Wanted to open a can of worms...

Post by Dragon_Cooler »

This might be over a lot of people's heads. Heck, it's a little over mine. But the fact that it involves Firefox and Chrome and IE made me think. I'm talking about SSL. You know when you visit a site in Firefox that uses HTTPS but comes up and says unverified CERT. You have to click and click and click to say verified...get me to the site... I'm thinking this process is how Firefox and other browser companies bank in loads of money. Here is what I'm thinking.

Kind of a little thing on how SSL works behind the scenes. These days when you want to have a cert for your HTTPS site to be secure so those errors don't pop up, you use something like openssl to generate the cert on a local computer. From there it will generate a .csr file which you then send off to a company like Verisign for hundreds of dollars. As a matter of fact there are a handful of CA (certificate authority) companies out there that do just this. They charge a nominal fee to "verify" your cert. By verifying, all they do is take the information from the .csr like the address, domain, phone number, etc. and make a call and drill questions. "Is this your address?" "Is this your phone number?" and if everything checks out, they say VERIFIED! and send the proper file back for the client to insert into their web server. After that, no more errors saying invalid cert and everyone feels all fuzzy inside. Here is where my worms start to crawl out:

Spending hundreds of dollars or not, anyone out there can VERIFY/Sign their own CERT for their website so it will be properly encrypted. It doesn't take a phone call to answer some questions to make a website secure. If you open Firefox and navigate to TOOLS>OPTIONS>ADVANCED>VIEW CERTIFICATES, you will see all the CA companies that are pre-populated in that list. By being in that list those sites' certs won't come up with that error and little granny doesn't have to worry if she is visiting a bad site or not. Knowing that anyone can generate their own cert, sign it themselves, and add it to their website to make it PROPERLY SECURE, why do you have to click a bunch of buttons saying it's not?
My best guess is these companies pay browser makers to implement these features so that people will have to pay CA companies to not get a message that scares most people. If you see the little lock in the lower right corner and you are on an HTTPS site, you're secure! Obviously there is a lot more to it than that, e.g. a site can be fraudulent or is hacked behind the scenes but still be secure. My point being is why do website owners have to pay hundreds of dollars to get a phone call to make a site "VERIFIED"?????

I'll tell you what, it would be one heck of a business to get into. Start your own CA company. Charge 30-50 bucks to sign a cert that all it takes is to type a single command in OPENSSL and send it on its merry way. Quick easy cash. The only drawback would be to spend hundreds of thousands of dollars to have your company be put in the list of CERT verified companies in their next update.

I hope this makes sense, I explained as best I could...(I don't do that very well)
Re: Wanted to open a can of worms...

Post by Darkstar »

http://www.startssl.com/

Free SSL certs from a CA company

:drinkers:
Phenom II 1075T,Phenom II 1090T,Intel i7 870
Gigabyte 890XA-UD3
Evga GTX460
8 GB Corsair
Agility2 120GB SSD
Dual 24" Samsungs LCD's
Re: Wanted to open a can of worms...

Post by dicecca112 »

Plus if you have a Windows Server OS you can create your own Certificate Authority, and issue your own
Re: Wanted to open a can of worms...

Post by Darkstar »

dicecca112 wrote:Plus if you have a Windows Server OS you can create your own Certificate Authority, and issue your own

which you pretty much have to do if you want to use windows mobile phones, etc. without paying one of the big guys....

:drinkers:
Re: Wanted to open a can of worms...

Post by dicecca112 »

Darkstar wrote:
dicecca112 wrote:Plus if you have a Windows Server OS you can create your own Certificate Authority, and issue your own

which you pretty much have to do if you want to use windows mobile phones, etc. without paying one of the big guys....

:drinkers:

Hey I set one up for work, it can't be that hard if I can do it :)
Re: Wanted to open a can of worms...

Post by Darkstar »

dicecca112 wrote:
Darkstar wrote:
dicecca112 wrote:Plus if you have a Windows Server OS you can create your own Certificate Authority, and issue your own

which you pretty much have to do if you want to use windows mobile phones, etc. without paying one of the big guys....

:drinkers:

Hey I set one up for work, it can't be that hard if I can do it :)

It's not :) What's scary though is how easy it is for anyone to connect an iPhone to a network...... :evil:

:drinkers:

Re: Wanted to open a can of worms...

Post by Sporg »

Ah crap, thanks for the reminder on figuring out a client problem. Stupid Palm Centro and exchange 2003 not communicating...GARRRRR!!!!
I would never die for my beliefs because I might be wrong.
~Bertrand Russell
Re: Wanted to open a can of worms...

Post by Dragon_Cooler »

dicecca112 wrote:Plus if you have a Windows Server OS you can create your own Certificate Authority, and issue your own

That is the thing.. Anyone can create their own and sign and verify it. But if you create your own it will come up with the cert verification error that you have to click "I understand the risks" etc...

Did no one see where I was getting at? lol

If your cert isn't made through Verisign or those companies in the list in Firefox it comes up with that error. People that don't know any better see that error and don't visit the site. So you are left to pay money to get a "verified" cert so people will visit your site.
Re: Wanted to open a can of worms...

Post by dicecca112 »

Dragon_Cooler wrote:
dicecca112 wrote:Plus if you have a Windows Server OS you can create your own Certificate Authority, and issue your own
That is the thing.. Anyone can create their own and sign and verify it. But if you create your own it will come up with the cert verification error that you have to click "I understand the risks" etc...

Did no one see where I was getting at? lol

If your cert isn't made through Verisign or those companies in the list in Firefox it comes up with that error. People that don't know any better see that error and don't visit the site. So you are left to pay money to get a "verified" cert so people will visit your site.

Not true, if you do your certs right, no error. We have plenty of SSLified sites running in the office that don't pull that error, and I issued all the certs myself
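
The disagreement above comes down to which issuers the client's trust store contains. As an added example (not part of any post in this thread), the following shell script signs one CSR two ways with openssl and checks each result against different trust stores; the CA name, host name and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example. All names (Example Internal Root CA, intranet.example.test)
# are constructed; keys and certs live in a throwaway temp directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'subjectAltName=DNS:intranet.example.test\nbasicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"

make_pki() {
  # Private root CA (the role a Windows Server CA or openssl can fill).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Server key and the .csr that would otherwise go to a commercial CA.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=intranet.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  # Option A: sign the CSR with its own key (self-signed).
  openssl x509 -req -in "$WORK/srv.csr" -signkey "$WORK/srv.key" -days 30 \
    -extfile "$WORK/leaf.ext" -out "$WORK/self.crt" 2>/dev/null
  # Option B: sign the same CSR with the private root CA.
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/ca_signed.crt" 2>/dev/null
}

# trusted_by STORE CERT: succeeds only if CERT chains to an anchor in STORE,
# the same kind of check a browser runs against its built-in CA list.
trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {
  if trusted_by "$1" "$2"; then echo "$3: trusted"; else echo "$3: warning page"; fi
}

make_pki
report "$WORK/ca.crt"   "$WORK/ca_signed.crt" "CA-signed cert, root imported on client"
report "$WORK/self.crt" "$WORK/ca_signed.crt" "CA-signed cert, root not imported"
report "$WORK/ca.crt"   "$WORK/self.crt"      "self-signed cert, no exception"
report "$WORK/self.crt" "$WORK/self.crt"      "self-signed cert, exception stored"
```

Both certificates carry the same public key and give the same encryption; the only thing that changes between the four cases is whether the verifier already holds the issuer as a trust anchor.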