I provide support for a couple of web servers and have recently been asked to add SSL support to a couple of pages. Whenever you ask a user to provide a username and password, it's common sense to use SSL to encrypt their credentials: you never know who is listening to the traffic in order to capture those passwords from unsuspecting users.
<tangent> I am always surprised at how many web sites out there ask you to log in using a non-secure web page – how crazy is that? Imagine sitting at a coffee shop where anyone could be listening to your traffic. Never ever provide your username and password to a website that doesn't have an encrypted web page. </tangent>
To configure a website to support encrypted web pages it is necessary to purchase a certificate from one of the many certificate providers, such as VeriSign and GoDaddy. Well, I can say that I was shocked at the cost of certificates. I understand that a Certificate Authority is ensuring the encryption of the communication, but come on, it seems like a joke that they can charge so much money for this service. First of all, once the infrastructure is in place and the startup costs have been recouped, the revenue they make is almost all profit. Second, when is the last time someone cracked an SSL connection in order to steal information? The hacker would be more likely to go after a retailer's site through more common vulnerabilities.
So can a small company provide encrypted web pages without paying out the nose for certificates? Well, two options I am familiar with are to create a self-signed certificate on the web server or to request a certificate from StartCom.org. A self-signed certificate can be created using the Microsoft IIS Resource Kit tool called (appropriately) SelfSSL.exe (by the way, this is a free download). This tool is as easy as it can get, including a set of defaults that will help even the most novice administrator get up and running. StartCom can also provide you with a certificate that includes the extended features that come with using an actual Certificate Authority, such as Certificate Revocation Checking and Certificate Chaining.
Both free-certificate methods have an unfortunate side effect: your users will be presented with an ugly warning message in their browser. You may have run into this message when connecting to a website where the certificate has expired or didn't exactly match the name of the web address you entered in the address bar. Even though this is a serious flaw in the plan, it is still better than the alternatives.
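What the browser is actually doing when it shows that warning, as an added example that is not part of the original post: Go code (standard library only) that builds a self-signed server certificate of the kind SelfSSL.exe installs and then runs the three checks a browser performs before trusting a site. The host names, lifetime and the idea of "importing" the certificate into a trusted pool are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSigned builds an in-memory self-signed server certificate for host (a constructed stand-in for what SelfSSL.exe installs).
func makeSelfSigned(host string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the OS CSPRNG does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // browsers match the URL's host against these names
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// tmpl is both subject and issuer and signs with its own key: that is "self-signed".
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// browserWouldWarn mirrors a browser's checks (validity period, hostname, then a trusted issuer); trustIt=true models the user having imported the certificate.
func browserWouldWarn(cert *x509.Certificate, trustIt bool, host string, now time.Time) error {
	roots := x509.NewCertPool() // empty: a self-signed issuer is unknown to every browser
	if trustIt {
		roots.AddCert(cert)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err // nil means the page loads without the warning the post describes
}

func main() {
	now := time.Now()
	cert, err := makeSelfSigned("www.example.com", now.Add(-time.Hour), 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("first visit: ", browserWouldWarn(cert, false, "www.example.com", now))
	fmt.Println("after import:", browserWouldWarn(cert, true, "www.example.com", now))
	fmt.Println("wrong name:  ", browserWouldWarn(cert, true, "shop.example.com", now))
}
```

Passing a CurrentTime later than NotAfter to browserWouldWarn produces the expiry variant of the same warning; only the untrusted-issuer case is what importing the certificate fixes.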
Kim Cameron's Identity Weblog
Mon, Oct 29, 2007
Security, Technology