Wanted to open a can of worms...
Posted: Wed Dec 09, 2009 11:27 am
This might be over a lot of people's heads. Heck, it's a little over mine. But the fact that it involves Firefox and Chrome and IE made me think. I'm talking about SSL. You know when you visit a site in Firefox that uses HTTPS but it comes up and says unverified CERT. You have to click and click and click to say verified... get me to the site... I'm thinking this process is how Firefox and other browser companies bank in loads of money. Here is what I'm thinking.
Kind of a little thing on how SSL works behind the scenes. These days when you want to have a cert for your HTTPS site to be secure so those errors don't pop up, you use something like openssl to generate the cert on a local computer. From there it will generate a .csr file which you then send off to a company like VeriSign for hundreds of dollars. As a matter of fact there are a handful of CA (certificate authority) companies out there that do just this. They charge a nominal fee to "verify" your cert. By verifying, all they do is take the information from the .csr like the address, domain, phone number, etc. and make a call and drill questions. "Is this your address?" "Is this your phone number?" And if everything checks out, they say VERIFIED! and send the proper file back for the client to insert into their web server. After that, no more errors saying invalid cert and everyone feels all fuzzy inside. Here is where my worms start to crawl out:
Spending hundreds of dollars or not, anyone out there can VERIFY/sign their own CERT for their website so it will be properly encrypted. It doesn't take a phone call to answer some questions to make a website secure. If you open Firefox and navigate to TOOLS>OPTIONS>ADVANCED>VIEW CERTIFICATES you will see all the CA companies that are pre-populated in that list. By being in that list, those sites' certs won't come up with that error and little granny doesn't have to worry if she is visiting a bad site or not. Knowing that anyone can generate their own cert, sign it themselves, and add it to their website to make it PROPERLY SECURE, why do you have to click a bunch of buttons saying it's not?
My best guess is these companies pay browser makers to implement these features so that people will have to pay CA companies to not get a message that scares most people. If you see the little lock in the lower right corner and you are on an HTTPS site, you're secure! Obviously there is a lot more to it than that, e.g. a site can be fraudulent or hacked behind the scenes but still be secure. My point being, why do website owners have to pay hundreds of dollars to get a phone call to make a site "VERIFIED"?????
I'll tell you what, it would be one heck of a business to get into. Start your own CA company. Charge 30-50 bucks to sign a cert, when all it takes is to type a single command in OPENSSL and send it on its merry way. Quick easy cash. The only drawback would be to spend hundreds of thousands of dollars to have your company be put in the list of CERT verified companies in their next update.
I hope this makes sense, I explained as best I could... (I don't do that very well)
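As an added example (not part of the original post), here is a shell script that walks through the flow the post describes with openssl: a private CA signs a site's CSR, the same CSR is also self-signed, and `openssl verify` plays the role of the browser's trust-store check. The CA name, hostname and file paths are made up for the demo.

```shell
#!/bin/sh
# Constructed demo: one private CA, one site key + CSR, then two certs made
# from that CSR (CA-signed and self-signed), checked against a trust store
# that contains only the CA. Names below are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ_CA="/CN=Example Private CA"     # hypothetical CA
SUBJ_SRV="/CN=www.example.test"      # hypothetical site

# 1. The CA's own key and self-signed root: this is the kind of cert that
#    ships in the browser's pre-populated list.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$SUBJ_CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. The site owner makes a key and the .csr that gets sent to the CA.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ_SRV" \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
}

# 3a. The CA signs the CSR; the resulting cert chains up to ca.crt.
sign_with_ca() {
  openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/site-ca.crt" 2>/dev/null
}

# 3b. The site owner signs the same CSR with their own key instead.
self_sign() {
  openssl x509 -req -in "$WORK/site.csr" -signkey "$WORK/site.key" \
    -days 365 -out "$WORK/site-self.crt" 2>/dev/null
}

# The client-side check: does the chain end in a root the store trusts?
# Exit status 0 = trusted, non-zero = the browser would show the warning.
verify_against_store() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

make_ca; make_csr; sign_with_ca; self_sign
for cert in site-ca.crt site-self.crt; do
  if verify_against_store "$WORK/$cert"; then echo "$cert: trusted"
  else echo "$cert: NOT trusted (unknown issuer)"; fi
done
```

Both certs encrypt the connection equally well; the only difference the verifier sees is whether the signer is in its store, which is exactly what the browser warning is about.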