The point of an SSL certificate is that your clients can be assured that you are who you say you are. The problem is that this comes at a price: Verisign charges $995 for a one-year certificate, which is out of reach for ordinary users and non-profits.
Verisign and other Certificate Authorities issue digitally signed certificates for your domain name. What does this mean? Your browser ships with some number of root certificates installed. When your browser fetches your certificate from a web server, it checks the digital signature the Certificate Authority placed on it. If that signature verifies against one of the installed root certificates, you go right into the site. If it doesn’t, you get a warning.
What does this mean to Joe User? For sites that cannot afford a certificate signed by a recognised Certificate Authority, you get an error which you blindly accept. This defeats the entire purpose of a certificate in the first place.
What can you do to help make the web a more secure place? You can support Certificate Authorities such as the folks at http://www.cacert.org, in three ways.
- If you maintain a web site, use certificates from cacert.org. The more people that use cacert.org-signed certificates, the more force you put behind the movement.
- Petition the development group of your favorite browser to include cacert.org’s root certificate in their browser distribution. This will also help generate a critical mass.
- Manually add the cacert.org root certificate to your browser installation. This ensures that when you go to a web site with a cacert.org-signed certificate, you benefit from knowing that the site you are visiting really is what you think it is. Directions for this are here.
So how do you know that cacert.org is as secure and reliable as a commercial Certificate Authority such as Verisign? That is up to you to gauge, according to your own level of trust. To do this, visit their web site, where you will see the level of effort they go through to ensure integrity is maintained: procedures such as in-person assurer verification requiring two government photo IDs, a root certificate server that is not on a network and is attached to the world only via a serial cable, and an intrusion detection setup that shuts the machine down on any sign of non-standard access.
You already support the open source community by using software such as Firefox, Thunderbird, Google, email, etc. Start to support other open initiatives such as cacert.org. Their procedures are as secure as, if not more secure than, those of commercial companies that provide the same level of service.
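The root-store check described above, as an added example that is not part of the original post: it builds a throwaway PKI with two constructed roots (one standing in for a root every browser ships, one for a root no browser ships, which is cacert.org's situation), issues a site certificate under the unshipped root, and runs the same chain check a browser does before and after that root is imported. All names and keys are constructed locally; none of this is cacert.org's material.

```shell
#!/bin/sh
# Added example (not from the post): what a browser does with a certificate whose issuer
# is, or is not, in its bundled root store. All keys and names are constructed locally.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root NAME -> self-signed CA certificate $WORK/NAME.crt with key $WORK/NAME.key
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout "$WORK/$1.key" \
    -out "$WORK/$1.crt" -subj "/CN=$1 (constructed)" >/dev/null 2>&1
}

# issue_site NAME ROOT -> leaf certificate $WORK/NAME.crt signed by ROOT's key
issue_site() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -out "$WORK/$1.crt" >/dev/null 2>&1
}

# browser_check STORE CERT -> 0 and "trusted" if CERT chains to a root in STORE, else 1 and a
# warning. -no-CAfile/-no-CApath keep the host's default CA file and directory out of the
# lookup, so STORE plays the role of the browser's own bundled root list.
browser_check() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "trusted: $2"; return 0
  fi
  echo "WARNING, unknown issuer: $2"; return 1
}

make_root commercial-ca   # a root the browser ships with
make_root community-ca    # a root no browser ships (the cacert.org situation in the post)
issue_site www.example.test community-ca
# A self-signed site certificate, for comparison with the community-signed one
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$WORK/self.key" \
  -out "$WORK/self.crt" -subj "/CN=self.example.test" >/dev/null 2>&1

# The browser as shipped: only the commercial root installed
cat "$WORK/commercial-ca.crt" > "$WORK/shipped-store.pem"
# The same browser after the user imports the community root (the post's third step)
cat "$WORK/commercial-ca.crt" "$WORK/community-ca.crt" > "$WORK/patched-store.pem"

browser_check "$WORK/shipped-store.pem" "$WORK/www.example.test.crt" || true  # warning
browser_check "$WORK/shipped-store.pem" "$WORK/self.crt" || true              # same warning
browser_check "$WORK/patched-store.pem" "$WORK/self.crt" || true              # still a warning
browser_check "$WORK/patched-store.pem" "$WORK/www.example.test.crt"          # trusted
```

Until the community root is in the store, the CA-signed certificate and the self-signed one produce exactly the same warning; only importing the root changes the outcome, and only for certificates that chain to it.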
cacert.org sounds like a good idea, but really it is quite useless right now and I don’t expect it to change anytime soon.
That is so because NONE of the mainstream browsers include their root certs, hence all visitors have to click away 2 warnings (which most will do, however).
Now what is the difference to using a SELF-signed certificate then? None actually: encryption works, same warnings to be clicked away unless you manually import a root cert. So where’s the point in going through the tedious cacert process? None really.
That is a bit sad, but it simply is that the browser manufacturers exploit their monopoly and charge big bucks for audits to get your root CA included. And those going through that process want big ROI and hence charge rip-off prices. Really, a realistic price for an email-response validated cert is like $1 / year and for a manually document-validated one about $20. But the certs that work without warning on the browsers are always way more expensive, so simply keep your hands off them, I would say.
Alternatives with at least some merit are:
1. http://www.startssl.com/, free, only Firefox 2.0 on, but at least one major browser. Sigh. Currently the best truly free version.
2. Use a Comodo test certificate. Renew it every 90 days. Not really handy but saves the rip-off prices. Comodo is a little less rip-off than Verisign and so on, but still by a large factor too expensive.