Today I was internet-famous for slightly more than three minutes; just long enough for Richard Cambell and Carl Franklin to read and reply to a comment on an episode of the .Net Rocks Podcast.
Back in January, I left a comment on their website, regarding StartSSL and Let’s Encrypt, two providers of SSL certificates they’d mentioned during the show. Today, show 1287 came out, covering the topic of “InfoSec for Developers” and they used my comment (right about the 5:40 mark) as the segue to the conversation with their guest, security professional Kim Carter. (Interestingly, he turns out to be using security certificates from one of the sources I’d commented on.)
So if you don’t know that’s all about, an “SSL certificate” is one of the things you need in order to setup a secure website using HTTPS. This is part of what triggers the lock icon to appear when you’re viewing a secure web site. (You do look for that when buying things online, right?)
Richard made a valid point that a paid-for certificate really doesn’t get a whole lot more validation than what the free ones get, so if you’re able to take advantage of the free ones, there’s not really a lot of incentive not to. (it does leave the question of what extra value you get with a paid SSL certificate.)
The self-signed certificates mentioned in my question don’t have anyone vouching for their authenticity, though it’s not clear that the free or even the paid for certificates have anyone vouching for them either. There is another kind of certificate though, the “Extended Validation” certificate (which is what your bank should be using) which does involve some in-depth checking of identity.
One thing that does distinguish third-party (i.e. “real”) certificates from the self-signed ones is that if something goes wrong (e.g. the private key is stolen), a third-party certificate can be revoked. Since the webmaster is the only one vouching for a self-signed certificate, there’s no way to tell whether the person saying the certificate is valid is who they say they are. The third party certificates come from a source which has been validated, and there’s a secure chain of connections for verifying that the certificate can be trusted.