owen

Any administrator of a web server knows that SSL (Secure Sockets Layer) certificates are an evil reality in the world of the web. A certificate is required on the server before it can offer secure (HTTPS) communication between the server and the web browser. But to obtain a certificate, an administrator must often pay in excess of $100 per domain. Why is this so expensive?

Fundamentally, a certificate serves two purposes. First, and most obviously, it carries the server's public key, which the browser uses to set up the encrypted session that protects the data passing between the two computers in the conversation. Second, it is a statement by whoever issued it that the server presenting it is the server to which the certificate was issued.

The first job is done equally well by any certificate, including one you sign yourself. The encrypted tunnel between the browser and the server keeps eavesdroppers from reading the information sent between them, and no certificate authority is needed to create it. The catch is that encryption alone only tells the browser that it is talking privately to somebody: without the second job, someone sitting between the browser and the server could present his own certificate and the tunnel would end at him. To know that the certificate really belongs to the server it names, you need a third party the browser already trusts to vouch for that identity. And that's where the certificate authorities are catching on and giving us admins the shaft.

But what can we do? If the technology is so simple, why are certificate authorities charging so much? I'm not sure why they're so expensive. There are some places you can get cheaper SSL certificates, like GoDaddy, but to use the big names you're going to pay through the nose.

So why aren't there any issuers of free SSL certificates? Well, there are.

StartCom and CAcert offer free SSL certificates that work exactly the same way as any certificate you would find on any other site. The trouble is that your browser does not recognize them as certificate authorities, so the certificates they issue are not trusted by your browser either. A certificate authority's root certificate has to ship with your browser for the browser to trust anything that authority signs. Because that is not the case here, your browser will always treat certificates issued by these services as suspect, unless you explicitly instruct it to trust their roots.

Microsoft and the Mozilla team would have you believe that these free issuers cannot be trusted, but I can't imagine why. Both services have issued thousands of free certificates to users who can't or won't pay for the big-name certs. All of these certificates work as soon as you trust the issuer, which is often as simple as visiting a web site and confirming the addition of a new certificate authority to the browser's certificate store. The catch is that this has to be done on every browser that will visit your site; it fixes your own machine, not your visitors'.

Is there some kind of conspiracy against free authorities to keep the rates up for all the other providers? Maybe I'm paranoid, but that's how it sounds to me.

Until the browsers start to support these root certificates, though, I think I'm out of luck. I'll end up paying $29/year at GoDaddy for something that I barely use, just like everyone else.