Security Certificates

when your browser scares you with the infamous “this site is not trusted”

When you first go to register or log-in on this site, your browser puts a big scary security warning in your face. But really, what does it mean?

Well, two things: (1) it has switched to secure (https:) mode, and is now encrypting all communications, and (2) it’s doing so with my self-signed SSL certificate.

Now, let’s put this into perspective.

First, you can either have an un-encrypted, plain-text connection on http port 80. Or, you can have an encrypted connection, that cannot be intercepted en-route, on https port 443. Anyone and everyone can create their own certificate that enables this transport encryption.

Second, the encryption certificate can come from anyone, or it can be issued (for a whopping fee of $100-$1500 a year) by some “approved” certificate authority (CA). These CA root certs are already in your browser, and if some site has a cert from one of them, you don’t get the nasty warning — but you do know for sure that the identity of the web site has been independently verified. This is a very good thing when you need to be sure that your bank really is your bank!

So we see two things in play: (1) https encryption and, (2) identity verification. Unfortunately, the “power-that-be” have decided that one = other. But does it?

Cases: (1) you go to log into a free site so you can post a comment. Your connection should be https, port 443, encrypted, to keep prying eyes from reading your password. Or, (2) You go to a commerce site to buy something: Your connection should be encrypted, and you should “trust” a “certificate authority” to have verified the “ownership” of the secured connection. I mean, would you really transfer money otherwise?!

In the first case, you are logging into a free site, and no personal or financial information is requested or transmitted. You really don’t need to care about a verified identity, you just want your password hidden en-route. Such sites, like this one, use a self-signed (free) SSL certificate, which causes your browser to go SSL but put that warning in your face. But if you elect to continue, you still get 100% secure mil-grade encryption of the connection. You are not buying anything, and if the site asks you for financial details, you just dump it. Simple!

In the second case, you are buying something (or accessing your financial accounts) and you need both a secure connection and verified identity. In this case, DO NOT continue past the browser’s “not trusted” warning! Any real bank or e-merchant will have the “trusted” certificate, with their identity verified by a CA that is known to your browser. After all, they’re making millions off you and can afford a verified identity at those high prices.

So, the long and short of it is, any site (like this one) can use a free self-signed certificate to encrypt your log-in/registration page, and you browser will show a warning. All that warning means is that the encryption certificate isn’t backed by some CA (at $100-$1500/year rip-off price) — but WTH, it’s just a free log-in, and if you continue, you’ll have an encrypted connection, just as good as any, with which to transmit your log-in or registration.

The opposite side is when you are buying something, plan to enter your CC# — in that case, never, never, never continue past a security warning!

Hey, you’re not buying anything here, we don’t ask you for any financial stuff, and so we don’t pay some CA $100-$1500/year to verify our identity. If we did, we’d have to bill you for access! And if you choose to Donate to this site, well, that’s handled by PayPal and their trusted CA, not us.

In my opinion, combining encryption with identity verification is a big scam: both encryption and identity verification should be free for everyone — or there should be low-cost (non-profit) alternatives for non-commercial sites. Yes, there are few “free” verified SSL certificate providers, but then you get to the fine print: if you even have so much as a Donate button or Google ad on the site, they consider it “commercial” and deny your request! Then they try to up-sell you into one of their expensive commerce certs.

I, for one one of millions, do not have the money to pay to officially “trust” my identity, but you can still enjoy the fruits of my labor, including an encrypted log-in.

Smart web browsing is both an art and a science.

Hope this helps,
—kv5r

One thought on “Security Certificates

Leave a Reply

Your email address will not be published. Required fields are marked *