Most people want SSL to provide over the wire encryption for some of their data. The desired use of SSL is mainly restricted to protecting the logon form in a cookie based session management / authentication scheme. For this purpose, a certificate costing $1000 per year is over-kill and places the technology out of the reach of hobbyists and small-scale implementors.
If I am running an e-business site, my users might be interested to know that their credit card details are being sent to a company that has submitted it's legal status to the scrutiny of a CA. For somebody carrying out online monetary transactions, $1000 is probably a good investment.
The irony of the situation is that a web site that uses an SSL certificate based on a trusted CA is unlikely to provoke the user to review the validity of the certificate or site because it takes effort to review the security profile of the site. A site that uses a non-trusted certificate however, is immediately brought to the user's attention due to the prompt that appears.
It could be argued that a site that makes it quite clear that the user is being redirected to a page that will require them to accept a non-trusted certificate is no more harmful to the user experience than the sites that make you agree to pages of legal text before continuing. The user has the option of installing the certificate for future use. While not ideal, this approach gives over the wire encryption and raises awareness in end users.
In reply to Re: (OT) SSL Certificates: Self-Signing and Alternative Solutions
by inman
in thread (OT) SSL Certificates: Self-Signing and Alternative Solutions
by Anonymous Monk
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |