The point of an SSL certificate is to assure your clients that you are who you say you are. The problem is that this comes at a price. Verisign charges $995 for a one year cert. This is out of reach for normal users and non-profits.
Verisign and other Certificate Authorities issue digitally signed certificates for your domain name. What does this mean? Your browser ships with some number of root certificates stored in it at install time. When your browser pulls your certificate off a web server it checks the digital signature the Certificate Authority placed on it. If that signature was made by one of the installed root certificates then you go right into the site. If it doesn't match any of them you get a warning.
What does this mean to Joe user? For sites that cannot afford a Certificate Authority signed cert you'll get an error which you'll blindly accept. This defeats the entire purpose of a certificate in the first place.
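The check described above, reproduced with OpenSSL as an added example that is not part of the original post: a constructed "installed" root and a constructed unknown root each sign a site certificate, and only the one chaining to the installed root passes. All names, keys and files are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example: mimic a browser's root-store check with OpenSSL.
# Everything here is constructed locally; no real CA or site is involved.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A self-signed root certificate, standing in for one entry in the browser's root store.
make_root() {  # $1 = file stem, $2 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# 2. A site certificate signed by a given root, which is what a CA issues for your domain.
issue_site_cert() {  # $1 = root stem, $2 = site stem, $3 = hostname
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# 3. The browser's decision: does the site certificate's signature chain to a root we hold?
#    Prints "trusted" or "untrusted" so callers can branch on the result.
check_site_cert() {  # $1 = trust store stem (root we have installed), $2 = site stem
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_root installed_root "Constructed Installed Root CA"
make_root unknown_root "Constructed Unknown Root CA"
issue_site_cert installed_root site_a example.test
issue_site_cert unknown_root site_b example.test

check_site_cert installed_root site_a   # trusted: signed by a root in our store
check_site_cert installed_root site_b   # untrusted: same hostname, but signed by a root we do not hold
```

The second result is exactly the case the warning dialog covers: a valid signature from a CA the browser has never heard of is indistinguishable, to the browser, from a forged one.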
What can you do to help make the web a more secure place? You can support Certificate Authorities such as the folks at http://www.cacert.org. You can support them in three ways.
- If you maintain a web site then please use certificates from cacert.org. The more people that use cacert.org signed certificates the more force you put behind the movement.
- Petition the development group of your favorite browser to include cacert.org’s root certificate in their browser distribution. This will also help generate a critical mass.
- Manually add the cacert.org root certificate to your browser installation. This ensures that when you go to a cacert.org web site you will benefit from the knowledge that the web site you are visiting really is what you think. Directions for this are here.
So how do you know that cacert.org is as secure and reliable as a commercial Certificate Authority such as Verisign? That is up to you to gauge your level of trust. To do this please visit their web site. There you'll see the level of effort they go through to ensure integrity is maintained: procedures such as in-person assurer verification requiring two government picture IDs, a root certificate server that is not on a network and is attached to the world only via a serial cable, and an intrusion detection setup that shuts the machine down on any sign of non-standard access.
You already support the open source community by using such software as Firefox, Thunderbird, google, email, etc. Start to support other open initiatives such as cacert.org. Their procedures are as secure, if not more secure, than those of commercial companies that provide the same level of service.