02-07-2016, 12:17 PM
(01-22-2016, 05:55 PM)Flippity Wrote:Could be. I think the issue is that obtaining a certificate that will automatically be accepted by most web browsers costs money. To get one, you normally have to verify your identity with the cert issuing authority. I seriously doubt someone running an IOP would wish to hand out their real ID etc. Even if they bought one, the issuer could revoke it once they were aware an IOP was using it. So for those reasons I would expect websites in that line of business to sign their own certs. These would check out cryptographically and secure your connection. But they wouldn't be automatically recognised by your web browser so that would generate a warning.(01-20-2016, 06:19 PM)barq Wrote: I wish more used https as well. However, if they bought a SSL certificate most browsers would automatically recognise then it could easily be revoked. If they issued a self-signed cert then customers would get a warning about the site being unsafe until they set a security exemption in their browser. From a technical perspective, neither of these is a show-stopper, but I can imagine it putting off customers. If Chrome/Firefox flashes up a warning about it not being safe to proceed, what percentage of customers will go somewhere else? I'm guessing a lot!
As always, great advice and excellent points you made regarding the SSL certs. That might explain why I was warned - cert expired?
There is a new project called Let's Encrypt, that will be offering easy SSL installation for websites and free certs. It is backed by a lot of big internet companies and privacy advocates like EFF. It will make the technical process of installing SSL much easier for websites and lower the hassle of getting a cert than will automatically work in browsers. So, https is going to become much more normal.

