free encryption certificates and encrypting elgg sites

i have read some of the threads here where questions have been raised about the wisest approach for using encryption and certificates with elgg. the conclusion is that encryption is necessary for logins as a minimum. 

since, like domain names, the 'trust' industry has already been hijacked by ones i don't trust; who offer to sell certificates of trust and the browsers offer alerts that your site is not 'trusted' if you use a 'self generated' certificate.. does anyone here have any ideas i may not be aware of, of how to run a free certificate without triggering the browser 'UNSAFE SITE' warnings?

i know there are one or two groups that claim to offer free certificates.. without naming names, i attempted to begin setting up a certificate with them and one group only offered the service if you are within the usa border and the other (who i spoke to by phone) seemed highly untrustworthy themselves!

i really don't see how paying a group that you have never met to issue you with their brand of certificate is any type of guarantee of security at all. with this system in place, sites that attempt to activate encryption for free, even with encryption certificates that are of greater ability than the 'paid for' ones, will be identified as being 'threats'.. when in reality they are safer.. i am wondering if this is actually part of the plot to de-rail encryption algorithms and thus to prevent real encryption being used, while earning large amounts of cash.

  • you need a static ip for your domain to set up a free certificate : ) if you get a static ip you can get it free costs around 20 - 30 dollars a year then the cost of a paid ssl cert or use your own with a free service which is possible

  • do you have experience of a free service for certificates which is effective?

  • for anyone who is also wondering about this, i found this helpful page about self-signing certificates after some searching:

    http://www.clintharris.net/2009/self-signed-certificates/

    i have created a self signed certificate and installed the certificate on my own pc and identified my site as a certificate authority - which means that i can login via an encrypted connection.

    for anyone else to login via ssl using this certificate will require them to receive the certificate file directly somehow, whether through usb key/cd or some type of safe online transfer.

    this might sound like an unworkable solution, yet do you REALLY know how secure your encrypted connections are with other sites when you use them? mostly, no.. you just 'trust' the software..
    so the alternative is to use real 'person to person' connection and trust to share the certificates offline - or to find a way to do it online.. 
    i continue to explore - this is about more than just saving $30 per year.

  • does your certificate say not trusted etc when browsing to your site with google chrome for example? are you using a dedicated ip?

  • i am using a dedicated IP yes. you could use the no-ip service to effectively convert a dynamic IP to a static IP for free if you need to.

    if you read the page i linked you will see that the 'big red warning pages' are shown when connecting via ssl with a browser that does not have a trusted certificate for that site installed. if you look in your browser's options you will find a list of the certificates you have 'gathered' or that came with the browser when you installed it. to stop the big red warnings you need to get your site's certificate in that list somehow - that is all you are paying for when you pay for an ssl certificate.

    as far as i am aware, if i share my certificate via a trusted site, such as ubuntu-one's file sharing service - i can simply give the link to the certificate to my site's users and they can install it in their browser and they will then be able to login without the big red warnings appearing.
    this way ensures that the 'trust' is not broken (although i do not trust any of these corporations at all presently - many are conditioned to do so blindly).

    e.g. you can download the certificate for my site here: https://ubuntuone.com/74KISY6vvkaBrS6TPm84lq

    and then install that in your browser in 4 clicks or so.. and that will be that.
    so yes, i can view my site via https without the red warnings now.. 
    you just need to engage your site's users a little more - which is good for us all as we won't all be so ignorant about what encryption is and how to use it effectively (if that is even possible!).
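
An added example, not part of the thread: a self-signed certificate fetched from a download link is only as trustworthy as that link, so a user can compare the file's SHA-256 fingerprint with one the site owner gives them over a separate channel before installing it. The function names and the stand-in certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl


def fingerprint_sha256(pem_text: str) -> str:
    """SHA-256 over the DER bytes of a PEM certificate, as lowercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha256(der).hexdigest()


def normalise(fp: str) -> str:
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex, as a browser or a person gives it."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")


def safe_to_install(pem_text: str, fingerprint_from_owner: str) -> bool:
    """True only if the downloaded file matches the out-of-band fingerprint."""
    expected = normalise(fingerprint_from_owner)
    if len(expected) != 64:          # truncated or mistyped fingerprint: refuse
        return False
    try:
        actual = fingerprint_sha256(pem_text)
    except ValueError:               # not PEM, or corrupted base64
        return False
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for the downloaded file: arbitrary bytes in PEM armour,
# not a real certificate. The fingerprint is computed the same way either way.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    fp = fingerprint_sha256(SAMPLE_PEM)
    spoken = ":".join(fp[i:i + 2] for i in range(0, 64, 2)).upper()
    print("owner reads out:", spoken)
    print("genuine file   :", safe_to_install(SAMPLE_PEM, spoken))
    swapped = ssl.DER_cert_to_PEM_cert(SAMPLE_DER[:-1] + b"\x00")
    print("swapped file   :", safe_to_install(swapped, spoken))
```
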

  • i see nice info at this time i have spent too much money on hosting packages lol and need to upgrade another host package i have at wholesale prices but still its money, so when i get a dedicated ip i may do this to save 30 dollars for a ssl cert for 1 year thanks for the info again i will use this page for reference add any more info eg: for me, for dummies lol basic instructions you feel need to be added in case this all sounds too much though you have covered just about everything here :) basically get a dedicated ip and the rest is free is what you're saying?

  • i think you do not necessarily even need a dedicated IP - however, i cannot confirm that from experience as i have not run the no-ip software for a server connection - only for a home connection.

    i am learning here too, however, yes.. as far as i am aware 'the rest is free' - the only downside is that your site's users will need to take an extra step that they would not do with many corporate sites that just pay another corporation to 'say they're ok, digitally', so to speak. however, i 'think' that overall this is actually a more secure option than using the corporate 'trust' approach since you are dealing with real members of your community rather than a faceless corporate entity.
    i am open to be shown what i am missing here. ;)

  • i see : ) for me i would need a dedicated ip and you can get free certificates from lots of places though i may just buy 1 from my own hosting company as wholesale price to save the hassle though it is something i have looked into before and tried it is easy to do all you need is a dedicated ip and the rest is simple depends on yourself

  • so far i have not found a source of free certificates that equals or improves on making your own

  • if you have a dedicated ip a few doors are opened for you : )

    comodo will give you 3 months for free

    https://secure.instantssl.com/products/frontpage?area=ssl

    also

    https://www.startssl.com/?app=1