I’m building a site that has pages with confidential information, and because of that, I use SSL to encrypt the information. But when the user enters the SSL environment (https), an annoying window appears with a security alert saying: “The certificate was issued by an organization, which you haven’t selected as trustworthy” How do I get rid of this message?
Fortunately for both of us, I have recently been chatting with Christian Barmala, one of the smartest people I know in the public cryptography field, and he supplied me with a detailed answer to your question:
SSL does two things: First, it encrypts the communication between client and server, so there is no use in tapping the line and wait for the user to type in his secret password. That’s what you want to do and that’s what works already despite the “annoying message”. But how can the user know that the web site, which asks him to type in his secret password actually belongs to you and isn’t an imitation meant to seduce him to disclose his password?
That’s where the other purpose of SSL comes into play. The certificate, which is installed on the server in order to enable SSL is supposed to be signed by a neutral 3rd party who vouches for your identity. You probably did a “quick and dirty default” install and used a “self signed certificate”. Technically there’s nothing wrong with this, but from a logical perspective, it means you vouch for yourself, which obviously doesn’t add any trustworthiness to your site.
The 3rd party, you need, is called a “Certificate Authority” or short “CA”. Technically everyone can be a CA. Actually that’s what you did already, since you issued a certificate to yourself. Very often the IT department operates a corporate Intranet CA and issues certificates for all machines, which belong to the organization. Only a few organizations however are considered trustworthy beyond the limits of their own organization. They are listed in your Web browser.
In MSIE you find them under “Tools | Internet Options | Content | Certificates | Trusted Root Certificate Authorities”. These are commercial organizations. If you ask them for a certificate, they do a more or less extensive check of your identity and charge you more or less money. This expense is adequate for e-business, but way too much for a private or non-profit projects.
Different attempts have been made to create a “community CA”, which is operated by volunteers from the Open Source community and which issues certificates to private people and non-profit organizations for free. The issue however is that operating a CA and vouching for other people involves a significant responsibility, while Open Source projects usually shift the responsibility along with the source code to the user. There is some contradiction in having a volunteer working for free, but obliging him to do various things in due time and making him responsible for the results.
Currently the most promising project is cert.StartCom.org. They have a commercial part to pay their bills and the have a free part to serve the community. At the moment of writing this article, they are not listed in your browser and you get the “annoying window”, but they filed the documents, which are necessary to request listing.
Thanks, Christian, for your detailed answer!