


Wed, 3rd Sep 2008

I’ll be adding lots of posts over the next few days, so please ignore the mess - the dates on them are unlikely to be accurate and I can’t be bothered editing each.



Wed, 3rd Sep 2008

From posts like this to the ensuing discussion on HN here and this thread on reddit, it does seem that the topic of SSL certificates is still a grey area, even for the usually savvy.

The debate began when Mozilla’s Firefox v3 was released with seemingly-sterner SSL certificate warning messages. No longer could users easily click the ‘I don’t care’ button for warnings about self-signed (and other ‘bad’) certificates. Johnathan Nightingale (of Mozilla) posted a Q&A on the issue here, explaining very well why Firefox behaves this way.

Firefox isn’t alone in this - IE7 no longer has a simple click-away error for certificate warnings, and I’m sure Opera shows something similar.

The upshot seemed to be that many users were unhappy with the warnings because it meant self-signed (read: free) certificates wouldn’t work for their users without several clicks to remove a nasty warning page.

Rightfully so.
The idea of representing self-signed certificates without any warnings is just ridiculous. A suggestion was to have the address bar appear normal, with some kind of ‘this site cannot be authenticated’ banner. Why not have a banner saying the site uses images? The site uses gzip to compress the HTTP data? The site is based in the USA? All these things have about the same bearing on the security of the site as an un-authenticated SSL certificate.

Repeat after me:
Encryption without identification is bad.
Few people - technically minded people, not average users - even realise that SSL provides both encryption AND a level of identity assurance.

Encrypting information is only useful if you know who you’re sending it to - otherwise there’s little point encrypting in the first place. And if you’re going to use SSL - do it right, and get a publicly-signed certificate.
‘I just want encryption!’ the cheapskates reply. Pony up the $20 for a cheap domain-validated certificate and be done with it. If the idea of encryption is important to you, do it properly.¹ Repeat after me: encryption without identification is worthless.

  • Self-signed certificates are fine for testing, but not in the real world. Just as you can use HOSTS file entries or your own DNS for testing, but have to buy a domain to get things working ‘on the internet’.
  • Self-signed certificates in real-world use are worse than no certificate at all - they create a false sense of security, which is exactly why Firefox doesn’t let you click away the SSL error too easily.
  • Certificates needn’t be expensive. Verisign’s certificate monopoly (supposedly) ended years ago - certs can be obtained from publicly-trusted roots for as little as $10-$30 if you hunt around.²

¹ Sadly, the cheapest option isn’t often the best. The DV certs will work, but I don’t consider them ‘proper’.

² Those cheaper certificates are DV or domain-validated certificates. They’re bad for another reason, but they won’t (yet) cause browser errors. Another post on that sometime later.
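
The ‘encryption without identification’ argument above, as an added example that is not part of the original post: a simplified Diffie-Hellman model (not TLS itself) in which the client either accepts whoever answers, as with a clicked-through self-signed certificate, or checks the peer against a fingerprint it already trusts, which stands in for a certificate signed by a trusted root. The class, the function names and the toy group parameters are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption): the Mersenne prime 2**127 - 1
# with generator 3. Real TLS uses standardised groups or elliptic curves.
P = 2**127 - 1
G = 3


class Party:
    """An endpoint holding a Diffie-Hellman key pair."""

    def __init__(self):
        self.private = secrets.randbelow(P - 3) + 2
        self.public = pow(G, self.private, P)

    def session_key(self, peer_public):
        """Derive the symmetric key this party shares with peer_public's owner."""
        shared = pow(peer_public, self.private, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def fingerprint(public):
    """Stand-in for a certificate the client can check against a trusted root."""
    return hashlib.sha256(public.to_bytes(16, "big")).hexdigest()


def connect(client, answering, trusted_fingerprint=None):
    """Return the client's session key, or raise if the peer cannot be identified.

    trusted_fingerprint=None models a clicked-through warning: the client
    agrees a key with whoever answered the connection.
    """
    if trusted_fingerprint is not None:
        if fingerprint(answering.public) != trusted_fingerprint:
            raise ConnectionError("peer identity could not be verified")
    return client.session_key(answering.public)


if __name__ == "__main__":
    client, server, someone_else = Party(), Party(), Party()
    # No identification: the key is strong, but it is shared with the wrong party.
    key = connect(client, someone_else)
    print(key == someone_else.session_key(client.public))
    print(key == server.session_key(client.public))
    # Identification: the same substitution is refused before any data is sent.
    try:
        connect(client, someone_else, fingerprint(server.public))
    except ConnectionError as exc:
        print("refused:", exc)
```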



Wed, 3rd Sep 2008

I like it.

I tried Wordpress, self-hosted. Got sick of updating the thing and its insecure mess of PHP. I tried Wordpress.com, but didn’t like paying so much just to customise my own site. Not to mention it seemed incredibly laggy to me.

An hour of template hacking, and I’m set up on Tumblr. It’s awesome. Now someone come up with a self-hosted version, and I’ll love you forever.



Sun, 3rd Aug 2008

If you must:

Email: nick [at-thingy] naftech [this is where the dot goes] net



Sun, 3rd Aug 2008

Me? I’m a nerd.


