free encryption certificates and encrypting elgg sites

i have read some of the threads here where questions have been raised about the wisest approach for using encryption and certificates with elgg. the conclusion is that encryption is necessary for logins as a minimum. 

since, like domain names, the 'trust' industry has already been hijacked by ones i don't trust, who offer to sell certificates of trust, and the browsers show alerts that your site is not 'trusted' if you use a 'self generated' certificate.. does anyone here have any ideas i may not be aware of, of how to run a free certificate without triggering the browser 'UNSAFE SITE' warnings?

i know there are one or two groups that claim to offer free certificates.. without naming names, i attempted to begin setting up a certificate with them and one group only offered the service if you are within the usa border and the other (who i spoke to by phone) seemed highly untrustworthy themselves!

i really don't see how paying a group that you have never met to issue you with their brand of certificate is any type of guarantee of security at all. with this system in place, sites that attempt to activate encryption for free, even with encryption certificates that are of greater ability than the 'paid for' ones, will be identified as being 'threats'.. when in reality they are safer.. i am wondering if this is actually part of the plot to derail encryption algorithms and thus to prevent real encryption being used, while earning large amounts of cash.

  • i used the comodo service for 3 months free, yes.. though obviously that is not sufficient.

    the startssl.com approach is also flawed in that they only provide a low level of encryption, they limit the usefulness of the free certificate and, as i recall, when i spoke with them at their office in Israel, the one i spoke with there was unable to demonstrate sufficient knowledge of law/legalities to be able to be classed by me as 'worthy of trust with regards to the security of my site'.

    this is a bit like going to court and using a lawyer.. a lawyer might appear on the surface to be the wisest choice but in reality you are standing up and saying 'i cannot think for myself, i need someone to control my life'.

  • oh i see you have done your research ^_^ let me know if you find anything better please or just tell me what you posted is the best available right now

  • sure ok, so far this is the best approach i know of... for freeness.
    i would add to the walkthrough that i posted, a way to use different, more secure encryption methods.. though presently i have not researched deeply into those.
    the only downside here is that the users need to learn about certificates and actively download and install one. you could advertise that as a feature and show that it is a benefit, not a pain. ;)

  • nice, good info ura soul : ) i actually sell ssl certificates ^_^ my prices start from 25.95 USD to 570.00 USD, and i am quite sure you need a dedicated ip too, so in all it would cost 25 to 30 dollars a year for a dedicated ip and 25 for ssl, so basically 50 dollars a year is the price i think

  • ok, so you know first hand all the hard work that goes on in the certificate factories.. lol.. ;)
    from what i have seen, to get the 'green bar' in some browsers requires more than the lowest price level of certificate. unless you are bothered about that, those with the lowest price could be used.
    though from what i have learned about the algorithms used in most certificates, they only protect you from non-specialist and non-adventurous 'data thieves'.. especially since the encryption processes have been crippled 'by design' by the various corporations.

  • i just wrote a first version of a page for my site that explains the situation here.

    if anyone has any comment or sees any errors i am making in this approach, then i would appreciate the assistance!

  • here's a video explaining how the entire ssl system has already been defeated.
    http://www.youtube.com/watch?v=ibF36Yyeehw

  • i updated the page on my site to include the previous video. (http://www.infiniteeureka.com/browser-security)

    i am thinking now that all connections to the entire site need to be encrypted.

    except, i notice that to do that REQUIRES that you use a corporate sanctioned certificate to prevent the big warning notices which will put off a lot of less well informed visitors.

    so the 'trust' system reveals itself yet again to be little more than a cash cow and marketing facade.
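The two posts above (the walkthrough where visitors download and install a certificate, and the later point that site-wide https without a browser-trusted certificate means warnings) both come down to one mechanical fact: a browser accepts a certificate only if it chains to a CA in the trust store it is using. The script below is an added example, not code from this thread or from Elgg: it creates a private CA with openssl, issues a server certificate for a placeholder host (elgg.example, an assumption), then verifies that certificate twice, once against a store that contains the private CA and once against a store that does not. The first check passes and the second fails, which is the difference between a visitor who has installed your CA certificate and one who has not. File names, the working directory and the config file are all this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Elgg thread): a private CA, a server certificate
# signed by it, and a trust check that only succeeds when the verifier's
# store contains that CA. Host "elgg.example" is a placeholder.
set -eu

WORK="$(mktemp -d)"

# Generate a self-signed CA and a server certificate signed by it.
# ca.crt is the file visitors would have to import into their browser.
make_site_cert() {
    host="$1"

    # Minimal req config so the run does not depend on the system openssl.cnf.
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # 1. CA key and self-signed CA certificate (RSA 2048, SHA-256, 10 years).
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/req.cnf" -subj "/CN=Private CA for $host" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

    # 2. Server key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/req.cnf" -subj "/CN=$host" \
        -keyout "$WORK/site.key" -out "$WORK/site.csr" >/dev/null 2>&1

    # 3. The CA signs the CSR. Browsers match the host name against the
    #    subjectAltName, not the CN, so the SAN extension is required.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" \
        > "$WORK/site.ext"
    openssl x509 -req -in "$WORK/site.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 825 -sha256 -extfile "$WORK/site.ext" \
        -out "$WORK/site.crt" >/dev/null 2>&1
}

# Verify the server certificate against a given PEM trust store.
# Prints "trusted" when the chain verifies, "untrusted" otherwise.
check_trust() {
    store="$1"
    if openssl verify -CAfile "$store" "$WORK/site.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_site_cert elgg.example

# An unrelated self-signed certificate stands in for a trust store that does
# not contain our CA, i.e. the default store of a visitor's browser.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/req.cnf" -subj "/CN=Some other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1

echo "with our CA in the store:    $(check_trust "$WORK/ca.crt")"
echo "with an unrelated CA only:   $(check_trust "$WORK/other.crt")"
```

Run it as-is with openssl on the PATH; the first line prints "trusted" and the second "untrusted". Point the web server at site.crt and site.key, publish ca.crt for visitors to import, and the warning disappears only in browsers that imported it; for everyone else the second case is what they see.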

  • more on the certificate issue: http://www.youtube.com/watch?v=pDmj_xe7EIQ

    this one includes pointing to the low standards of comodo