[thelist] SSL Certificate Choices

Ken Schaefer Ken at adOpenStatic.com
Sun Jan 27 19:17:42 CST 2008

Are you kidding?

If you have a site targeted to the general public, and they browse to some supposedly "secure" page and are presented with a big red URL in their address bar, and some obscure warning, they believe that your site is secure?

And *no* you can't just put the whole intermediate chain on your server and avoid a warning. The root CA's cert must be in the user's trusted cert store. Some browsers can then request the required intermediate CA certs if they chain back to a trusted root CA that the browser already trusts (some mobile devices etc. can *not* do this, so you need to be aware of that if you are targeting anything other than desktop OSes).


-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Joshua Olson
Sent: Saturday, 26 January 2008 11:27 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] SSL Certificate Choices

> -----Original Message-----
> From: kasimir-k
> Sent: Friday, January 25, 2008 5:54 PM
> Using a free certificate the visitors must usually explicitly
> accept the CA as trusted. And if it is a site targeted to
> general public, the browser popping up a question "do you
> really trust this certificate authority?" does not appear
> too trustworthy...

I do not concur with the premise of this argument.  Free or inexpensive
certificates do not inherently present such a message--all that is required
to avoid the message is to put the intermediate certificates (the whole
chain) on the server.

Check out alphaSSL.
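
The two positions in this thread can be checked offline with the OpenSSL command line. The script below is an added example, not part of the original messages: it builds a constructed root, intermediate and leaf (all names are made up, and an installed `openssl` binary is assumed), then verifies the leaf the way a client with a fixed trust store would.

```shell
#!/bin/sh
# Constructed three-tier PKI (all names made up): root -> intermediate -> leaf,
# plus an unrelated root standing in for "the CAs the browser already trusts".
set -e

new_csr() {  # new_csr <basename> <common name>
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

sign() {  # sign <basename> <extra openssl x509 args...>
    name=$1; shift
    openssl x509 -req -in "$name.csr" -days 2 -out "$name.pem" "$@" 2>/dev/null
}

build_pki() {  # build_pki <dir>
    ( cd "$1"
      echo 'basicConstraints=critical,CA:TRUE' > ca.ext
      new_csr root  'Constructed Root CA'
      sign root  -signkey root.key  -extfile ca.ext
      new_csr other 'Unrelated Trusted Root CA'
      sign other -signkey other.key -extfile ca.ext
      new_csr inter 'Constructed Intermediate CA'
      sign inter -CA root.pem -CAkey root.key -set_serial 2 -extfile ca.ext
      new_csr leaf  'www.example.test'
      sign leaf  -CA inter.pem -CAkey inter.key -set_serial 3
      cat inter.pem root.pem > fullchain.pem )
}

# client_accepts <trust store> <leaf> [certs sent by server]
# openssl verify never downloads missing intermediates, so it behaves like the
# clients mentioned in the thread that cannot fetch them.
client_accepts() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

report() { if "$@"; then echo accepted; else echo rejected; fi; }

PKI=$(mktemp -d)
build_pki "$PKI"
cd "$PKI"
echo "root trusted, server sends intermediate:  $(report client_accepts root.pem leaf.pem inter.pem)"
echo "root trusted, server omits intermediate:  $(report client_accepts root.pem leaf.pem)"
echo "root untrusted, server sends whole chain: $(report client_accepts other.pem leaf.pem fullchain.pem)"
```

Only the first case is accepted: sending intermediates fixes a missing link below a root the client already trusts, but nothing the server sends can stand in for a root that is absent from the client's store.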

