[thelist] SSL Certificate Choices

Ken Schaefer Ken at adOpenStatic.com
Sun Jan 27 19:17:42 CST 2008


Are you kidding?

If you have a site targeted to the general public, and they browse to some supposedly "secure" page and are presented with a big red URL in their address bar, and some obscure warning, they believe that your site is secure?

And *no* you can't just put the whole intermediate chain on your server and avoid a warning. The root CA's cert must be in the user's trusted cert store. Some browsers can then request the required intermediate CA certs if they chain back to a trusted root CA that the browser already trusts (some mobile devices etc. can *not* do this, so you need to be aware of that if you are targeting anything other than desktop OSes).

Cheers
Ken

-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Joshua Olson
Sent: Saturday, 26 January 2008 11:27 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] SSL Certificate Choices

> -----Original Message-----
> From: kasimir-k
> Sent: Friday, January 25, 2008 5:54 PM
>
> Using a free certificate the visitors must usually explicitly
> accept the CA as trusted. And if it is a site targeted to
> general public, the browser popping up a question "do you
> really trust this certificate authority?" does not appear
> too trustworthy...

I do not concur with the premise of this argument.  Free or inexpensive
certificates do not inherently present such a message--all that is required
to avoid the message is to put the intermediate certificates (the whole
chain) on the server.

Check out alphaSSL.

Joshua
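
The disagreement above is easy to check with a throwaway chain: a client that only trusts the root accepts the leaf when the intermediate is served alongside it, rejects the leaf when it is served alone, and still rejects the whole chain (root included) when the root is not in its trust store. This is an added example, not code from either poster; it assumes the openssl command-line tool (1.1.1 or 3.x) is on PATH, and every name in it is made up.

```shell
# Build root -> intermediate -> leaf with throwaway keys and emulate a
# client that does not fetch missing intermediates on its own.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Issue a cert: $1 = file stem, $2 = subject CN, $3 = extension text,
# $4/$5 = issuer cert/key (omit both to self-sign a root).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
  printf '%s\n' "$3" > "$1.ext"
  if [ $# -eq 3 ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
      -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4" -CAkey "$5" -CAcreateserial \
      -days 1 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  fi
}

CA_EXT='basicConstraints=critical,CA:TRUE'
issue root  'Example Root CA'   "$CA_EXT"          # the root the CA really uses
issue other 'Unrelated Root CA' "$CA_EXT"          # a root that never issued anything here
issue inter 'Example Intermediate CA' "$CA_EXT" root.pem root.key
issue leaf  'www.example.test' 'basicConstraints=CA:FALSE' inter.pem inter.key

# Three things a server might send in the handshake (leaf first).
cat leaf.pem                    > served_leaf_only.pem
cat leaf.pem inter.pem          > served_with_chain.pem
cat leaf.pem inter.pem root.pem > served_with_root_too.pem

# $1 = the root the client already trusts, $2 = the bundle the server sent.
# Returns 0 when such a client would accept the leaf, 1 when it would warn.
# -no-CAfile/-no-CApath keep the system trust store out of the picture.
client_accepts() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" \
    -untrusted "$2" leaf.pem >/dev/null 2>&1
}

report() {  # $1 = label, $2 = trusted root, $3 = served bundle
  if client_accepts "$2" "$3"; then echo "$1: accepted"; else echo "$1: WARNING"; fi
}
report 'leaf only, root trusted'                  root.pem  served_leaf_only.pem
report 'leaf + intermediate, root trusted'        root.pem  served_with_chain.pem
report 'whole chain incl. root, root NOT trusted' other.pem served_with_root_too.pem
```

The second case is what Joshua describes (serving the chain removes the warning); the third is Ken's point (serving the root too does nothing if the client does not already trust it).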
