How to set up HTTPS without paying anything anywhere? (But with no warnings from Firefox)


Solution 1

StartSSL provides free community-validated certificates; it may be of interest for you. The green badge is only obtained through Extended Validation, which isn't free.

SSL is still secure against passive sniffing even with untrusted certificates.

If it is for your own usage, creating your own CA is fine. Knowledgeable people will not agree to include your homemade CA in their browser - it allows you to impersonate any SSL website to them as long as you are the man in the middle.

Solution 2

If you are interested in the global Internet community not getting the warning then you are pretty much out of luck. You need to have an SSL certificate from a certificate authority that Firefox knows about, otherwise people will get that prompt. You can get very inexpensive SSL certs from CAs that Firefox is already configured to trust out of the box.

If you have a smaller community of people that you are working with then you can generate your own SSL certificates and set up your own certificate authority to validate them. In doing this, though, you will have to have a way for all of your users to add your certificate authority as a trusted CA in Firefox so that it will validate your certificate and give them the happy green badge you're striving for.

Solution 3

I work at a higher education institute in the United States. If you work for a qualifying institution (IANAL, so don't ask me), you can get a valid two-year cert from a Spanish certificate authority, ipsCA. If you follow that link, you can see it is in what I feel is intentionally tiny print. We have used it at our institution for some utility boxes, but I am not sure it went into production services AFAIK.

This is not to say it does not have its fair share of problems. We had to disable OCSP checking for some people in our group because the browser would suffer very long timeouts regarding this cert. We could not figure out why until much later, and then the timeouts stopped being an issue. The bug status does not make it clear whether this will be resolved in the future. But hey, free is free.

Edit: I cannot post more than one link because I am too inexperienced to handle myself on this site, according to the cutesy error message. Look up Firefox bug 529286 and OCSP on the Mozilla wiki to see what I am talking about.

Solution 4

If you sign up with StartCom, you can get a free SSL certificate which is accepted as valid by both Firefox and IE. It's not community validated, but validated by proving that you own the domain (or at least have access to the postmaster, webmaster or hostmaster accounts).

Author by Vi.

Updated on September 17, 2022

Comments

  • Vi.
    Vi. over 1 year

    Usual HTTPS setup requires a certificate that is signed by some rich authority and requires [monthly] fees and periodic maintenance (to prevent expiring). This way Firefox displays a happy green badge that the certificate is OK and users know that they connect to a server at least managed by someone rich enough to afford a certificate.

    Simple HTTPS setup is based on a self-signed certificate (or some temporary "advertisement offer" of some minor certificate authority). While connecting to this server Firefox almost always shows a Big Fat Warning that can frighten users and lower the usability of the site. So the simplest way of solving it is just to ignore security and revert to plain unencrypted HTTP.

    How to make the traffic from Firefox encrypted (at least from passive sniffing), but not so high security level that requires third parties? Something like in OpenSSH.

  • Vi.
    Vi. almost 14 years
    "very inexpensive" ones are usually more expensive than my VPS rent.
  • squillman
    squillman almost 14 years
    @Vi: GoDaddy sells them for $50 US over 2 years last I checked. They're not my favorite company to work with, but if your VPS rent is less than that I'd like to talk to your provider!
  • squillman
    squillman almost 14 years
    @Vi: also, have a look at this question - serverfault.com/questions/4834/…
  • Vi.
    Vi. almost 14 years
    I am not looking for the green badge, but for the absence of the "This ... ... insecure!" message with more than 3 clicks to dismiss.
  • Deb
    Deb almost 14 years
    We used ipsCA for years at our institution. Spoiled us rotten, it did.
  • John Gardeniers
    John Gardeniers almost 14 years
    This sums it up: Pay or have the security warning. +1
  • Vi.
    Vi. almost 14 years
    @John Gardeniers, Looks like rich swindlers officially have more rights in these certificates than poor legitimate service providers.
  • John Gardeniers
    John Gardeniers almost 14 years
    @Vi - It's not quite that simple. It costs money to establish the infrastructure and trust relationships behind commercial certificates. Those companies which have invested that money clearly expect a return on their investments. I'm sure you don't do your job for free.
  • Vi.
    Vi. almost 14 years
    Looks like StartSSL works. Firefox 3.5 recognizes it. (Firefox 2.0.0.14 does not, but it does not recognise even startssl.com).
  • Vi.
    Vi. almost 14 years
    @John Gardeniers In the commercial world it is OK. I'm thinking more about little start-ups or toy projects (which can grow up to a normal thing, but with a lag in security management). /* Also, personally I don't much like all those hierarchical centralized structures like DNS and these keys with Root Authorities. They tend to grow overtrusted, overloaded => need for serious equipment => need for money => overcommercialised */
  • Vi.
    Vi. almost 14 years
    @John Gardeniers, "Pay or have the security warning." -> Followed the answer about StartSSL, now get no warning without any payment.