A6H8PY7Y496C All things being equal, free is my favorite price range!
The caveat I would add is that things are almost never equal when we talk about free.
It might be tempting to use free “self-signed” certificates to implement SSL on your web site, unless you fully understand what you are not getting with it. We all know about what happens when we are penny wise!
When a user connects to an SSL site a message is sent with the certificate information required to setup a secured connection. It must include the name of the certificate "signer" which is either:
the creator of the certificate (self-signed) or
a third party called a Certificate Authority.
There are scams where hackers trick users into thinking they are connected to one site and they are actually communicating with another. This is a so called “man in the middle” scam where a hacker gets in between the communication between a browser and a web site.
Self-signed certificates leave your users vulnerable to these predators. It adds about as much value as “co-signing” a loan to yourself! It does nothing to avoid users providing personal and financial information to criminals engaged in fraud.
A Certificate Authority (CA) provides assurances to the browser that the site it intends to connect to is in fact that site. Only with a CA-signed certificate does the browser know that the key it receives to encrypt messages is from the actual owner of the site.
Because of this, most browsers will display a warning message that a site with an unsigned certificate may be a danger. The user can bypass the message, but it does not leave the user with a warm and fuzzy feeling about the site.
And the warning message is correct. If your web site has been hacked by a scammer your users are in peril if they proceed.
Let’s be crystal clear about this.
You NEVER want to use a self-signed certificate on a public internet site.
If you need secured communication for a “customer facing” web site, such as an e-Commerce site. You would be exposing your customers and your business reputation to unwarranted risk. Every time your customers visit your site their browser will remind them that you are not a trustworthy operation.
Free could turn out to be very costly, indeed!
So what about internal intranet sites? Do self-signed certificates ever make sense?
Yes, but you also need to be cautious before using them on intranet sites.
More and more employees are accessing intranet sites remotely though the internet, from outside the company firewall. That may create opportunities for the hackers if you do not use a signed certificate.
Furthermore, users will also be disturbed by the browser warnings. The risks aside, it does not create a professional appearance.
It is probably best to limit the use of self-signed certificates to test labs where the data entered is not real and the testers can be warned to ignore the browser messages.
The caveat I would add is that things are almost never equal when we talk about free.
It might be tempting to use free “self-signed” certificates to implement SSL on your web site, unless you fully understand what you are not getting with it. We all know about what happens when we are penny wise!
When a user connects to an SSL site a message is sent with the certificate information required to setup a secured connection. It must include the name of the certificate "signer" which is either:
the creator of the certificate (self-signed) or
a third party called a Certificate Authority.
There are scams where hackers trick users into thinking they are connected to one site and they are actually communicating with another. This is a so called “man in the middle” scam where a hacker gets in between the communication between a browser and a web site.
Self-signed certificates leave your users vulnerable to these predators. It adds about as much value as “co-signing” a loan to yourself! It does nothing to avoid users providing personal and financial information to criminals engaged in fraud.
A Certificate Authority (CA) provides assurances to the browser that the site it intends to connect to is in fact that site. Only with a CA-signed certificate does the browser know that the key it receives to encrypt messages is from the actual owner of the site.
Because of this, most browsers will display a warning message that a site with an unsigned certificate may be a danger. The user can bypass the message, but it does not leave the user with a warm and fuzzy feeling about the site.
And the warning message is correct. If your web site has been hacked by a scammer your users are in peril if they proceed.
Let’s be crystal clear about this.
You NEVER want to use a self-signed certificate on a public internet site.
If you need secured communication for a “customer facing” web site, such as an e-Commerce site. You would be exposing your customers and your business reputation to unwarranted risk. Every time your customers visit your site their browser will remind them that you are not a trustworthy operation.
Free could turn out to be very costly, indeed!
So what about internal intranet sites? Do self-signed certificates ever make sense?
Yes, but you also need to be cautious before using them on intranet sites.
More and more employees are accessing intranet sites remotely though the internet, from outside the company firewall. That may create opportunities for the hackers if you do not use a signed certificate.
Furthermore, users will also be disturbed by the browser warnings. The risks aside, it does not create a professional appearance.
It is probably best to limit the use of self-signed certificates to test labs where the data entered is not real and the testers can be warned to ignore the browser messages.