free encryption certificates and encrypting elgg sites

i have read some of the threads here where questions have been raised about the wisest approach for using encryption and certificates with elgg. the conclusion is that encryption is necessary for logins as a minimum. 

since, like domain names, the 'trust' industry has already been hijacked by ones i don't trust; who offer to sell certificates of trust and the browsers offer alerts that your site is not 'trusted' if you use a 'self generated' certificate.. does anyone here have any ideas i may not be aware of, of how to run a free certificate without triggering the browser 'UNSAFE SITE' warnings?

i know there are one or two groups that claim to offer free certificates.. without naming names, i attempted to begin setting up a certificate with them and one group only offered the service if you are within the usa border and the other (who i spoke to by phone) seemed highly untrustworthy themselves!

i really don't see how paying a group that you have never met to issue you with their brand of certificate is any type of guarantee of security at all. with this system in place, sites that attempt to activate encryption for free, even with encryption certificates that are of greater ability than the 'paid for' ones, will be identified as being 'threats'.. when in reality they are safer.. i am wondering if this is actually part of the plot to de-rail encryption algorithms and thus to prevent real encryption being used, while earning large amounts of cash.

  • i am now paying 2 or 4 dollars a month monthly for a dedicated ip : ) using rapid ssl free 30 day trial, then gonna buy a cert from my host, 25 dollars a year i think it is. would love free ssl, need to work it out.

     

  • @ura That ssl validation tool is definitely the best one I've seen so far. 

     

  • yes, the ssllabs.com test is a very detailed one.. 
    i just ran their test against startssl.com out of interest to see what they are providing and using for their own site.
    while the 'grade' is 'A' - they do not support forward secrecy which is a considerable weakness in security at this point. in fact, their overall support of features is below standard.

    this is why i like CAcert, since you can create your own certificate, which in my opinion is how this should be done. so for now, we can either have strong encryption and browser messages claiming we are not trusted.. or we can have breakable encryption and have everyone see logos that say we are 'trusted'...
    noo... definitely no conspiracy there... move along, nothing for you to see here.

  • am gonna pay for 1 as soon as my rapid ssl trial runs out, saves the hassle lol

  • from what i have seen, there are many paid services which are no better than the free startssl service..

  • but is start ssl trusted by all browsers etc? i read online that they are not, do you use start ssl? as people who have no clue about the internet will not visit sites giving warnings : (

  • i have not used startssl, i have read through their site, spoken to one of their agents and analysed their own site using the ssl analysis tool i linked to.

    i have not seen that startssl is not trusted in all browsers.. i thought it was/is..
    the issue with them is that they are apparently not 'cutting edge' enough.. though i do not know the full details since i do not have a certificate via them.
    if you create your own certificate you will be in the best and most agile position with regard to strong encryption.. plus that is free..
    the only issue is getting your certificate into the 'trusted' category..
    that is something i have not found a 100% answer for yet.
    presently my site uses CAcert.org.. which is free.. and recognised by some browsers.. but no mozilla yet.
    mozilla users can download the CAcert root certificate easily.

  • hmm very interesting soooo which is best startssl or CAcert ? ^_^ i will have to try start ssl and see how it goes as they say they are now trusted by all browsers well i think they said that

  • i would begin with startssl just to see how they are, yes.

    if they allow you to use stronger encryption than they themselves are using on their own site (which can be configured, for example, in nginx config files if you use nginx), then they may be worth using until a better solution arises.
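
Forward secrecy, which the ssllabs.com report discussed above checks for, is decided by the cipher suites the web server enables. The following added example (not part of the original thread) expands an OpenSSL cipher string, the syntax nginx's `ssl_ciphers` directive takes, and flags every suite that lacks an authenticated ephemeral key exchange. The function name and the sample cipher strings are constructed for illustration.

```python
import ssl


def audit_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string and split the enabled suites into
    (forward_secret, flagged) lists of suite names."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Raises ssl.SSLError if the string selects no cipher at all.
    ctx.set_ciphers(cipher_string)

    forward_secret, flagged = [], []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        # TLS 1.3 suites (TLS_...) always use an ephemeral (EC)DHE exchange.
        # In TLS 1.2 the ECDHE-/DHE- prefix marks an ephemeral exchange.
        if name.startswith(("TLS_", "ECDHE-", "DHE-")):
            forward_secret.append(name)
        else:
            # Static RSA key exchange, PSK-only and anonymous suites land here.
            flagged.append(name)
    return forward_secret, flagged


if __name__ == "__main__":
    # Constructed sample values, as they might appear after "ssl_ciphers"
    # in an nginx server block.
    samples = {
        "ephemeral only": "ECDHE+AESGCM",
        "mixed": "ECDHE+AESGCM:AES128-GCM-SHA256",
    }
    for label, value in samples.items():
        ok, bad = audit_cipher_string(value)
        print(f"{label}: {len(ok)} forward-secret suite(s)")
        for name in bad:
            print(f"  no forward secrecy: {name}")
```

The TLS 1.3 suites appear in every result because Python's `set_ciphers()` does not change the TLS 1.3 suite list.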