SSL certs are an untrusty ransom based on the tyranny of bad UI.
FF, and chrome and IE are totally ok with login/pass passing in clear over http, which is wrong.
But when you don't have a certificate signed with by one of the root certificate in your wallet it screams to death. (Which is totally in hierarchy of risk WTF).
Your wallet contains organization that should have been shut down according to the rules of SSL: we normally cannot trust any authority that even once or for good reasons emitted a joker certificate to make a MITM (or helped people doing so).
https://news.ycombinator.com/item?id=2138565
In your web browser default certificates list you find microsoft. in 2007, they put in IE for the Ben Ali gvt a special certificate to be able to do a MITM on the tunisian opponents. (ofc those using ff would see a warning).
MS did not emit the certificate, but for them who can issue SSL certificates that's clear not right to provide a SSL joker root certificate in its web browser used for MITM (without your nice little icon you care about to get red).
MS is still in my list of trustful SSL certificates. How can you trust them. If they could betray once for a few money (tunisia had less money as a state than MS, google, whatever country) they have incentive to redo it again.
Knowing MS has gone through the death penalty, other SSL issuers can now have an incentive to do the same.
SSL central certificate are NOT to be trusted anymore. We have proofed once a company in our "trustfull" wallets betrayed without consequence. So betraying is OK.
My recommandations:
- Ever dane (but that is a combinat) or the new technology google is secretly working on (maybe mozilla too),
- set a cookie on http landing page ssl_cert_on=bool
- if not present redirect to http://www/my_cert
- give a link to your self signed certificate on your domain so that your user add it its wallet securely (must be a js or a MIME extension to set so that IE/FF/google open at the "add this certificate to your wallet page"
- correct the world and FF/Chrome/IE mess by providing a way for the user to read the mess of the X509 certificate (for which domain this cert is valid, the fingerprint)
- correct the world another time by explaining to your customers it is normal they should not trust this special web page or this certificate and give them links for them to check your allegation, (knowledge and tools)
- provide another secured way to access your cert fingerprint (DNS SEC TXT record for instance, snail mails, flying carrier, PGP mails...)
- and make a rant on how much security UI/UX is so much sucking and poorly thought that it is the major security hole nowadays and how all security guru giving us advice on how to code to "secure" code should be regarded as cons that should be imprisoned.
Then, now that you corrected the whole "what gone wrong with central authoriy"'s mess, you can very easily make your free self signed cert secure certificates and sleep on your 2 ears because your customers are now understanding security the right way.
If you understood nothing of the text above, just buy a normal certificate to whoever you want. You will be "safe" according to the green icon, and this is all that matters in the real world.
FF, and chrome and IE are totally ok with login/pass passing in clear over http, which is wrong. But when you don't have a certificate signed with by one of the root certificate in your wallet it screams to death. (Which is totally in hierarchy of risk WTF).
Your wallet contains organization that should have been shut down according to the rules of SSL: we normally cannot trust any authority that even once or for good reasons emitted a joker certificate to make a MITM (or helped people doing so). https://news.ycombinator.com/item?id=2138565
In your web browser default certificates list you find microsoft. in 2007, they put in IE for the Ben Ali gvt a special certificate to be able to do a MITM on the tunisian opponents. (ofc those using ff would see a warning).
MS did not emit the certificate, but for them who can issue SSL certificates that's clear not right to provide a SSL joker root certificate in its web browser used for MITM (without your nice little icon you care about to get red).
MS is still in my list of trustful SSL certificates. How can you trust them. If they could betray once for a few money (tunisia had less money as a state than MS, google, whatever country) they have incentive to redo it again.
Knowing MS has gone through the death penalty, other SSL issuers can now have an incentive to do the same.
SSL central certificate are NOT to be trusted anymore. We have proofed once a company in our "trustfull" wallets betrayed without consequence. So betraying is OK.
My recommandations: - Ever dane (but that is a combinat) or the new technology google is secretly working on (maybe mozilla too), - set a cookie on http landing page ssl_cert_on=bool - if not present redirect to http://www/my_cert - give a link to your self signed certificate on your domain so that your user add it its wallet securely (must be a js or a MIME extension to set so that IE/FF/google open at the "add this certificate to your wallet page" - correct the world and FF/Chrome/IE mess by providing a way for the user to read the mess of the X509 certificate (for which domain this cert is valid, the fingerprint) - correct the world another time by explaining to your customers it is normal they should not trust this special web page or this certificate and give them links for them to check your allegation, (knowledge and tools) - provide another secured way to access your cert fingerprint (DNS SEC TXT record for instance, snail mails, flying carrier, PGP mails...) - and make a rant on how much security UI/UX is so much sucking and poorly thought that it is the major security hole nowadays and how all security guru giving us advice on how to code to "secure" code should be regarded as cons that should be imprisoned.
Then, now that you corrected the whole "what gone wrong with central authoriy"'s mess, you can very easily make your free self signed cert secure certificates and sleep on your 2 ears because your customers are now understanding security the right way.
If you understood nothing of the text above, just buy a normal certificate to whoever you want. You will be "safe" according to the green icon, and this is all that matters in the real world.