Security Certificates

when your browser scares you with the infamous “this site is not trusted”

When you go to some sites, your browser puts a big scary security warning in your face, or pops up a "Content Blocked" balloon. But really, what does it mean?

Well, two things: (1) it has switched to Secure Sockets Layer (SSL, with https: in the address), and is now encrypting all communications, but (2) its SSL certificate has a problem, or it is loading something from an “insecure” (http:) source—usually an ad, image, or other remote content.

Now let’s put this into perspective.

First, you can either have an un-encrypted, plain-text connection on http port 80. Or, you can have an encrypted connection, that cannot be intercepted en-route, on https port 443. Anyone and everyone can create their own certificate (with OpenSSL) that enables this transport encryption, but unless it comes from a trusted "Certificate Authority," your browser doesn't trust it, so it gives a warning.

Second, the encryption certificate can come from anyone, or it can be issued (for a whopping fee of $100-$1500 a year) by some “approved” certificate authority (CA). These CA root certs are already in your browser, and if some site has a cert from one of them, you don’t get the nasty warning — but you do know for sure that the identity of the web site has been independently verified. This is a very good thing when you need to be sure that your bank really is your bank!

So we see two things in play: (1) https encryption and, (2) identity verification. Unfortunately, the “powers-that-be” have decided that one equals the other. But does it?

Cases: (1) you go to log into a free site so you can post a comment. Your connection should be https, port 443, encrypted, to keep prying eyes from reading your password. Or, (2) You go to a commerce site to buy something: Your connection should be encrypted, and you should “trust” a “certificate authority” to have verified the “ownership” of the secured connection. I mean, would you really transfer money otherwise?!

In the first case, you are logging into a free site, and no personal or financial information is requested or transmitted. You really don’t need to care about a verified identity, you just want your password hidden en-route. Such sites may use a self-signed (free) SSL certificate, which causes your browser to go SSL but put that warning in your face. But if you elect to continue, you still get 100% secure mil-grade encryption of the connection. You are not buying anything, and if the site asks you for financial details, you just dump it. Simple!

In the second case, you are buying something (or accessing your financial accounts) and you need both a secure connection and verified identity. In this case, DO NOT continue past the browser’s warning! Any real bank or e-merchant will have the “trusted” certificate, with their identity verified by a CA that is known to your browser. After all, they’re making millions off you and can afford a verified identity at those high prices.

So, the long and short of it is, any site can use a free self-signed certificate to encrypt your log-in/registration page, and your browser will show a warning. All that warning means is that the encryption certificate isn’t backed by some CA (at a rip-off price) — but WTH, it’s just a free log-in to a forum or something, and if you continue, you’ll have an encrypted connection, just as good as any, with which to transmit your log-in or registration. What you don’t have is any verification of the site owner. So never give any real personal or financial information on any site without a LOCK icon and https in the address bar.

The opposite side is when you are buying something, plan to enter your CC# — in that case, never, never, never continue past a security warning! A site without a valid CA-trusted certificate that asks for personal and financial details may very well be a phishing site (it could look exactly like your bank), run by criminals that want to steal your identity.
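To make the two cases above concrete, here is an added example (not part of the original post) that uses OpenSSL to reproduce the two checks a browser makes before deciding whether to show the warning: is the certificate signed by a CA in the trust store, and does the name on it match the site you asked for? The names forum.example, bank.example, shop.example and “Example Root CA” are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce with OpenSSL the two checks
# a browser makes before it shows (or withholds) the warning described above:
#   1. is the certificate signed by a CA already in the trust store?
#   2. does the name on the certificate match the site that was requested?
# All names (forum.example, bank.example, shop.example, Example Root CA) are constructed.
set -e
WORK=$(mktemp -d)
SELF="$WORK/self.crt"; CA="$WORK/ca.crt"; BANK="$WORK/bank.crt"

# (a) A free self-signed certificate: anyone can make one, and it encrypts the
#     connection just as well, but no CA vouches for the name inside it.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=forum.example" \
  -keyout "$WORK/self.key" -out "$SELF" 2>/dev/null

# (b) A private root CA (standing in for a root already shipped in the browser)
#     and a certificate it issues to bank.example after "verifying" the owner.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
  -keyout "$WORK/ca.key" -out "$CA" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=bank.example" \
  -keyout "$WORK/bank.key" -out "$WORK/bank.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/bank.csr" -CA "$CA" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$BANK" 2>/dev/null

# browser_check CERT TRUSTSTORE HOSTNAME
# Prints "OK: host" when the chain ends at a trusted root AND the name matches,
# otherwise "WARNING: host" (what the browser turns into its scary page).
# Note: real browsers require the name in subjectAltName; openssl falls back to
# the CN when no SAN is present, which keeps this example short.
browser_check() {
  if openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1; then
    echo "OK: $3"
  else
    echo "WARNING: $3"
  fi
}

# Same cryptography on the wire, different verdicts:
browser_check "$SELF" "$CA"   forum.example  # WARNING: no trusted CA signed it
browser_check "$SELF" "$SELF" forum.example  # OK: the user chose to trust it (added an exception)
browser_check "$BANK" "$CA"   bank.example   # OK: issued by a trusted CA, name matches
browser_check "$BANK" "$CA"   shop.example   # WARNING: real CA, but the name is not the site asked for
```

The last case is the one that matters for the phishing scenario: a perfectly valid CA-issued certificate still produces the warning when the name on it is not the site in the address bar.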

Our Site Security

As of June 11, 2019, this site now uses a basic CA-approved SSL certificate provided by our web hosting company. You should see a lock in your address bar. You may also see an "Insecure Content Blocked" (or similar message) pop up, which is caused by some Google and Amazon ads being called in http mode. Note that there are no ads “on” this site—they are dynamically called into your browser when you load a page.

If you choose to Donate to this site, well, that’s handled by PayPal and their trusted CA.

Smart web browsing is both an art and a science.

Hope this helps,
—kv5r
