Slashdot Mirror
Free SSL Certificate Project
An anonymous reader writes "Do you have a website or run even a web server and want to secure the traffic between your visitors browser and the web site? Did you find out, that in order to make your site SSL aware, you'll need a SSL (Secure Sockets Layer) certificate? Are you also surprised to find out that such a certificate can cost you up to a few hundred dollars, valid for one year only? For what, you might ask yourself? Linuxlookup.com is running a small article on free SSL certificates."
Just explain to your customers why you cert isnt registered.
Are steak-knives included in the article? Here's a tip for the AC. Don't make your post sound like a cheap advert. This is a news aggregator (well, it claims to be anyway). Articles should have summaries in a manner that most respected news-sources use. Not like some used car salesman. And if this is off-topic. Sorry, but I'm discussing all that I can, the article summary. The site's down so I can't read the article itself.
Anyone CAN get one! All you have to do is pay X amount of money.
Besides, do you really trust people such as Verisign to actively control certs?
Like being able to self-issue a certif is new? Used some random tool that came with MS Office to do it last time I had a use for one, of course that was Office 2K or thereabouts but it's probably still there, and there are probably alot of other ways to self-issue one. The entire point of the big expensive ones is that you have a "trusted" authority validating the transaction.
Common sense says, make sure the StartCom CA Certificate is not on any of my machines!
The entire point of using certificates is so that you know that there is a certified binding between a public key and an identity. If you don't know who will recieve your encrypted information then there's no point encrypting it in the first place!
In fact, even mod_ssl has information on how to do so on the site:
http://www.modssl.org/docs/2.6/ssl_faq.html#ToC27
- - - - - Fear not the reaper, but my shiny white teeth.
Oh and he was protecting his customers by parading around to the press with his lips attached to Daryl's buttocks right? You do remember him traveling around with Daryl spewing their BS to everyone right? Give me a frigging break I won't buy crap from them, I also refuse to help anyone hosting stuff on their servers.
Got Code?
Think about this for a minute... The purpose of SSL is not to secure data during transport, it is to secure data during transport AND to verify to the sender that the reciever is who they claim to be.
Without identity verification there is NO POINT in encryption for most usages.
The point is to make the person who is submitting their credit card number resonably secure in the knowledge that they are sending it to who they think they are. This cannot happen without identity verification.
- sigs are stupid
1. Getting an SSL certificate can require that you fax a copy of your articles of incorporation, public contact information, etc. Someone ends up doing some legwork to ensure that you are who you say you are and that you can be tracked down in the event that there is a complaint.
2. Virtual hosts often share a single IP among many websites. You can't just authorize a name; SSL requires (from my understanding) a unique IP. That would make the IPv4 system even more strained.
3. Certification pricing is partly based on trust. Anyone can generate a free certificate. But it won't work with every system because it wasn't created by a "trusted provider."
If you can't afford a $200US/year fee for conducting "secure" business online, I probably wouldn't want to do business with you anyway.
Well, the point of SSL is to encrypt communications. But the point of a signed certificate is to prevent impersonation. If a trusted authority allows anyone to get a certificate for any domain name, then it becomes easy to impersonate someone's site.
I'm not sure what the point of this is, if the browsers don't have these folks listed as trusted authorities. You can already sign your own certificate and get the same effect. But if you are asking your customers/users to accept a certificate that is not signed by a trusted authority, you are leaving yourself open to being impersonated.
Many fine, relevant comments have already been made in this thread. But I didn't see anyone point out the downside of free SSL certificates: free phishing sites!
Yes, it's possible to freely self-sign certificates to get encryption. I run my own certificate authority for encrypting traffic among my clients, if they aren't conducting e-commerce. These self-signed certificates work fine without triggering a browser warning--if you import the certificate authority certificate.
For my public/e-commerce sites, I use FreeSSL, at $35/year. This buys me a blessing from a CA that is pre-installed in over 95% of all browsers in use. What's not covered? Konqueror. Curl. I think Safari, though I haven't checked recently. For my clients who want those to work, I suggest spending the ~$120 or so for a Geotrust cert.
Now, imagine if every spammer in the world could get an SSL certificate for free... Already domains are cheap enough that they can set them up to easily spoof real web sites--banks, etc. Imagine if every one of those had an SSL certificate, and didn't trigger a browser warning? Most people I know look for the lock. If the lock is there, they trust the site. They don't actually look at the certificate, or even the URL much.
For this reason alone, I'm glad certs aren't free. You can do encryption for free, but I'd prefer my browser to at least let me know the site I'm visiting is too cheap to buy a real cert. (that's not meant as a slam, since I'm too cheap to buy one for most of my sites...).
Cheers,
Freelock Computing
Open Source Solutions for Small Business Problems
Freelock Computing