Update: Some of the information below is out of date. As of 2011-Jan-23 I have replaced my free CAcert certificate with a free StartCom certificate which has much more browser coverage. Every time I posted a link to my blog I was getting more comments about the SSL setup than the article I was posting about.
I’ve been asked a few times recently why this website has started generating SSL certificate warnings. People mistakenly think that my setup is broken in some way, that I’ve made some sort of mistake and that my website is somehow insecure because of it. However, my SSL setup is the way it is by design.
In the past, I used RapidSSL for my certificates as they were reasonably cheap. It bothered me that I had to pay anything for SSL certificates though. It doesn’t cost anything to generate one; just a few CPU cycles. The cost is to cover the fact that they have to “validate” that you own the domain you’re buying the certificate for. Well, nowadays the validation pretty much consists of sending an email to an admin email address, and maybe making an automated phone call. How much does that cost? A fraction of a penny? And yet they charge ridiculous fees… 50 dollars or more per year is not an unusual price. The infrastructure required to run a CA with automated validation isn’t difficult to build; I’m sure I could put one together in a weekend.
So back to my website. People assume that my certificate is “self signed” when they see the warning. This is not the case. My certificate is signed by CAcert. They’re just like any of the other CAs except that they’re a non-profit organisation, their certificates are free, and their root isn’t in your browser yet. Their “non-EV” validation is just as comprehensive as any of the other CAs. If you want to manually install the CAcert root certificate, just go to this page and select the appropriate link for your browser/OS. Then my site, and any other site using CAcert, won’t generate these warnings for you anymore.
I would expect most people aren’t interested in installing SSL root certificates manually and that’s fair enough. The beauty of my setup is that you get to manually decide whether or not you trust the certificate, rather than having a CA do it for you. Even if you don’t trust the certificate, what’s the harm in continuing anyway if you’re not going to be posting personal information or login credentials? That’s your call to make. I’m a pragmatist though, so if this website was anything other than a technical blog for geeks to read, I would still be using a certificate signed by one of the CAs in your browser. I know that in general people don’t like these warning messages and think something iffy is going on when they see them. My audience should be tech-savvy enough to understand what is going on when they see the warning when visiting my website though.
EV certificates are an entirely different matter. I have no problem with them costing more money. EV certificates exist to prove to the user that they aren’t just talking to the domain they think they’re talking to, but that they’re also talking to the correct company. This level of validation obviously costs more money.
My hope is that one day I will be able to publish a fingerprint of my SSL certificate in the DNS, secured by DNSSEC, and that would be enough to prove to your browser that the correct certificate is being used. People who want to use a CA to vouch for their cert are welcome to do so, but those of us who want to “self vouch” for free, would also have that option. This would even be useful for people with certificates signed by one of the CAs in your browser; at the moment, hundreds of CAs can generate valid certificates for their domain, but with the additional DNS check, the user would know that the certificate was vouched for by a known CA and the person running the domain.
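The “fingerprint in DNS” check described above, as an added example that is not part of the original post: the domain owner hashes the served certificate and publishes the digest in a DNS record, and the client hashes whatever certificate the server actually presents and compares the two, so no CA is needed to vouch for it. The record layout (“3 0 1 <sha256>”) follows what was later standardised as DANE/TLSA in RFC 6698; example.com and the throwaway self-signed certificate are constructed so the code runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"strings"
	"time"
)

// PublishFingerprint returns the RDATA of the TLSA record the domain owner
// would publish for a DER-encoded certificate: usage 3 (end-entity cert,
// no CA involved), selector 0 (whole certificate), matching type 1 (SHA-256).
func PublishFingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return "3 0 1 " + hex.EncodeToString(sum[:])
}

// VerifyPresented is the client-side check: parse the DNS record, hash the
// certificate the server actually sent and compare. Only the usage 3 /
// whole-cert / SHA-256 combination is understood; anything else fails closed.
func VerifyPresented(rdata string, presentedDER []byte) bool {
	f := strings.Fields(rdata)
	if len(f) != 4 || f[0] != "3" || f[1] != "0" || f[2] != "1" {
		return false
	}
	sum := sha256.Sum256(presentedDER)
	return hex.EncodeToString(sum[:]) == f[3]
}

// SelfSignedDER makes a throwaway self-signed certificate for cn so the
// example runs offline; in practice you would hash the certificate you serve.
func SelfSignedDER(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```

The digest is of the whole certificate, so reissuing or renewing the certificate requires updating the DNS record too, which is why the DNS data must itself be protected (by DNSSEC, as the post says) for the check to mean anything.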
StartSSL was mentioned to me because they offer some free certificates, but also have their root in some browsers. I was going to try them out but I was put off when I tried to log in using Firefox, was redirected to https://auth.startssl.com/, and was shown the following error message: “An error occurred during a connection to auth.startssl.com. SSL peer was unable to negotiate an acceptable set of security parameters.” If they can’t make SSL work on their own website for Firefox users, why should I have any confidence in them? I also tried connecting using openssl from a Debian box without luck.