory to prevent possibly damaging my main directory.


What do you think rewrite directives can possibly do to "damage your main directory"?


I'm using this method because I would prefer that something akin to https://mydomain.com/order.html show in the location bar with a padlock rather than something like server25.jchost.com/~username/order.html.
It makes sense to me. :)


That makes perfect sense and what you're trying to do, won't work.


I don't think my browser is broken,


I don't either. It's showing the padlock because you're running through the shared certificate.


and the end result does show my page with a padlock, no macro warning, and my location with an http (I'm still working on changing that part to https).


It's because you're running through the shared certificate.


It also shows http://mydomain.com/order.html in the location bar.


I can guess what you're doing. You're trying to make it so any access to that directory or a specific file even, has a rewrite rule to call to the share certificate's secure area. The flaw in this logic, is that your data isn't encrypted until the data is redirected, so it's always passed non-encrypted. The other problem, is that you can't use an SSL protocol on a non-SSL page, and rewrite rules won't solve that problem.


The page the user ends up at used my self-signed certificate. I only use the shared SSL location within the .htaccess file in my mod_rewrite rules as sort of a launching pad to change the location or URL.


If you don't use the shared certificate, then any access will prompt the user or fail to work.


If you click on view the certificate, it has my certificate information. NOTE: I am not using the shared ssl and faking the location. I am using my own self-signed certificate.


Okay, but you perhaps understand how this will not overcome the certificate warnings once you are truly using the SSL certificate then.


Maybe I didn't explain it well enough, so here's how I did it.
1. Create a test ssl page, such as "order.html".
2. Create a test ssl directory, such as "myssl".
3. Now, make sure you have one copy of "order.html" in the "myssl" directory, and one copy of it in your main directory.
4. Make an .htaccess file within your "myssl" directory.
5. Within that .htaccess file, use mod_rewrite to rewrite order.html in that directory to go to order.html in the main directory.
6. Now, when someone clicks on or goes to https://server25.jchost.com/~username/order.html, the location bar will actually say http://yourdomain.com/order.html, without any warning, and a padlock.


So you're trying to do cloaking. This won't work right still, unless it's a vendor certificate, unless people don't mind warnings or errors.


I will post the code later when I have it perfected. :) I'm considering using Apache's setEnv, instead of using mod_rewrite to reset them. There's also further manipulation possible by using a cgi script in conjunction with mod_rewrite.

I'm using order.html now for testing purposes only; and that will probably change to order.cgi. Also, I'm using the latest IE6 browser.

Hi modihost. Thanks for your support. I welcome any help and encouragement on this, as it is very time-consuming.

Feel free to have fun and definitely enjoy yourself. Sounds interesting, but I'm just telling you that this method will not be able to work. That's not how SSL works and it won't work with that method, not without warnings or flaws, or not without some point of the data being passed in non-encrypted form.

chrisb
09-08-2002, 11:46 PM
Robert, what I meant was that unless you've tested mod_rewrite extensively within an .htaccess file, there are some things you may not know. IOW, if you've only used mod_rewrite as a superuser, then you haven't had much experience using mod_rewrite within an .htaccess file. That's all I was saying.

Concerning your statement, "it will not work". You are wrong. It will work. I've tested it, and it does work. It does exactly as I stated.
How can you be so arrogant as to make a statement like "it will not work" when you haven't even seen my code or tested it yourself?

chrisb
09-08-2002, 11:53 PM
Note: Robert posted while I was editing. Number 6 should read
6. Now, when someone clicks on, or goes to http://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock.

mind21_98
09-08-2002, 11:54 PM
Couldn't you make a frames page with 1 frame 0% high and another frame 100% high? That'd be much better, but the only thing would be it'd still show http:// instead of https:// in the address bar. :(

2host.com
09-08-2002, 11:57 PM
Originally posted by chrisb
Robert, what I meant was that unless you've tested mod_rewrite extensively within an .htaccess file, there are some things you may not know. IOW, if you've only used mod_rewrite as a superuser, then you haven't had much experience using mod_rewrite within an .htaccess file. That's all I was saying.


I realize this, and I simply stated I am well aware, due to the fact that you seemed to say that it's very possible if people had better knowledge of rewrite rules (the .htaccess file is just a control file, it can do a lot or a little) and that I'm aware of all the things it can offer in the way of directives, and depending upon the module it might work with as well.


Concerning your statement, "it will not work". You are wrong.


No, I'm not. It won't work. Not to the extent of what you claim your goal is.


It will work. I've tested it, and it does work. It does exactly as I stated.


No it doesn't. You stated that running via a shared SSL certificate and having a rewrite rule for a non-SSL protocol will show the lock in effect and that it will not prompt for errors. And why would it? You can do this with anything. For you to use the self signed certificate only and rewrite rules, it will not work via an SSL, encrypted protocol. You can't tell me that that itself works. What you've done thus far works, even if it's not encrypted, but it's not working in the manner which you said is your goal. The limitations of the manner in which you are trying to use to accomplish your goal, will _not_ work.


How can you be so arrogant as to make a statement like "it will not work" when you haven't even seen my code or tested it yourself?

How can you assume it's arrogance that makes me tell you it won't work? I don't need to see the directives and syntax of your .htaccess file to know that this method will not work. Try not to take my advice so personally or assume it's just me mindlessly saying it won't work to sound like I know things I don't. I am very aware of how these things work and this method you are wishing to do will not function how you want. If it doesn't error, fine, but it's also not using SSL.

There is a large difference between what you're doing now and what you say you want to ultimately do. I'm not saying any of this to belittle you, sound smarter or more knowledgeable, or to take a swipe at your mission. I'm sure you're having fun with it, and that's great, but try not to assume so cynically because I do happen to know that this method will not work. Perhaps I'm not explaining myself well enough, but you'll find out soon enough, unless you do end up thinking it's working and you are actually passing the data without really using SSL (which would defeat the purpose).

2host.com
09-08-2002, 11:59 PM
Originally posted by chrisb
Note: Robert posted while I was editing. Number 6 should read
6. Now, when someone clicks on, or goes to http://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock.

I believe you, but that has no bearing on SSL.

chrisb
09-09-2002, 12:10 AM
Robert, I know that .htaccess is just a control file. What I meant was that there are different workarounds you have to do when using mod_rewrite within an .htaccess file that you don't have to do when you have root access and can use rewriteMap, etc.

Again, it does_work. It shows a padlock, and no warning. Yes, I'd like for it to do more, but it works.

No, I'm not worried about you trying to sound smarter. When someone makes a dogmatic statement "it will not work" and has not tested it, to me that is not smarter. :)

chrisb
09-09-2002, 12:14 AM
Robert, you pick out my little mistakes... Number 6 should have read...
6. Now, when someone clicks on, or goes to https://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock.

2host.com
09-09-2002, 12:15 AM
Originally posted by chrisb

...

When someone makes a dogmatic statement "it will not work" and has not tested it, to me that is not smarter. :)

Unless, of course, it won't work. But you're free to dislike me or assume what you like because you think it will.

2host.com
09-09-2002, 12:20 AM
Originally posted by chrisb
Robert, you pick out my little mistakes... Number 6 should have read...
6. Now, when someone clicks on, or goes to https://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock.

Okay, just calm down. For goodness sakes, I'm not attacking you! Your post ABOVE (YOUR EDIT) said:

"Note: Robert posted while I was editing. Number 6 should read
6. Now, when someone clicks on, or goes to http://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock."

You REPEATED yourself NOT mentioning the https URL! I wasn't "picking out little mistakes" of yours. You clearly didn't make it clear until this THIRD time. Just take your time to read what's being said and you won't assume so much. I didn't assume anything, I responded to what you said. That's all I've got to go on. It's astounding that you want to make a comment that my attitude is "arrogant" given these facts and your refusal to accept that I might be right and know what I'm talking about. Check what you said, what you're doing and understand what I said.

Consider for a moment why it won't work. Either you're not being clear about any of this and are talking about something completely different and trivial, or you are missing something in the process and it's not going to actually encrypt the data. If there's no getting through to you and you're going to assume things and get offended because I am trying to explain why and how it won't work, just tell me now and I'll not waste my time trying to talk to a brick wall.

2host.com
09-09-2002, 12:23 AM
Originally posted by chrisb
Robert, you pick out my little mistakes... Number 6 should have read...
6. Now, when someone clicks on, or goes to https://mydomain.com/myssl/order.html, the location bar will actually read http://yourdomain.com/order.html, without any warning, and a padlock.

And are you calling to or using the shared certificate in any way in this process? Are you saying that with rewrite rules, you are able to strictly use a self-signed certificate for your https://domainname/path and not any shared vendor certificate anywhere in the process, and access that SSL area without any prompt or warnings, by simply using rewrite rules, yet it genuinely uses SSL to encrypt the data and it works just like any other vendor certificate? Maybe your browser _is_ broken? :-)

chrisb
09-09-2002, 12:29 AM
Yes, it works, and it encrypts the data. Thus, the SSL page with a certificate that you can click on. What is arrogant is that you insist something doesn't work when you haven't even tried it. I've tried it, and I know that it works. What part of "it_works" don't you understand?

I really dislike the attitude of people like you. You are the type of people that stifle development, because you are never wrong, even when you are.

For someone to say that something doesn't work in a server environment, considering all the bugs out there, is just plain ignorance; especially when someone else has tested it and found that it does work.

2host.com
09-09-2002, 01:01 AM
Originally posted by chrisb
Yes, it works, and it encrypts the data.


But it's actually using a non SSL area. It can't.


Thus, the SSL page with a certificate that you can click on.


Except it's no longer SSL.


What is arrogant is that you insist something doesn't work when you haven't even tried it.


What is the arrogant nature of your attitude to tell me what I can or can not know? Why don't you give us all the URL to try then, huh? After all, it works, right? Keep your rewrite rules to yourself, prove it works!


I've tried it, and I know that it works. What part of "it_works" don't you understand?


If you want to continue to be hostile, so be it. That's no way to learn anything. You've shown throughout your posting history on this board that you are new, have been asking basic questions and don't really know very much. There's no crime in that, but it seems when you don't like an answer from someone that has the knowledge or experience, that you'd prefer to blow up and be a brat. Why bother asking if you're going to lose your head if you don't like the answer? Your example shows that it doesn't work, it's not doing what you think, OR you are talking about something else and not being clear. That's "okay", because you don't have experience to know perhaps the right terms or example, but to bite my head off because your ego has been challenged, just doesn't make any sense for you to seek advice in the first place.


I really dislike the attitude of people like you.


Well, people usually don't when someone doesn't agree with them. The fact that you can act like an adult and not start spouting off inaccuracies and insults without being provoked would be more admirable though.


You are the type of people that stifle development, because you are never wrong, even when you are.


You're acting silly. Get a grip already! I've been developing new solutions and applications for web servers for near 10 years. I don't think that my experienced advice telling you this is a flawed method is stifling. Obviously that's why you blew up. You thought you found some new idea to get around something and were what you thought was "close", and when I told you you're not, you couldn't accept it. Rather than screaming I'm an arrogant, development stifling 'meanie', why don't you just listen to what I'm saying?


For someone to say that something doesn't work in a server environment, considering all the bugs out there, is just plain ignorance;


No, it's called knowledge, when you *know* it won't work. Just because you don't know, doesn't make you right. Consider this; You've gone from calling me arrogant, to ignorant, because I know something you don't yet know. I don't expect you to admit or realize this. You might be more willing to accept that when it fails to work how you think it does (or will). But for now, why the attitude? And worse, why shoot the messenger? Don't you have a URL to prove this? Well, come on.


especially when someone else has tested it and found that it does work.

Yes, you've said this, even though right above you said that it doesn't work yet the way you want. The reason for that, is because it's _not_ working how you _think_ it is (or will). It's not going to work. Again, perhaps I'm not explaining myself well enough, but that's no excuse for you to make such remarks and act the way you are. After all, if what you say is true, then why don't you just provide a URL to prove it? Or, alternatively, we can argue back and forth all day, even though you can apparently just show us all and make me shut up.

modihost
09-09-2002, 01:21 AM
NEVER EVER EVER EVER say it cant be done.


If a human made it - a human can break it.

I've also been looking into ways of fooling a web browser for cookies... because mydomain.com sets the cookie but my order form is under another domain because of the shared SSL. :o

2host.com
09-09-2002, 01:28 AM
Originally posted by modihost
NEVER EVER EVER EVER say it cant be done. See i was right from the beginning :D

How were you right, exactly? I understand the attitude of "never say it can't be done, anything's possible", but knowing the limitations of something, you can safely say that some things are not. For example, I can't turn water into wine. I can't jump a mile into the sky. I can't just say something and make it true by saying it. I can't put a million high traffic web sites on a system with a 33 mhz CPU and 2 megs of RAM and have it serve up web pages well.

You can indeed, safely say "it can't be done" if you know that it can't. Yes, sometimes people "think" it can't and they are wrong, but there's no reason to get nasty with people that are right. I don't mind being wrong, but I don't appreciate mindless claims and insults telling me I am for no other reason than a fragile ego. I'm still waiting for a URL before I see someone say "I told you so", how about you?

modihost
09-09-2002, 01:33 AM
as far as the internet - software, anything is possible..


2host.com


you type really fast :)

modihost
09-09-2002, 01:36 AM
i dont understand a whole lot about SSL certs but there must be a way to generate your own Cert and a user not get a warning.


They cost too much, they cost as much as they do only because people will pay for them at that price..

modihost
09-09-2002, 01:42 AM
nobody is flaming anyone - at least im not.

Think about it - there could be countless ways to fool a web browser into using a shared SSL cert and not get warnings etc. etc. there just *has* to be a way to accomplish it. i don't think you can safely say that it's not possible

2host.com
09-09-2002, 01:44 AM
Originally posted by modihost
as far as the internet - software, anything is possible..


Well, not really anything is possible. After all, that goes into the same realm as saying that "any system connected to the Internet can be cracked". Even if a lot can and are, and some ways can be found, depending on how the system is configured, it isn't impossible to have a secure system. That might include extremes like having no web server, shell, FTP, email, etc. but it can still be hooked up and you can still access sites from it and not have any risk of being compromised. Alternatively, provided there's no remote exploits in SSH, FTP, email, the web server, etc., that too would be true. Now we know that to be unlikely, yet some things like Qmail have yet to be exploited after many years of people trying. That doesn't mean it can't be, eventually.

If this SSL idea worked, then it would simply be due to a misconfiguration or some such thing that no common web servers I'm aware of would be susceptible to. However, the limitations and the way the web server works, are not the only issue at hand, it's also how the interaction is done, if it's encrypted, and finally, the client's browser accepting an invalid certificate. So, you'd have to have a lot of flaws in a lot of aspects and that's possible as well, but it won't work unless something breaks.

So, to be fair to "chrisb", I suppose it's possible, but only if things aren't working right. I thought we were speaking in terms of a solution, not an exploit. Even so, this is unlikely. Also, the other end wouldn't work with it in the way you'd need (not in SSL, not genuinely encrypted). I think maybe at some point in his testing, he mistakenly pressed the "trust this certificate" "Ok" button. :-) So, while there might be a method to exploit a lot of features, it would not pose a risk due to the prevention from aspects of other elements. Again, not explaining myself well, I guess. Nonetheless. Anyway, I'm just waiting for a URL.


2host.com

you type really fast :)

But not fast enough. :-)

2host.com
09-09-2002, 01:48 AM
Originally posted by modihost
nobody is flaming anyone - at least im not.

Think about it - there could be countless ways to fool a web browser into using a shared SSL cert and not get warnings etc. etc. there just *has* to be a way to accomplish it. i don't think you can safely say that it's not possible

I don't think you're flaming anyone either. You've been level headed and civil. I can appreciate that. There are actually ways to alter certificates to fool a browser into thinking it's from a vendor, I stated this in my original response (but I guess I didn't clarify at that time enough).

However, this (what I thought we were talking about), was a solution to get around needing a certificate from a vendor, to avoid prompts and have it work for real, not fool the browser. If that's what you were going to do, then you'd not need any of the rewrite rules or try and trick anything like that, you'd just modify the certificate. I imagine that would be a daunting task to modify and have it work and fool all browsers, and *that* would be possible.


Just to prove what I said (that I mentioned above about tricking the browser, you can refer to my first post in this thread (unedited)):

"Your browser is broken if it's showing a pad lock. However, I assume it's showing it from the shared SSL you're using before you use the rewrite rules, which is why the pad lock is there. If you're not using https, then it's not secure and it's going to fail to serve its purpose (prompting them or not). Short of tricking people's browsers into thinking it's a valid certificate from a vendor, you can't get around it to not prompt them via a genuine SSL connection. You're just using a shared certificate to call to or use an invalid or non-functional certificate/area, by the sound of it."

I don't see anything changing from that post. And I don't see him making any mention of tricking the browser. He needs to be more clear and maybe all this animosity will cease, as he seems to indicate he can do this all on the server side. We discussed the rest (sort of), so I'm just waiting for a URL that he says 'works'. Rather than argue, he should show us in that case. :-)

modihost
09-09-2002, 01:51 AM
making a frameset http://www.yourhost.com/order/

with one frame and it being a SSL URL makes the browser warn you.. You dont want that at all. that will scare off customers :bawling:

cybotix
09-09-2002, 01:53 AM
stop arguing and use freessl.com :D

modihost
09-09-2002, 01:54 AM
i need more info on *HOW* SSL Certs generally work. i know you can generate them with openssl.

modihost
09-09-2002, 01:55 AM
freessl.com? :)

checking it out now

2host.com
09-09-2002, 02:00 AM
Originally posted by modihost
i need more info on *HOW* SSL Certs generally work. i know you can generate them with openssl.

Yes, you can generate your own, but since they aren't from a trusted vendor, visitors' browsers will be prompted of that fact.

2host.com
09-09-2002, 02:01 AM
Originally posted by cybotix
stop arguing and use freessl.com :D


lol Now we're talking!

chrisb
09-09-2002, 02:35 AM
Is freessl really free? It is Geotrust.

Robert, I was hoping for helpful input, but all you want to do is argue, so just forget it. I know it works for me, and that's all I need to know. JFYI, I did not click on the warning to accept it.

Modihost, you can go to your shell, and use openssl commands to create your own certificate. See the docs at http://modssl.org or if that site is down, as it often is, just search for "installing self-signed certificate" on Google. There are many sites about it; redhat even has info on it. If you use shared hosting, you'll probably just want to create your RSA keys and certificate, but let your host do the installation. I'd suggest you leave out the passphrase. Be sure to sign it with "Verisign" to alleviate the warning... LOL

cybotix
09-09-2002, 02:42 AM
Originally posted by chrisb
Is freessl really free? It is Geotrust.

yeah it's free, u get a 1 year cert, dunno if they start charging after that. its ubiquity isn't as good as thawte/verisign, obviously.

2host.com
09-09-2002, 02:48 AM
Originally posted by chrisb

...

Robert, I was hoping for helpful input,


I offered you helpful input, you just got mad that I said it wouldn't work. If it works, why were you asking? Speaking of, where's that URL for that working site? After all this and you still can't just provide it? You're sitting there calling me a liar, discrediting my knowledge and calling me arrogant and ignorant for letting you know what I know and that it won't work, as you asked for that help, and you instead get angry, call me names and claim it works. Well, then let's see it! URL???????????


but all you want to do is argue,


Correction, I did no such thing. I offered you reasons why it would fail. That is not arguing. You, my friend, were the person that was arguing with me about what I said. Where's the URL???


so just forget it.


Forget what? You said it worked, let's see it. Prove I'm ignorant and don't know what I'm talking about. After all, you said it, why not prove it with a simple URL? Where's the URL????


I know it works for me,


I don't believe you. You won't give out a URL to prove this and your attitude suggests otherwise. No wonder you were so defensive. Don't say you did something if you can't do it. Where's the URL?


and that's all I need to know.


Then why did you post about it and sit here telling me I'm wrong and try and argue with me, and even still sit here insulting me? Where's the URL?


JFYI, I did not click on the warning to accept it.


Sure you didn't. Where's the URL? You come in here to convey your ego on me, why waste everyone's time? I'm fed up with this. After all, I offered reasons, suggestions, advice and facts. Simply because you didn't want to hear you were wrong, is no reason to treat me like you did. What are you so afraid of admitting? Do I threaten your ego? Why don't you show me the URL and show me how wrong I am? I think we both know why, I don't know who you're trying to kid. If you want to try and show off about something you don't have knowledge about, choose something that other people on the same forum won't either, so you can spare yourself from arguing with them. I tried to offer reasons and you prefer this. Senseless... just senseless!

modihost
09-09-2002, 03:18 AM
its all good. i just got a SSL Cert for 1 year for free!

www.freessl.com :)


now i can use my cookie tracking system i made because my order form is on other domain name because of the shared SSL. but the cookie is set by other domain. YAY my own SSL.

/me is happy


just too broke right now to have to buy an SSL cert

chrisb
09-09-2002, 03:21 AM
I told how I did it, except for the specific rewrite rules that I used. I will not post my URL, but I was going to post my rewrite rules that I used in my .htaccess file, but after your insults, I changed my mind. Why bother? According to you, you already know it cannot be done; and if I showed you that you were wrong, you wouldn't admit it.

Modihost: Yeah, I imagine that someone knows how to kill a macro warning too; but I don't. If someone can put something into your PC when you click on a URL, then I'm sure it's possible that someone can send something to kill a macro warning.

BTW, a self-signed certificate is not usually called a non-vendor certificate. When you sign it, YOU are the vendor. It's just not one of the trusted signers (CA's) that are already in the browser. It's also not an invalid certificate. The certificate is just as valid as one you pay for. The only difference is that no company checked out your business identity, and you had to spend money for it; but it is still an encrypted certificate.

I don't want to take the time to refute all of Robert's comments; but his comment about several things must break in order for this or that to be done is simply not true. I'm sure others know that logically only one thing has to break in order to break other things. For example, one thing can break in an automobile, and cause many other things to fail.

chrisb
09-09-2002, 03:25 AM
Modihost, glad you got a free one, but I'd rather go another route. I use MSNTV sometimes, and Geotrust won't work with that browser.

modihost
09-09-2002, 03:49 AM
http://www.redhat.com/docs/manuals/linux/RHL-7-Manual/ref-guide/ch-securing.html

Self-signed certificates will not be automatically accepted by a user's browser — the user will be asked by the browser if they want to accept the certificate and create the secure connection

Any docs you can point me to?

chrisb
09-09-2002, 04:02 AM
Oops, I didn't see all of your post. I'll post back, modihost.

modihost
09-09-2002, 04:04 AM
thats what i was asking for any URLS or anything you could point me to, so i can sign a cert "Geotrust" or something or other

2host.com
09-09-2002, 04:07 AM
Originally posted by chrisb
I told how I did it, except for the specific rewrite rules that I used.


You said what you did, you didn't offer anything technical, and I didn't ask how you did it.


I will not post my URL,


I know you won't, because you'd just show exactly that you weren't able to do it.


but I was going to post my rewrite rules that I used in my .htaccess file,


I don't believe you. If you did that, people would try and see it doesn't work.


but after your insults,


You mean after I responded to YOUR insults.


I changed my mind.


Like you ever were. What do you expect when you insult and claim things about me, when all you have to do, is provide a URL and prove it.


Why bother?


Why, indeed!? You'd make a fool of yourself for making a big deal and dismissing everything I said to give you reasons why it wouldn't work.


According to you, you already know it cannot be done;


Yes, that's very true. Rather than beating around the bush and evading facing the facts, how about you either "put up, or shut up"? If you're going to say someone's wrong, are a liar, don't know what they are talking about, are just being stubborn and arrogant and how something is true, why don't you prove it? I don't really care what you prove or not, because I know the answer, but you posted in response to so many posts of mine saying I'm an arrogant, ignorant person. So, why don't you show us!? Because you can't, because you don't know what you're talking about. That too, is fine, until you insult people and make such claims.


and if I showed you that you were wrong, you wouldn't admit it.


How could I deny it? Stop trying to make excuses for not showing this URL or the rewrite rules for that matter then. Obviously it's not true.


BTW, a self-signed certificate is not usually called a non-vendor certificate. When you sign it, YOU are the vendor.


No you're not! A "vendor" sells the certificates. An SSL certificate vendor sells "trusted and recognized certificates".


It's just not one of the trusted signers (CA's) that are already in the browser.


It's made for that purpose, which is what you pay for!


It's also not an invalid certificate.


It works and serves the same functions, yes. But it's not valid if it's not trusted.


The certificate is just as valid as one you pay for.


No it's not. One you pay for is set up right, will warn people if the IP changes, etc. You can't know that with a non-trusted certificate.


The only difference is that no company checked out your business identity,


You have no idea what you're talking about. A trusted certificate doesn't mean that *anyone* verified your "business identity".


and you had to spend money for it; but it is still an encrypted certificate.


It provides an encrypted data transfer just the same, yes. Everything else will provide warnings or errors and you can't be certain it's pointing to the right site because of how someone generated it.


I don't want to take the time to refute all of Robert's comments;


If you can't fess up to what you claim, then don't claim it. This is obviously another area you fail to understand. For someone with knowledge to explain why it won't work and for you to viciously attack them, yet you can't prove what you claim. Why not a URL? Because it's NOT true!


but his comment about several things must break in order for this or that to be done is simply not true.


Yes it is. I explained why. Prove me wrong.


I'm sure others know that logically only one thing has to break in order to break other things.


Untrue. The web server has no bearing on the client's browser. You have to trick or exploit both of those things. You have shown throughout your posts here that you know nothing of security, CGI, CGI wrappers, permissions, or anything else. Looking at your posting history at this board from day one. Suddenly, because you are throwing a tantrum because I told you your little claim was not going to work, you know more about this field than I do? Is this new to see online when some kid gets mad because he didn't get his way and made himself look foolish? No, it's not. I didn't come in here to mock you or make fun of you. I didn't come here to argue either. I came in posting reasons and explanations to show that your idea will not work. Fine if you're embarrassed, but I did nothing to you and look how you act.


For example, one thing can break in an automobile, and cause many other things to fail.

Having something on your car fail, has no bearing on the news camera that's filming you from a distance. How grossly incompetent!

modihost
09-09-2002, 04:24 AM
:argue:

chrisb
09-09-2002, 04:28 AM
Is this what you need?
http://slwww.epfl.ch/SIC/SL/CA/

or do you need info on how to create a certificate?

2host.com
09-09-2002, 04:28 AM
Originally posted by modihost
:argue:

Sorry for the show, but one thing I can not stand, at all, is someone with no knowledge going out of their way to make remarks and claims to say that I don't know what I'm talking about, all because they don't want to hear that their idea won't work. If he wants to prove it does, he can, but since it doesn't exist, he'll just continue making these claims to try and evade the very topic he brought up and argued about.

modihost
09-09-2002, 04:31 AM
encryption scares me :bawling:

chrisb
09-09-2002, 04:38 AM
And one thing I can't stand is someone making insults and assuming that I have no knowledge when I've worked on computer hardware/software for over 30 years. I have nothing to prove to you. Go argue with yourself.

2host.com
09-09-2002, 05:13 AM
Originally posted by chrisb
And one thing I can't stand is someone making insults


I got fed up with you as you're acting like a clueless person. You should read the order of events, and see how you acted. You were the person that was passing out insults and being irrational.


and assuming that I have no knowledge


You obviously don't have any knowledge. I've personally answered a few of your very basic questions in the technical support forum about things that anyone with your arrogant claims should have known years ago. Again, I hold nothing against people for not knowing, but for them to not know anything and come down on me like you did, because you can't accept me showing you why this idea of yours won't work, is ludicrous. Yet you STILL make these claims. Your excuses probably seem logical to you to save face, but anyone that has any clue can see right through it.


when I've worked on computer hardware


What the heck does hardware have anything to do with this topic? I don't even believe you anyway. Typical cop-out "I've been doing 'computers' for 30 years!". 'Doing computers'?? Really?


/software for over 30 years.


What a crock! You were asking incredibly basic things, you'd not have been asking if that was true. But I suppose you mean "I've been using accounting software for 30 years". So what? Computers are systems that use hardware to run software. That doesn't mean you have any idea about web hosting or web servers. Your questions archived throughout this web forum alone show that you've got no idea! Again, I don't care, until you came in and lie about things and claim that I don't know something I definitely do! You got yourself into this mess, deal with it or admit the truth, or for goodness sakes, just admit you don't know or control yourself enough to not claim I don't!


I have nothing to prove to you.


Yes you do! You lied and made claims about me that aren't true based on your claim you were able to do this. You can't, and you didn't, and you still won't show that you're not a liar. I hate having to call someone a liar, but you're more than just an arrogant jerk at this point and you're plainly a liar. Not that I care about that either, except you lied about me. I gave you no reason, no hassle and I offered you KNOWLEDGE. Your simple mind can't deal with it and you resort to continuing this. I don't even know what to say, other than I want to ... .!$$$$#$^R%!


Go argue with yourself.

You really have a knack for being so annoying, that you get yourself into situations, don't you? You seriously have got to have a mental problem to not see how obvious this is. I mean it. To act like this because you asked about it and I answered how it won't work. If it worked, you'd have proven it. Who cares? Get over it!

chrisb
09-09-2002, 05:22 AM
Robert, I'm not arguing with you anymore. Damnit! You're more anal than Anna Nicole Smith's rear end.

2host.com
09-09-2002, 05:25 AM
Originally posted by chrisb
Robert, I'm not arguing with you anymore. Damnit! You're more anal than Anna Nicole Smith's rear end.

Don't be a jerk and use lies and cheap tactics to try and impress yourself and maybe, just maybe people won't feel compelled to respond to state the TRUTHS! Who do you think you are to be acting so atrociously anyway? You've got real problems, pal! Yeah, I must be real 'anal' to not allow you to sit there and lie about me. Imagine that. What a freaking fruitcake!!

chrisb
09-09-2002, 05:29 AM
modihost, did that SSL page help you?

chrisb
09-09-2002, 06:45 AM
That site I posted above was a bit outdated, and since the openssl and modssl sites are down most of the time, maybe this will help. This is from the modssl FAQ.

How can I create and use my own Certificate Authority (CA)?
The short answer is to use the CA.sh or CA.pl script provided by OpenSSL. The long and manual answer is this:
Create a RSA private key for your CA (will be Triple-DES encrypted and PEM formatted):
$ openssl genrsa -des3 -out ca.key 1024
Please backup this ca.key file and remember the pass-phrase you currently entered at a secure location. You can see the details of this RSA private key via the command
$ openssl rsa -noout -text -in ca.key
And you can create a decrypted PEM version (not recommended) of this private key via:
$ openssl rsa -in ca.key -out ca.key.unsecure
Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA (output will be PEM formatted):
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You can see the details of this Certificate via the command:
$ openssl x509 -noout -text -in ca.crt
Prepare a script for signing which is needed because the "openssl ca" command has some strange requirements and the default OpenSSL config doesn't allow one easily to use "openssl ca" directly. So a script named sign.sh is distributed with the mod_ssl distribution (subdir pkg.contrib/). Use this script for signing.
Now you can use this CA to sign server CSR's in order to create real SSL Certificates for use inside an Apache webserver (assuming you already have a server.csr at hand):
$ ./sign.sh server.csr
This signs the server CSR and results in a server.crt file
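
The FAQ steps quoted above, run end to end without prompts, with a trust check added to show why a browser warns about a certificate from a private CA. This is an added example, not part of the original post or of mod_ssl: it substitutes `openssl x509 -req` for sign.sh, uses unencrypted 2048-bit keys, and every subject name is constructed.

```shell
#!/bin/sh
# Added example (constructed names throughout): build a private CA, sign a
# server certificate with it, then verify the result against two trust stores.
# Assumptions of this demo, differing from the quoted FAQ:
#   - keys are 2048-bit and unencrypted so the script runs without prompts
#   - "openssl x509 -req" stands in for mod_ssl's sign.sh, which is not shown here

make_ca() {            # $1 = file prefix, $2 = CA common name
    openssl genrsa -out "$1.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -key "$1.key" \
        -subj "/CN=$2" -out "$1.crt" 2>/dev/null
}

make_server_cert() {   # $1 = CA prefix, $2 = server prefix, $3 = host name
    openssl genrsa -out "$2.key" 2048 2>/dev/null &&
    openssl req -new -key "$2.key" -subj "/CN=$3" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -days 365 \
        -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -out "$2.crt" 2>/dev/null
}

is_self_issued() {     # $1 = cert; true when subject and issuer names match
    [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
      "$(openssl x509 -noout -issuer_hash -in "$1")" ]
}

trust_check() {        # $1 = trust anchor (PEM), $2 = certificate to check
    # Match the "<file>: OK" line that openssl verify prints for a good chain.
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

make_ca "$WORK/ca" "Example Test CA"          # the CA from the FAQ steps
make_ca "$WORK/other" "Unrelated Public CA"   # stands in for a browser's built-in CA list
make_server_cert "$WORK/ca" "$WORK/server" "www.example.test"

echo "client trusting only the unrelated CA: $(trust_check "$WORK/other.crt" "$WORK/server.crt")"
echo "client that imported ca.crt:           $(trust_check "$WORK/ca.crt" "$WORK/server.crt")"
echo "self-signed ca.crt, not imported:      $(trust_check "$WORK/other.crt" "$WORK/ca.crt")"
is_self_issued "$WORK/ca.crt" && echo "ca.crt names itself as issuer"
```

The certificate and key are the same in every check; only the client's trust anchor changes the outcome, which is why the warning cannot be removed from the server side.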

Chicken
09-09-2002, 07:48 PM
Unless this thread is to be closed, then the bickering must end now. Chris, it isn't unreasonable to request a URL of your discovery, now is it? If I told you I invented a robot that doesn't have a CPU or other 'brain' that could build and fly rocket ships to the moon, but you can't see it, you'd be a bit skeptical...

I personally don't care whether you prove your discovery or not, I just want the childish namecalling to end, which it will. Now.

2host.com
09-09-2002, 07:53 PM
I can appreciate the desire to remove this thread, due to the history of posts in it. I personally don't mind if the thread is trashed and it might be better in the long run. Thus far I've only seen a topic about something he's not willing to even show what he claimed and it's just a thread full of arguing otherwise. Not of much value and I think chrisb is done arguing with me anyway, which is good -- but the thread still remains without value/substance and just reflects poorly on most people involved with all the arguing. I vote to toss it, but either way I can live with. Thanks.

chrisb
09-09-2002, 08:44 PM
Originally posted by Chicken
Unless this thread is to be closed, then the bickering must end now. Chris, it isn't unreasonable to request a URL of your discovery, now is it?

If you read the entire thread, you would know why. Posting a URL is not necessary; but I would still do that if my site was ready for public display. I told how to do it except for the rewrite rules, and was going to post them. This is similar to a test script that I recently posted, where Deb stated that using SSH would do the same thing, and she was right. So, I re-iterate, a URL was not necessary.

I personally don't care whether you prove your discovery or not, I just want the childish namecalling to end, which it will. Now.

I really don't see the point of your post. I had already stopped arguing with him.

But, since YOU brought it up. I said he was arrogant. That is not name-calling; it's a factual observation. When someone says something doesn't work (basically calling you a liar) that you have tested and know that it does, and they haven't even tried it, that is arrogance.

I also said that was ignorance. Again, that is not an insult, name-calling or anything bad. If someone does not know something, they are ignorant of the facts.

After THAT, the guy started attacking me in all kinds of ways, twisting what I said, belittling me, calling me a brat, jerk, liar, etc. I never stooped to that low level. All, I did was joke about his being anal retentive.

Please reread the thread. I think you are being unreasonable and unfair here, Chicken.

Beast
09-09-2002, 09:11 PM
2host...i respect your maturity and your viewpoint, I'm not an expert on SSL, but your explanation makes sense. And using general logic, it is obvious this method should_not_work while still encrypting data. Just know, *I* appreciate your input.

And at the same time, I appreciate the ambition for new methods of "action", your idea IS good(if you can/did get it to work), but constructive criticism should be taken in stride, not dead in the face. Please lighten up chris...

2host.com
09-09-2002, 09:22 PM
Originally posted by Beast
2host...i respect your maturity and your viewpoint, I'm not an expert on SSL, but your explanation makes sense. And using general logic, it is obvious this method should_not_work while still encrypting data. Just know, *I* appreciate your input.

And at the same time, I appreciate the ambition for new methods of "action", your idea IS good(if you can/did get it to work), but constructive criticism should be taken in stride, not dead in the face. Please lighten up chris...

Your comments are the best thing about this thread thus far. Thank you. You said it more simply than any of us here have yet. I surely had no intention (and I reiterated many times) that he will learn a lot, have fun and it's great that he's interested. He simply related me saying it won't work to calling him a liar. I later down in the thread perhaps lost my patience, and I did call him a liar later due to other things. However, just as his "script" to test security, of which was explained in that thread too, it's not doing what he thinks. I tried to explain, and perhaps I lost my cool when he became hostile.

I don't understand why he didn't just post the URL then if that's all he intended to do (since nothing else was acceptable it seems). It's really too bad people misunderstand things so grossly and emotions run high and this sort of thing happens. I know I don't react well to insults and claims I'm arrogant, ignorant, and whatnot when all that needed to be done, was to post the information to show me I'm wrong. I don't think I am, and I'll be more than happy to eat my words, but if someone wants to argue and just claim I'm out to do it too, then it's not going to ever get anywhere.

Therefore, given the last comment of his, I think he's intent to just think I'm out to get him or ridicule him, so this thread should be trashed. We can debate or argue or discuss how this is or isn't possible, but it's a bit immature for him to say he won't post the rewrite rules because... well, I can't think of any reasons and just claim it's due to anything. I only explained it wasn't possible, before all the animosity started, he had ample time to post those rules, rather than taking offense to my simple act of explaining the problems (before anyone called him a liar or asked him to prove anyway). It simply doesn't make any sense and I think he's a little hyper sensitive about being told he's wrong. If he's not, he's free to just end it and post a URL or the rewrite rules (especially if he's going to try and put my knowledge into question).

So, again, since that's not going to happen (and I honestly don't believe it can), there's no reason to have a thread with posts about people arguing (I'm sure we can all agree on that). I appreciate anyone's honest opinion about it, the information or debate, but the topic is nonexistent. I really don't see how I could have told him he's wrong or why, without telling him he's wrong or why. I really don't see why he doesn't just post his proof and have people learn from it, or learn something himself. I don't see the point to any of this. Well, I tried. Cheers!

MadSkilage
09-09-2002, 11:04 PM
Speak when you are angry and you will make the best speech you'll ever regret.

- Laurence J. Peter

chrisb
09-10-2002, 01:41 AM
This thread started out with good intentions of showing others a way to manipulate SSL, and asking their opinions about it. Unfortunately, someone chose to turn it into trash inventing lies about me, calling me names such as jerk, brat, mental case, and everything else in between. Surprisingly, the moderator, Chicken, chastises me, and backs up that guy.

I apologize to anyone that was genuinely interested in SSL manipulation. As you can see, from my posts to modihost, I was trying to be genuinely helpful, and it was not me who went off the deep end with multiple lengthy posts of insults without substance.

I don't think anyone was really interested in SSL manipulation from the responses to this thread except for modihost. However, to prove that what I said is true, I will be more than happy to give anyone the rewrite rules and show them that it DOES INDEED WORK, if at least 2 different people ask for it in this thread and are not new posters. You will need to have a host that has shared SSL and your own self-signed certificate in order to test it.

I started to go thru everything Robert said and dispute it, but I don't want to take that time, so I'll just point out one more thing. He thinks that because he can see no reason for why I would not post a URL, that it must not be true.

That, again, is arrogance. Because he can't read my mind, and think of a valid reason that I might have, not to post the URL, he indicates that it must not be true, even though I explained that was not necessary to prove my claims. I already posted how and the only thing lacking are the rewrite rules. Another reason for not posting a URL is that I prefer anonymity and do not want to publish the URL to my website.

2host.com
09-10-2002, 02:06 AM
Originally posted by chrisb
This thread started out with good intentions of showing others a way to manipulate SSL, and asking their opinions about it.


Anyone reading this post, has probably seen good and well the history and order of events. No reason to try and make up a story about how it happened, we can all see the events in this very thread. You posted claiming this and never, even before this 'conflict' showed anyone any proof, URL's or "rewrite rules" you claim will work. You asked if it would work at some point, I said it wouldn't. You then called me arrogant and ignorant for saying it won't. Why didn't you simply post saying "Actually, it will, look" and have been done with it?

I hadn't called you any names, nor did I call you a liar or refer to you as a brat at that time. I did later, because you lied and acted like a brat. After all, these posts are there, unedited. They show you getting defensive and hostile. I doubt Chicken bothered to read every post, seeing how it started in the first few pages. At that point, you were just causing trouble, because I didn't agree that it's possible. You didn't start off your post saying "I've done it", you asked. I didn't come in response to a "I've managed to do this" post and say "No you didn't, liar!". That's how you make it sound, but *anyone* can read the posts and see that's not the case.

I'm not sure who you're trying to kid here? I mean, so you dislike me, because I said this isn't possible. You only had to respond showing that it is. You didn't explain anything that showed you did anything. You didn't even claim you did the entire process successfully. That is why I said that you're not going to be able to do it. Not to mock you, not to "challenge" you or your ego. You still fail to understand this, even after long, detailed and reiterated explanations. I repeatedly stated these things and did not offend you or say any such thing. This is the reason why we're here now and why this thread is likely going to ultimately be locked or trashed. The posts clearly show I did not come in to trash you, but to explain why it wouldn't work.


Unfortunately, someone chose to turn it into trash inventing lies about me,


See, now that there is a lie. You baited this entire thing to make yourself have a reason to fight with me. Why? Why bother? I didn't invent anything. You asked, I answered. I said it won't work, you never said you got it completely working and I said that you won't be able to. I gave reasons. You didn't respond saying you "have completed it", because you didn't. The lie was you saying you got it to work. The problem was you saying I was arrogant and ignorant. I still maintained being civil and attempted to explain to you what I meant, no offense was intended and that why don't you explain yourself or what you're doing better. You became more and more aggressive and started going on about how "it's people like me". I hadn't done one thing other than explain why it wouldn't work. You only needed to be civil and explain better or just provide something to outline your idea to say "Here, it does, check this out". Nay, you instead went on to argue. Do you not see that? Simply because I was fed up with your insults and said you're being a brat and I think you're lying (well into your rants and insults), and that you should provide a URL. You became more abusive and I was at the point where I wanted to just slap you, hard! To act completely irrational and unreasonable and just do nothing but fight with people that try and explain or answer your questions, you could have handled it a lot better. Whatever my reaction was in response, you either wanted it or didn't care. Either way, it's your doing. You can only push someone so far. I'd done nothing to you and you lost it. Still, you're so confused about the events, you claim this below.


calling me names such as jerk, brat, mental case,


Yes, yes and yes. I don't lie and I don't deny what I did do. I did say those things. You were being a jerk (I have no other way to describe it), you were acting like an immature brat for being so hostile for not wanting to hear what I said. You (in my opinion) would have to indeed be a complete mental case to act like that and still not get it -- and even so far as to use it to drive you to continue to assume these things about me and conjure up new ones in addition. Rather than stop and think about what I said, you took one thing the wrong way and jumped off the deep end to never return.


and everything else in between. Surprisingly, the moderator, Chicken, chastises me, and backs up that guy.


Maybe he saw it for what I did? You obviously have some chip on your shoulder. Had I known this, I'd not have responded in the first place. So I'm left with you claiming I'm an arrogant jerk, who doesn't have a clue due to ignorance and to discredit me, because you're so hypersensitive.


I apologize to anyone that was genuinely interested in SSL manipulation.


What in the world did this thread's content, before any 'issues' arose, including now, have anything to do with SSL manipulation? Were you just trying to impress people and didn't expect anyone to respond explaining it doesn't work like that, or to ask you to support your claim? Not out of a challenge, but simply to have a reason for you to have posted telling everyone what you've done? Take it for whatever you want, I obviously can't stop you.


As you can see, from my posts to modihost, I was trying to be genuinely helpful,


Yes, you did in response to another basic question of his. I'm completely honest and fair, I won't deny that. That wasn't valid to your claim though. Of course, that all has absolutely nothing to do with how you've acted towards me for no reason or your attitude -- or this topic -- or your claims.


and it was not me who went off the deep end


The heck it wasn't!


with multiple lengthy posts of insults without substance.

I have given reasons, explanations, details, theories and more, I tried to respond to your points and claims you made and those were on topic, relevant and true. You ignored or didn't understand them, insulted me, lied and accused me of being the problem, all because I posted my knowledge for your benefit. Want to prove that or me wrong? Show us a URL or your magical rewrite rules. Other than that, you're just continuing to be arrogant and mindless. The facts stand, I don't care for your stories. Just because I'm blunt when I say you're acting like a maniacal jerk, doesn't mean it's not true (just because you don't want to hear the truth -- what's new)?

So, let's perhaps agree to have this thread trashed, since I don't care about your ego anymore than you care about mine. It's wasting everyone's time and I'm completely sick of your attitude and lies. I don't have to stand by and allow you to commit these acts, because your ego is fragile. I'd have apologized for any misunderstanding, but it's apparent that it never had anything to do with that. What's left to do? You're the person you are, no reason to try and change it. So, let's move on.

chrisb
09-10-2002, 02:11 AM
Robert, you are the one that's being very immature here. I do not lie. However, I do not believe the truth is in you, and therefore am done with you. Argue all you want. I am no longer reading your posts.

2host.com
09-10-2002, 02:30 AM
Originally posted by chrisb
Robert, you are the one that's being very immature.


Yes, you've said that. Of course you can't prove that. Nonetheless, I don't think it's immature to be human or respond to your offensive claims about me. I just explained and outlined and pointed out the problems, and you want to claim that the more I explain to you, the more immature I am -- yet you can sit there and claim whatever you like? Apparently your own rules don't apply to you. To me, that's madness.


I am done with you.


You said that before. How about if you want to be done with me, you cease accusing me of being these things you continue to claim?


Argue all you want.

I'm not arguing at all. I'm pointing things out and discussing them. I'm being completely genuine and honest about it and using logic. I've even broken it down. I'm not sure what you don't get? Just because by this point I'm not being "nice" to you when you've been attacking me, doesn't mean much. After all, this is not going to be a fact you're willing to accept that is the reason for your hostility towards me, anymore than my act of saying something won't work.

Okay, perhaps I'm not one to enjoy seeing someone that's obviously ignorant about this field to come in claiming outrageous things, claiming they can do things like you claimed. You like to start threads about how "Hey everyone, do this" or "Look what I've done". Your best attempt at that, was your wonderful 'script' that would try and do an "ls -la /home". Why you needed a script for that is beyond me. Not more than two or three weeks ago. This is how advanced you are, huh? You come in claiming that "any host that doesn't pass this test, is less secure than those that do", having no idea what you were talking about. That was really over the top!

Still, people that have some skills in this field explained how that doesn't mean anything and that's less than trivial even to show anything. That is the most dog gone silly thing I've ever seen someone claim to mean something and you so smugly came in claiming how you have been learning security. You mislead people that might not know things then, just as you are in this thread. Well, it's a lot of hooey. This last big news of yours was a joke. I didn't hold it against you, I explained in detail how it means nothing. I was glad to see you interested in it and learning. You have to start somewhere. Then your post about SuEXEC and permissions, etc. and your so very basic questions. You don't understand these things and come running into a thread like an excited child trying to show off. I really don't care about that either, BUT...

Now, you are here claiming another ridiculous thing, completely inaccurate and something that's important to people. You don't understand this and got all excited about some rewrite rule trick that doesn't work how you think it does. I very politely explained and got barely technical about it even and you lost it and tried to claim I didn't know what I was talking about. I tried to politely tell you that perhaps it's not doing what you think, or you need to be more clear about what you're talking about -- because it won't work how it seemed you were claiming it will. You became abusive and started in. The reason; because there was no such thing, you probably found out that it's not doing what you think and you thought by then that I was challenging you. Then you go on about how long you've been "doing computers" (whatever that means).

I really tried to explain to you, offer reasons and you had ample opportunity to show some outline or explain. Instead, you found a scapegoat to save face and save yourself from embarrassment and just decided to try and act like I was a jerk and avoid ever talking about this again. Interesting tactic, as sad as it is, but not convincing. The fact that I have to point out this obvious aspect, just says it all. Few of us here fell off the turnip truck the other day and it's pretty easy to deduce your state of mind by your actions here. Say what you want, but you can still just post your proof. We know why you won't.

Again, I don't hold it against someone for not knowing, but to spread misinformed paranoia or arrogant claims as true, is not the correct way to try and feel important. It's apparent to me, that this is the exact issue at hand and your continued comments and side stepping, and final "whatever, I don't have to show you anyway" comments and actions just support that. I never mocked you or challenged you. I gave you a chance, you failed to be civil in the face of that even. What else can I say? You instead resorted to what you did. I've explained that too. Really, I don't know who you're trying to convince. Perhaps one day you'll apologize and admit you were mistaken. It takes a man to do that, and whenever that day is, is up to you. I've said all I can say by now. I too am done with this, and I hope you can live up to your promise for at least that too. Good luck.

2host.com
09-10-2002, 04:41 AM
Originally posted by chrisb



I thought you were done? Why edit your posts to throw in more nonsense?


I don't think anyone was really interested in SSL manipulation from the responses to this thread except for modihost.


I obviously am to have clicked on it, as anyone else that did. Modihost and myself make two. Go on and show us.... go on. Anyway, when you start actually discussing it, then we'll have a thread about it. I tried, look at my first several posts to see that. Of course, given your requirements below, it's not 'manipulation' anyway. You're just using a real (shared) certificate. You didn't post data through and you didn't have things interact with each other like a real SSL session would.


However, to prove that what I said is true, I will be more than happy to give anyone the rewrite rules and show them that it DOES INDEED WORK, if at least 2 different people ask for it in this thread and are not new posters.


Conditional proof, heh? Well, you've got at least two. Myself and modihost.


You will need to have a host that has shared SSL


Here's where I say "DUH!". If you require a _certificate_ to do this, then you require a certificate! My goodness! Listen to what you're saying. "Just get yourself a real certificate and then create your own, then run through a real certificate to access your own you created". Wow, what a concept. And the point to that is what? I know what you're trying to do. It doesn't work how you think it works. Rather than say "I'll do it if..." why don't you just show people? Stop making excuses. If someone's reading the post, they must be interested.


and your own self-signed certificate in order to test it.


He he.


I started to go thru


Thru? This isn't a drive-thru.


everything Robert said and dispute it, but I don't want to take that time,


Or the proof or ability to. Of course, if what you said was true, you could just post the solution and dispute everything I said right there and then. Of course once you do, I'll explain how it doesn't work, and prove that you don't understand what you're talking about and claiming this does. I'll be fair and tell you what it is doing, but I'll also point out why it's doing it, and I'll point out what it's not doing that you think it is. If you don't want to learn, save yourself the hassle. We all know what this is leading to.


so I'll just point out one more thing. He thinks that because he can see no reason for why I would not post a URL, that it must not be true.


No, I said it's not true, because it's not. I said EITHER post the URL or your so-called solution. That requires no URL. I originally asked for only the URL because you started saying how "it's not perfected and you won't post the rules until it is" and then you said "maybe I won't post it". Either way, it's the same thing, it's the same outcome.


That, again, is arrogance.


No, that, again, is you not reading one darn thing I say and doing your best to twist the events. How in the WORLD can you have such NERVE to continue to call me arrogant, given YOUR arrogance? I mean it, you've got SOME NERVE. I don't know WHO you think you are, but... again, I can't comment further with how I feel about you and this insane attitude of yours!


Because he can't read my mind, and think of a valid reason that I might have, not to post the URL,


Because you are _lying_ or have _no idea_ what you're talking about.


he indicates that it must not be true, even though I explained that was not necessary to prove my claims.


And that excuse doesn't jive with your claim you can prove it without posting a URL. So post the rules already. Stop trying to evade the facts. You've managed to avoid responding to even one of my many valid points and just lie and twist the events and continue to say how you think I'm arrogant. Yeah, whatever, I guess that's why we all see a URL or rules posted, huh? So you sneak in to edit your posts to try and save face once again.


I already posted how and the only thing lacking are the rewrite rules.


Apparently that's ALL there is to it from what you said and you've never shown or discussed anything other than some crude grade-school level "first you need a certificate" (well, no kidding!).


Another reason for not posting a URL is that I prefer anonymity and do not want to publish the URL to my website.

I can imagine, it would be bad for business in your case. Once again, by your own admission, you claim it doesn't need to be a URL to prove, yet you try and delay the topic, interest and subject, as well as accusations, because you know good and well how this sham of yours will turn out. (Much like your "security script". The hilarity is worth the effort, I'm waiting). The more arrogant and stubborn you get, the more I'll point out the flaws in your claims and logic. However, why don't you get it out of your system and post these "magic rewrite rules" and tell people have to run through a REAL SSL certificate so they don't need a real one (huh? Yeah). Just genius. Still waiting. Yeah, maybe I am mocking you by now in this post. Enough already, this is ridiculous!