Tech Opinion - Do you like warnings for self-signed SSL certificates?
Date: 2008feb4
Q. Do you like warnings for self-signed SSL certificates?
A.
Browsers scare users too much over self-signed SSL certificates.
For example, Firefox pops this up:
Unable to verify the identity of <sitename> as a trusted site.
Possible reasons for this error:
- Your browser does not recognize the Certificate Authority that issued the
site's certificate.
- The site's certificate is incomplete due to a server misconfiguration.
- You are connected to a site pretending to be <sitename>, possibly to
obtain your confidential information.
Please notify the site's webmaster about this problem.
Before accepting this certificate, you should examine the site's
certificate carefully. Are you willing to accept this certificate for
the purpose of identifying the website <sitename>?
Yikes! But there are thousands (if not millions) of sites out there using
self-signed certificates. Firefox and the other browsers should treat this
as a special case of invalid certificates. I think there should be a
configuration setting (in the browser) that lets you avoid warnings
about self-signed certificates. The lock icon in the corner should be
blue or some graphic showing the site is encrypted but not certificated
and ... hey that's no big deal.
Why do people (including me) use self-signed certificates?
- They are free
- They might not trust any of the few Certificate Authorities
For me, I assure you it's cheapness.
If Firefox and the other browsers really feel they need to pop up a message
for self-signed certificates, I would suggest something like this:
The traffic with the site will be encrypted.
However the webmaster has not gone to any outside authorities
to "prove" this site really is <sitename>.
[X] Never give me this warning again.
Do you want to continue?
[OK] [Cancel]
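To make the distinction between the two dialogs concrete, here is an added example (not code from the original post): it mints a self-signed certificate the "free" way with the openssl command-line tool, mints a second certificate for the same name but issued by a throwaway private CA, and then runs the three checks a browser would need in order to decide "self-signed, encrypted but nobody vouches for the name" versus "some other invalid certificate". It assumes openssl 1.1.1 or newer is installed; the hostname example.test and the CA name are made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: mint a self-signed certificate the
# "free" way, then run the checks a browser would need to tell "self-signed" apart
# from other invalid certificates. Assumes the openssl CLI (1.1.1 or newer, for
# -addext); the hostname example.test and the CA name are made up for the demo.
set -eu

# make_self_signed DIR HOST: write DIR/key.pem and DIR/cert.pem, signed with its own key.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# make_privately_signed DIR HOST: same leaf, but issued by a throwaway private CA,
# so issuer != subject and the browser's "unknown CA" case is exercised too.
make_privately_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Throwaway Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/req.pem" 2>/dev/null
    openssl x509 -req -in "$1/req.pem" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/cert.pem" 2>/dev/null
}

# is_self_issued CERT: "yes" when issuer and subject names are identical.
# That alone is only a hint: anyone can put the same name in both fields.
is_self_issued() {
    iss=$(openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^[^=]*= *//')
    sub=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[^=]*= *//')
    if [ "$iss" = "$sub" ]; then echo yes; else echo no; fi
}

# verifies_with_own_key CERT: "ok" when the signature checks out using the
# certificate itself as the only trust anchor. This is what "self-signed" means.
verifies_with_own_key() {
    if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then echo ok; else echo bad; fi
}

# chains_to_system_store CERT: "ok" when a trusted CA vouches for it, which is the
# one check a self-signed certificate can never pass.
chains_to_system_store() {
    if openssl verify "$1" >/dev/null 2>&1; then echo ok; else echo untrusted; fi
}

# classify_cert CERT: the decision a browser would make before choosing a dialog.
#   trusted      - normal padlock, no warning
#   self-signed  - encrypted, nobody outside vouches for the name (the mild dialog above)
#   other        - signed by an unknown issuer, or a broken signature: keep the scary dialog
classify_cert() {
    if [ "$(chains_to_system_store "$1")" = ok ]; then
        echo trusted
    elif [ "$(is_self_issued "$1")" = yes ] && [ "$(verifies_with_own_key "$1")" = ok ]; then
        echo self-signed
    else
        echo other
    fi
}

# Demo: build both kinds of certificate and classify them.
demo() {
    for kind in make_self_signed make_privately_signed; do
        dir=$(mktemp -d)
        "$kind" "$dir" example.test
        printf '%-22s issuer==subject:%-4s own-key:%-4s system-store:%-10s => %s\n' \
            "$kind" "$(is_self_issued "$dir/cert.pem")" "$(verifies_with_own_key "$dir/cert.pem")" \
            "$(chains_to_system_store "$dir/cert.pem")" "$(classify_cert "$dir/cert.pem")"
        rm -rf "$dir"
    done
}
demo
```

Two practical notes. The issuer-equals-subject test on its own is not enough to call something self-signed, since any certificate can carry the same name in both fields, so the classifier also requires the signature to verify with the certificate's own key. The `-addext "subjectAltName=DNS:..."` flag is there because current browsers match the hostname against the subjectAltName extension and ignore the CN, so a self-signed certificate minted without it trips a hostname-mismatch error on top of the trust warning.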
Well, that's what I think anyhow.