'Twas brillig, and Michael A. Peters at 16/02/09 00:10 did gyre and gimble:
> Colin Guthrie wrote:
>> 'Twas brillig, and German Geek at 15/02/09 22:32 did gyre and gimble:
>>> Please enlighten me why it is so expensive? Is it maybe just the hassle of
>>> setting it up?
>>
>> The whole thing is about trust. Getting a certificate is nothing if the system is not backed up by a trust system. If a CA was set up that gave out certificates willy-nilly to all and sundry, then this element of trust is lost.
>
> Cheap CAs do exist. They have crappy web sites and send you all kinds of junk mail etc. if you use them - but they do exist.
>
> I might end up just paying GoDaddy - I think they charge $12.00 / year, but since I already register through them, they already have my address etc.

Yeah, the cheap CAs are IMO actually a problem.

I (personally) think we should have a new system for this scenario:

http:// = totally insecure
https:// = secure and to a reasonable degree of trust (e.g. no $12.00 certs!)
httpus:// = secure but no aspect of trust.

httpus:// would support SSL in exactly the same way as https but the UA would simply not display the URL any differently to a standard http connection. This would give responsible developers the ability to provide SSL services where they only really care about the pipe and not the trust aspect.

The problem with the cheap certs is that people do not see much difference to the expensive ones, and this leads to the possibility of being hijacked. The weakest link is always the end user not knowing any better. The High Validation certs used by big companies at least show up differently in FF now, but if you were to replace it with a hijacked non-HV cert, there is still a good chance most users would still use it.

Sadly this isn't going to work without browser support though, and that's very unlikely to happen at all.

Col

--

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited [http://www.tribalogic.net/]
Open Source:
  Mandriva Linux Contributor [http://www.mandriva.com/]
  PulseAudio Hacker [http://www.pulseaudio.org/]
  Trac Hacker [http://trac.edgewall.org/]


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
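The pipe-versus-trust split Colin proposes is exactly the difference between a TLS client that verifies the server's chain against a root store and one that only encrypts. The following is an added example, not code from the thread or from any of the projects in the signature; it is in Go because the standard library can generate a certificate and run a TLS server with no external tooling. It spins up a server with a freshly generated self-signed certificate (constructed in memory, standing in for any cert a browser's root store does not know about) and dials it three ways: a strict client with an empty root store (the "https" policy when the issuer is untrusted), the same client after the issuer is added to its root store (the "https" policy with trust), and a client that skips verification entirely (the proposed "httpus" pipe-only policy). The tier labels, the hostname example.test and the function names are this example's own assumptions:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Labels for the three schemes in the message (names are this example's): https = encrypted pipe AND an
// identity vouched for by a trusted root; httpus = encrypted pipe, certificate never checked; refused = hung up.
const TierHTTPS, TierHTTPUS, Refused = "https", "httpus", "refused"

// startServer serves TLS on a random loopback port with a freshly generated self-signed certificate for example.test (constructed here; it stands in for any cert the client's root store does not know).
func startServer() (net.Listener, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail: we just produced this DER
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, nil, err
	}
	go func() { // clients below connect one at a time, so a sequential accept loop is enough
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			_, _ = c.Write([]byte("HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")) // forces the handshake
			c.Close()
		}
	}()
	return ln, leaf, nil
}

// connectTier dials addr under cfg and reports how a UA should present the result; VerifiedChains is populated only when the client actually checked the chain, so it separates the two tiers.
func connectTier(addr string, cfg *tls.Config) (tier, peer string, err error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", "", err // handshake refused, e.g. "x509: certificate signed by unknown authority"
	}
	defer conn.Close()
	st := conn.ConnectionState()
	peer = st.PeerCertificates[0].Subject.CommonName // what the server claimed, verified or not
	if len(st.VerifiedChains) > 0 {
		return TierHTTPS, peer, nil
	}
	return TierHTTPUS, peer, nil
}

// runDemo dials one server under three client policies and returns the tier each one reached.
func runDemo() (map[string]string, error) {
	ln, leaf, err := startServer()
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	addr, out := ln.Addr().String(), map[string]string{}
	// 1. Browser-style: an explicit (here empty) root store stands in for the UA's trust list.
	if out["strict"], _, err = connectTier(addr, &tls.Config{ServerName: "example.test", RootCAs: x509.NewCertPool()}); err != nil {
		out["strict"], out["strict-reason"] = Refused, err.Error()
	}
	// 2. Same policy once the issuer is in the root store: the pipe is identical, only trust changed.
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	if out["trusted"], _, err = connectTier(addr, &tls.Config{ServerName: "example.test", RootCAs: pool}); err != nil {
		return nil, err
	}
	// 3. Pipe-only: encrypt, but never ask who is on the other end.
	if out["pipe-only"], out["pipe-only-peer"], err = connectTier(addr, &tls.Config{InsecureSkipVerify: true}); err != nil {
		return nil, err
	}
	return out, nil
}

func main() { fmt.Println(runDemo()) }
```

The pipe-only client still receives a certificate and can read the name in it; what it never gets is a VerifiedChains entry, because nobody it trusts vouched for that name. That is the state a browser would have to render for "httpus", and the strict case shows what today's UAs do instead when the issuer is not in the root store: refuse. Adding a root to the pool is the only thing that moves a connection from refused to https, which is why who gets into that pool (and for how many dollars) is the whole argument.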
