Certificates: To Sign or Not to Self-Sign

Last week’s discussion of SSL/TLS brought up the subject of encryption. Since encryption is a relatively simple concept (pertaining to a complex process), I will move on to a related concept which is not as commonly understood: certificates. The encrypted connection depends on them, not for the scrambling of the traffic itself, but for proving that the key exchange is taking place with the site you intended to reach.

As with most certificates, website security certificates indicate that things are what they claim to be. When I visit a website, my computer asks the website for its certificate. The certificate carries the site’s public key; my computer uses it to check that the other end of the “handshake” really holds the matching private key, and the two sides then agree on a session key that only my computer and the website know. In this way, the certificate allows my information to be transmitted to the website over an encrypted connection. This is very important, but there is another reason my computer asks for a certificate from the website I’m visiting.

The importance of an encrypted connection can’t be overstated in light of the dangers of identity theft and internet fraud. However, my computer also wants to know that the website I’m visiting is what it claims to be. For instance, a website masquerading as a charity site might be able to receive funds from donors fraudulently if the site is not really owned by the charity it claims to represent. Encryption alone does not prevent this: an impostor can encrypt just as well as the real site. So my computer asks for a certificate signed by a Certificate Authority it already trusts, rather than a certificate that was created and self-signed by the owner of the website, because anyone can self-sign a certificate for any name they like.

Websites that are well known and trusted by their visitors, particularly those which don’t request financial information, are likely to create and self-sign a certificate. Self-signing saves them money and still provides for encryption, although it gives the visitor no way to tell the site’s own certificate from one that an eavesdropper has generated with the same name. Sites which transfer financial information should instead have a Certificate Authority (CA) issue their certificate. Before signing, the CA checks that the applicant actually controls the domain name (and, for the more expensive validation levels, the identity of the organization behind it), adding another level of assurance for the careful online shopper to rely on. The cost argument has also weakened: some CAs (Let’s Encrypt, for example) now issue domain-validated certificates free of charge.
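As an added illustration (not part of the original post), the Go program below uses the standard library’s crypto/x509 package to act out the two cases described above: a certificate for the hypothetical site name shop.example issued by a made-up “Demo Root CA” that the browser trusts, and a self-signed certificate for the same name. The browser-style check accepts the first, rejects the second as coming from an unknown issuer, rejects the CA-issued one when it is presented for a different name, and accepts the self-signed one only after the visitor has explicitly added it to their own trust store, which should happen only after comparing its fingerprint with a value obtained out of band. The site name, serial numbers and the CA are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

const Host = "shop.example" // hypothetical site name used throughout the example

// template describes either a CA certificate or a server certificate for name.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name} // the name a browser compares with the URL
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl for a fresh key; with parent == nil the certificate signs itself.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil { // self-signed: the certificate vouches for itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildScenario plays a demo CA and two owners of Host (one CA-issued, one self-signed certificate); roots is the browser's trust store.
func BuildScenario() (caSigned, selfSigned *x509.Certificate, roots *x509.CertPool) {
	ca, caKey := sign(template("Demo Root CA", 1, true), nil, nil)
	caSigned, _ = sign(template(Host, 2, false), ca, caKey)
	selfSigned, _ = sign(template(Host, 3, false), nil, nil)
	roots = x509.NewCertPool()
	roots.AddCert(ca) // the browser ships with the CA, never with individual sites
	return caSigned, selfSigned, roots
}

// Explain runs the browser's check (chain to a trusted root, name matches the
// URL) and returns the verdict it would show the visitor.
func Explain(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	switch e := err.(type) {
	case nil:
		return "trusted"
	case x509.UnknownAuthorityError:
		return "unknown issuer"
	case x509.HostnameError:
		return "name mismatch"
	default:
		return "invalid: " + e.Error()
	}
}

// Fingerprint is the SHA-256 of the DER certificate, the value a site owner can publish out of band.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

func main() {
	caSigned, selfSigned, roots := BuildScenario()
	fmt.Println("CA-signed, right name:", Explain(caSigned, roots, Host))
	fmt.Println("CA-signed, wrong name:", Explain(caSigned, roots, "evil.example"))
	fmt.Println("self-signed:          ", Explain(selfSigned, roots, Host))
	// Only after comparing Fingerprint(selfSigned) with an out-of-band value should a visitor pin it:
	pinned := x509.NewCertPool()
	pinned.AddCert(selfSigned)
	fmt.Println("self-signed, pinned:  ", Explain(selfSigned, pinned, Host), Fingerprint(selfSigned)[:16])
}
```

The trust store in the example contains only the demo CA, which is the point: a browser never knows individual sites, only the authorities that vouch for them, so a self-signed certificate can only ever be accepted by a decision the visitor makes, and that decision is safe only when the fingerprint has been checked against something the eavesdropper could not have altered.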

In summary, pay attention to the warning messages your internet browser provides when you are entering a website. A warning that the certificate is self-signed or from an unknown source means the browser cannot confirm who is on the other end, even if you know the website well: the certificate could just as easily belong to someone sitting between you and the site. It is reasonable to proceed only if the site’s owner has given you the certificate’s fingerprint through some other channel and it matches what the browser shows. Otherwise treat the warning as a stop sign, and never provide financial or other sensitive information unless the certificate is signed by a trusted CA and the browser raises no warning at all. If there is no certificate (the address begins with http:// rather than https://), you will be communicating over an unencrypted connection that anyone on the path can read, so refrain from offering any information at all; you might choose to steer clear of such websites altogether.
