'Twas brillig, and Michael A. Peters at 16/02/09 00:10 did gyre and gimble:
Colin Guthrie wrote:
'Twas brillig, and German Geek at 15/02/09 22:32 did gyre and gimble:
Please enlighten me why it is so expensive? Is it maybe just the hassle of
setting it up?

The whole thing is about trust. Getting a certificate is nothing if the system is not backed up by a trust system. If a CA was setup that gave out certificates willy nilly to all and sundry, then this element of trust is lost.

Cheap CA's do exist. They have crappy web sites and send you all kinds of junk mail etc. if you use them - but they do exist.

I might end up just paying godaddy - I think they charge $12.00 / year, but since I already register through them, they already have my address etc.

Yeah the cheap CA's are IMO actually a problem.

I (personally) think we should have a new system for this scenario:

http:// = totally insecure
https:// = secure and to a reasonable degree of trust (e.g. no $12.00 certs!)
httpus:// = secure but no aspect of trust.

httpus:// would support SSL in exactly the same way as https but the UA would simply not display the URL any differently to a standard http connection. This would give responsible developers the ability to provide SSL services where they only really care about the pipe and not the trust aspect.

The problem with the cheap certs is that people do not see much difference to the expensive ones and this leads to the possibility of being hijacked. The weakest link is always the end user not knowing any better. The High Validation certs used by big companies at least show up differently in FF now but if you were to replace it with a hijacked non HV cert, there is still a good chance most users would still use it.

Sadly this isn't going to work without browser support tho' and that's very unlikely to happen at all.



Colin Guthrie

Day Job:
  Tribalogic Limited [http://www.tribalogic.net/]
Open Source:
  Mandriva Linux Contributor [http://www.mandriva.com/]
  PulseAudio Hacker [http://www.pulseaudio.org/]
  Trac Hacker [http://trac.edgewall.org/]

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to