free encryption certificates and encrypting elgg sites

i have read some of the threads here where questions have been raised about the wisest approach for using encryption and certificates with elgg. the conclusion is that encryption is necessary for logins as a minimum. 

since, like domain names, the 'trust' industry has already been hijacked by ones i don't trust; who offer to sell certificates of trust and the browsers offer alerts that your site is not 'trusted' if you use a 'self generated' certificate.. does anyone here have any ideas i may not be aware of, of how to run a free certificate without triggering the browser 'UNSAFE SITE' warnings?

i know there are one or two groups that claim to offer free certificates.. without naming names, i attempted to begin setting up a certificate with them and one group only offered the service if you are within the usa border and the other (who i spoke to by phone) seemed highly untrustworthy themselves!

i really don't see how paying a group that you have never met to issue you with their brand of certificate is any type of guarantee of security at all. with this system in place, sites that attempt to activate encryption for free, even with encryption certificates that are of greater ability than the 'paid for' ones, will be identified as being 'threats'.. when in reality they are safer.. i am wondering if this is actually part of the plot to de-rail encryption algorithms and thus to prevent real encryption being used, while earning large amounts of cash.

  • i might just buy from arvixe a ssl they use rapid ssl it seems quite good though is it better than startssl?

  • personally i am not aware of any value that is added by paying for a certificate from anyone as compared to a free option.
    as far as i am aware, as i have said many times here already - the best encryption is commonly found through self configured certificates since the commercial ones usually use non-strong encryptions while claiming they are strong.
    the only benefit of paying for a certificate is that of 'trust' - and why would you trust a corporate group who sells you non-strong certificates that you can generate for free? i do not!

  • lol you got me there, but that warning is not good can you switch to startssl as i went to your site using chrome and got a warning.

    Switch to startssl i have researched and they say they are trusted by all browsers right now so would love to see what your feedback is, i will test it for you as well let you know i am sure chrome will not come up as untrusted cert using chrome browser.


    RE: Warning

    The site's security certificate is not trusted!
    You attempted to reach, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications.
    You should not proceed, especially if you have never seen this warning before for this site

  • i think the only way you could have seen that warning is if you either logged in to my site or you reached the site using the prefix of https://

    currently my site only uses https during the login and i do not give out links to any urls beginning with https://
    so in most cases no-one would see the warning page.. they may see it when they sign-in in some cases.. i agree that this is not a great situation.. what operating system did you use? and chrome version?
    my version of chromium (gnu/linux/debian/mint) is fine here and recognises the certificate.. 

    i may try out startssl at some point anyway, yes.

  • ah i see, xp latest chrome , switch to startssl from the reviews it is a much better service and more trusted, let me know please and ask me i will test for you too, i can't use a cert that gives warnings, as people who have no clue will be like omg its a virus its gonna kill mee! lol you know what i mean, not everyone knows about the internet like most elgg users etc : )

  • i just began the process of creating a startssl certificate here as a test and remembered why i didn't go through with it when i looked at it months before. the issue for me is a general one relating to 'legal names'.. i spoke with their agent about this and he basically laughed at me while being unable to answer my questions (while i was sat in front of a dictionary used in law to be certain i used the right terms).. this is because i use a name which is not on any government documents and while there is (to my knowledge) nothing in any alleged law where i am that says i need to do something in particular for a name to be a 'legal name' - some of us are not aware of the situation and make unnecessary requests such as that the name is 'the one on the birth certificate' etc.. 
    this is beyond the scope of this thread really.. but that is the reason i didn't use them initially anyway.

    i will see what they do this time.

  • right ok, i have installed a startssl tracked cert now..
    site is labelled as A and fully trusted:


    site is now fully https.

    now i need to find out why some items are being served non https.. and also tweak the settings to make it optimally secure.

  • ah the elgg en language file is being loaded over http instead of https for some reason..