Until now, if you had a private website which required a login or collected private data (for example a small online shop), you could create a self-signed certificate or a certificate signed by http://www.cacert.org/ for free. There would be a somewhat confusing error message in all browsers, but that wasn’t a big issue.
Now, let’s see what they did in Firefox 3 (Beta 1):
The website will not be displayed and there’s only a small link at the bottom (which most people won’t see). Clicking this unfriendly link requires you to confirm two additional questions and maybe do additional settings. In short, most people won’t be able to access your site at all.
So what are possible consequences of this change for private websites?
- They will stop using SSL. That’s the easiest way. Who cares about encryption? The user won’t notice anyway.
- They will use a certificate from http://cert.startcom.org/, which is the only certificate issuer I know which should not display this nasty error message. Unfortunately, if you want wildcards (i.e. make the certificate valid for all your subdomains), you still need to pay for a “Class 2″ certificate (http://www.startssl.com/), and most providers don’t give you enough IP addresses, but that’s another issue. So there’s no free solution for wildcard domains.
What could be done to avoid this problem?
- In my opinion, encryption and trust should be separated. It is more secure to visit a website which has encryption enabled than any other website without encryption. Ideally, every website would be transferred encrypted. If someone wants trust, i.e. allow people to see that your server is really your server, then he or she could buy a certificate. In the end, you can’t really trust any website (what, if the server has been compromised?), but encryption is always a good thing (your provider or your network administrator can’t read the data).
- CAcert should be included in mainstream browsers, which unfortunately doesn’t seem to be the case, not even in Firefox.
- There should be more free certificate issuers. You shouldn’t have to pay for encryption (or trust).
What’s your opinion about this topic?