You know, there's no reason for people to think of it as a red flag, because it really isn't a bad thing per se. The security comes from the fact that the communication with the server is encrypted. It doesn't matter whether the certificate is valid or not. Browsers throw up that warning for all self-signed certificates, for example. They throw up the warning anytime you have a certificate that isn't on their approved "certificate authority" list, aka the SSL mafia protection racket.
The only security having a valid certificate recognized by browsers gives you is that you know who you're talking to (i.e. which website you're on). Well, sorta.
You see, if I type in https://www.paypal.com/, I get to see an SSL certificate from a trusted authority that tells me, "yep you are on the paypal website and your connection is encrypted". Great!
If I type in https://www.paypal.com/ and they have a self-signed certificate or a certificate issued by someone not on your browser's trusted certificate authority list (lots of places, especially small one-man dev shops, sign their own certificates to save money), the connection is still encrypted. It's just that I have no guarantee I am on paypal's website. Except I do have a guarantee: I typed in paypal.com (hopefully). Of course, some people Google search for "paypal" and then click on it.
If I type in https://www.pay-pal.info/ or some such, it might present me with a valid certificate, saying "congrats your connection is secure and we verify you are on the pay-pal website".
Except the pay-pal website may not be the paypal website. Ignorant people won't know the difference between paypal's real website and SSL certificate and a knockoff's fake website and fake SSL certificate.
So you see, the only real security you get from SSL is the fact that it's encrypted, not the certificate. That's why lots of people self-sign their certificate, because then you can implement SSL for free instead of having to pay an annual fee (which is per domain, so it can add up for those of us with lots of domains).
Yes, I completely agree that the browsers throw up this big scary message whenever the certificate doesn't come from one of their approved "authorities", and that's a bad first impression for your customers. But I also don't like complying with the protection racket just because it's the simplest solution. It may be easiest to just give the bully your lunch money, but that doesn't mean I won't fight for alternatives.
You can direct first-time visitors to your non-SSL site so they can get to know you first, before you put them through the SSL. You can have a page to specify precisely why you use a self-signed certificate (lots of people do). Or, in my mind, the ideal solution would just be for browsers to stop verifying certificates at all. There should be no warning message, unless there is a problem with the encryption itself. Your connection should either be SSL-encrypted or unencrypted; the browsers should make no attempt to identify whom you're connected with.
I post a lot on Hacker News, Google dev forums and the like. A lot of people think like I do, and I take every opportunity to push browser devs in this direction (or at least remind them about it), especially my favorite one, Chrome. But in the meantime, I am not gonna get an "official" SSL certificate any more than I am going to pay the BBB for their own version of a protection racket.