Tech Opinion - Do you like warnings for self-signed SSL certificates?
Date: 2008feb4

Q. Do you like warnings for self-signed SSL certificates?

A. Browsers scare users too much over self-signed SSL certificates. For example, Firefox pops this up:

    Unable to verify the identity of <sitename> as a trusted site.

    Possible reasons for this error:

    - Your browser does not recognize the Certificate Authority that issued the site's certificate.
    - The site's certificate is incomplete due to a server misconfiguration.
    - You are connected to a site pretending to be <sitename>, possibly to obtain your confidential information.

    Please notify the site's webmaster about this problem.

    Before accepting this certificate, you should examine the site's certificate carefully. Are you willing to accept this certificate for the purpose of identifying the website <sitename>?

Yikes! But there are thousands (if not millions) of sites out there using self-signed certificates. Firefox and the other browsers should treat this as a special case of invalid certificates.

I think there should be a configuration setting (in the browser) that lets you avoid warnings about self-signed certificates. The lock icon in the corner should be blue or some graphic showing the site is encrypted but not certificated and ... hey that's no big deal.

Why do people (including me) use self-signed certificates?

- They are free
- They might not trust any of the few Certificate Authorities

For me, I assure you, it's cheapness.

If Firefox and other browsers really feel they need to pop up a message for self-signed certificates, I would suggest something like this:

    The traffic with the site will be encrypted. However the webmaster has not gone to any outside authorities to "prove" this site really is <sitename>.

    [X] Never give me this warning again.

    Do you want to continue?

    [OK] [Cancel]

Well, that's what I think anyhow.