Self-Signed SSL Certificates

SSL allows you to serve encrypted web pages to website visitors over the HTTPS protocol. A certificate must be signed by a certificate authority that browsers recognize, or the browser will display a warning that questions your site’s authenticity. But OpenSSL also provides the option to create a self-signed certificate, and many web hosting control panels have an option for it.
In most circumstances involving financial transactions, you should purchase a signed certificate, but there are instances when self-signing will suffice. Some examples include private intranets, internal business groupware, web-based control panels, and other content backends. In all of those situations, you need encryption, but it does not matter to you if the certificate is official since you are the one who signed it.
You will still receive the browser warning the first time, but your browser should have a function that allows you to add your site to your browser’s trusted sites. From then on, you will not see the warning, although other users still would see it. If you ever decide that you do actually need to purchase a certificate, you can always change it later. For information about creating a self-signed certificate, see this site.
What You Should Know About SSL Certificates

SSL certificates allow website owners to provide something like a badge of authenticity to their users. In theory a website with a valid certificate should be trustworthy and secure. By default, web browsers will recognize a number of certificate authorities, companies that sell annual certificates and verify them. Depending on the company selling the certificate and the level of encryption, they can run from free to nearly $500.
When a web browser connects to a site without a valid certificate, the user will receive a nasty warning about the site not being trusted. This increases the chances that a user may not stay on the site, and if you are a business, it means that customers may be unwilling to proceed with sales transactions. In some cases, you may even have a self-signed certificate with perfectly secure encryption, but the user’s web browser will still say it is untrusted.
Purchasing a certificate is only the beginning of the process. You will need to set up your server correctly to use it. Each secure HTTPS site will require a unique IP address and correct certificate authority information that matches the certificate. If anything does not match (such as the domain name, a common problem with domain CNAME aliases), web browsers will still spit out errors. Be mindful of all these factors as you choose the right certificate for you.
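The self-signed case from the first post and the name-matching requirement above, as an added example that is not part of the original posts. It assumes OpenSSL 1.1.1 or later; the host names (intranet.example.test, www.example.test), the file names and the helper function names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example. Host names and file names are placeholders (assumptions).
# Requires OpenSSL 1.1.1+ for -addext.

# make_self_signed HOST DIR: write DIR/key.pem and DIR/cert.pem.
# -nodes leaves the key unencrypted so the web server can start unattended,
# so the key file is restricted to its owner.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null &&
        chmod 600 "$2/key.pem"
}

# is_self_signed CERT: true when issuer and subject are the same name.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" = \
      "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')" ]
}

# matches_host CERT HOST: true when the certificate covers HOST.
# -checkhost reports the result as text, so the output is matched.
matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# trusted_by CERT ANCHORS: true when CERT verifies with ANCHORS added as
# trusted roots, the equivalent of a user adding it to their trusted sites.
trusted_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# fingerprint CERT: SHA-256 fingerprint to compare out of band before
# accepting the browser exception.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo on constructed names.
work=$(mktemp -d)
make_self_signed intranet.example.test "$work"
is_self_signed "$work/cert.pem" && echo "issuer equals subject: self-signed"
matches_host "$work/cert.pem" intranet.example.test && echo "name matches"
matches_host "$work/cert.pem" www.example.test || echo "alias not covered: browser error"
trusted_by "$work/cert.pem" "$work/cert.pem" && echo "trusted once imported"
echo "fingerprint: $(fingerprint "$work/cert.pem")"
rm -rf "$work"
```

A visitor whose trust store does not contain this certificate fails the `trusted_by` check even though the name matches, which is the warning other users keep seeing.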
Most web users ignore security certificate warnings

How many times have you searched for the perfect site about the new summer action movie and clicked on a link only to be presented with a warning about a certificate? Do you stop and read the warning? Do you investigate the certificate? Would you even know if the certificate could not be trusted? According to a new study, most web users ignore their browser security certificate warnings.
SSL certificates are supposed to provide users with a level of encryption they can trust for secure (HTTPS) sites. But when a window pops up telling a user the certificate is invalid or has a problem, what should the user do? Carnegie Mellon researchers conducted a study of 409 participants to determine just that. Of the 50 percent of Firefox 2 users who even knew they were being given a security warning, 71 percent said they would ignore it.
Mozilla Firefox 3 makes the warning more difficult to ignore because users have to add an exception in order to allow access to the site, but the looming questions still remain. How do users know which sites to trust? Unless they are security experts, what safety protocols could they reasonably put in place? Website owners certainly bear the brunt of the responsibility to make sure their certificates are properly signed, and this is especially important for financial institutions. The complete findings of the study will be released August 14.
Source: ZDnet Asia