Http vs. https: Are certificates worth the trouble?

A place to ask questions and get help. Be the first on your block to post ...

Http vs. https: Are certificates worth the trouble?

Postby Erin Paseka » Fri Apr 25, 2008 10:54 am

I have some webforms (e.g., an RSVP form) that don't use SSL/https, and occasionally users ask why they don't see the little lock icon, or why their browser is telling them that things might be unsecure.

Correct me if I'm wrong, but as far as I can tell, a certificate only assures the user that the server is managed by the expected entity, sort of. It doesn't actually encrypt the form data, right? In the effort to keep data secure, isn't a "this webform is not a spoof" assurance small potatoes compared to encryption of data being sent/received, restriction of access to the server, safe data storage practices, etc.?
Erin Paseka
 
Posts: 147
Joined: Tue Jul 13, 2004 3:02 pm
Location: Graduate Studies

Postby bbieber2 » Mon Apr 28, 2008 9:24 am

a certificate only assures the user that the server is managed by the expected entity, sort of. It doesn't actually encrypt the form data, right?


Well... yes and no.

Having a certificate and posting the data with https & SSL means the data will be sent encrypted to the server. No matter what the signing details of the certificate state, it will still be sent encrypted over the wire (.... side note... there are different levels of encryption too).

But, as you allude to, the question of who owns the server that you're sending the data to is the larger problem of security on the web.

Who's to say that I can't call myself 'Wells Fargo' and put those details in the certificate? No one. I could certainly do that... but this is where the certificate authorities and signers come in. The big names in certificates (Thawte, Verisign etc) put their name on the line by doing the legwork to track down and verify that the person filing for the SSL certificate is who they say they are. Usually a phone call, mailing address confirmation etc.

When it becomes an issue is when a user accesses your site.... if your certificate is signed by one of the big guys ($$$), the secure access will just happen without much fanfare (just a lock icon, https address etc)... because the browser trusts these certificate signers. But, if you didn't spend the money for a certificate signed by a reputable authority, the user will be bombarded with questions -- "the site signed this certificate themselves!, check out the details, and know who you're submitting the data to before you send anything sensitive. Are you sure you want to continue..? Just this once, always?"

Now what I've said isn't 100% true, but that's my real feelings about security on the Internet and how it revolves around money.
There are many certificate authorities which are included by default in every browser, and a certificate signed by one of these certificate authorities will not raise any flags with the end user. You can see the list of authorities the Mozilla group trusts by going to Prefereces>Advanced>Encryption>View Certificates>Authorities in Firefox.

Some of these charge more, some less, and some are free. Some charge more for the level of encryption (128 bit, 256, 1024). Some charge by the details in the certificate - just server name is free, but if you want it to say "Big Barney's Bank & Trust at 1st & Broadway" it will cost you more.

I think privacy on the Internet should be free for everyone, and it is! But it all goes back to who really owns the server... if send data to wellsfrago.com - is that really sending it to the place I keep my money..? How do I know...? There's the certificate authorities, and recently services provided by Microsoft and Firefox to give you additional information about domains to prevent phishing etc.

If you control the server, it's really no big deal to add a self-signed certificate to get some level of security. But, the questions you receive from people saying "why isn't there a lock icon?" are probably less than the ones you'll get saying "It says I shouldn't trust your server because it's using a self-signed certificate."

We have some advantages, being in an educational institution. There are authorities which will give us signed ssl certificates for free - and, they are a 'trusted authority' by most modern browsers.
ipsCA is free for .edu I believe, and CAcert is free for everyone, but last I checked was only included by default in Firefox (this could be different by now).

http://certs.ipsca.com/
http://www.cacert.org/

Some others here can probably share some more experiences with certificates on the Internet, but that's how I'd summarize ssl certs.
bbieber2
 
Posts: 58
Joined: Mon Nov 05, 2007 1:28 pm


Return to Help & Assistance

Who is online

Users browsing this forum: No registered users and 1 guest

cron