This Connection is Untrusted

I am at the library, and when I went to use their free wi-fi, Firefox displays this message…

Questions:

1.) What exactly does that message mean?

2.) Should I be overly concerned about it?

3.) Should I “run for my life” from the library?

I understand the risks of “free wi-fi”, but that is my only option at the moment. So based on that, I’d like to understand what additional risks the screen-shot I posted above may cause.

Sincerely,

Debbie

The site is using an SSL certificate that isn’t recognized by any of the Internet’s root certificate authority servers.

Since I see the address is an IP address, I’d guess that it’s a self-created SSL certificate of the device managing wireless connections.

It’s likely that it’s a sign-on page for gaining wifi access to verify that you are a library patron.

Not sure I follow your response.

What about questions #2 and #3?

Whatever the library I was at is doing, it seems like they aren’t being very careful or secure… :mad:

Sincerely,

Debbie

Nah, the problem is that they haven’t forked out lots of money to get their SSL certificate “verified” by a recognized company. That doesn’t mean their connection is any less secure. It’s just an annoying message that you can ignore if you trust the organisation offering the connection—which in this case, you can.

My own web hosting account gives me the same message. The only way around it is to pay big $$$ for a pointless “verified” SSL certificate. But I don’t bother, because I trust myself. :slight_smile:

I’m still not understanding what is going on here…

Why is the library using an SSL certificate for free wi-fi in the first place?

Here is what happens when I want to access the Internet at this library…

  • I choose the library’s hot-spot
  • I open Firefox
  • I get that error page
  • I chose to ignore that message by adding the library as an exception
  • I get some library landing page
  • I check the box next to the “Terms” and click “Accept”
  • I am connected to the Internet

There is no User Account or User Log-In required, so what purpose would any SSL certificate serve?? :-/

My own web hosting account gives me the same message. The only way around it is to pay big $$$ for a pointless “verified” SSL certificate. But I don’t bother, because I trust myself. :slight_smile:

I’m not following you.

You have a website that others have to deal with the same issue?

Or you have a similar issue to just connect to the Internet with your ISP?

Or something else?

Back to my OP, when should the error page I showed above make me leave immediately? (I’ve come across that before on the Internet.)

Sincerely,

Debbie

To encrypt the connection between your computer and the wifi so that the person three desks over can’t capture everything you type in.

Do all free wi-fi connections do that?

I guess I thought SSL/HTTPS was a function of the websites I was visiting on the free wi-fi, and not a feature of the free wi-fi itself. For example, if I log into my SitePoint account on a free wi-fi connection, it is SitePoint protecting my log-in credentials, right?

Debbie

No, when I go to log in to the backend of my web hosting account, it is an https connection, and thus I get the warning message, so it’s not something that affects site users.

If you want a protected web connection (for the reasons that felgall described)—that is, to go to https as opposed to http—you need to set up an SSL certificate. It’s perfectly fine to create one yourself, and is free, but from a browser’s point of view, it’s not as reliable as one that’s verified by a trusted SSL company. So if you have an ecommerce website that grabs credit card details from customers, it’s best to get the SSL certificate endorsed by a reputable company. That way, the browser knows to trust the certificate.

The library is providing you with a more secure connection by sending you to https, so they are trying to do the right thing, but the warning message is a bit of a pain. If you were visiting a site by someone you didn’t know, the browser would want you to know that even though it’s an https connection, you may not be able to trust the person at the other end who is getting your data.

SSL certificates like you describe only cost maybe $100 per year, so I don’t see why it would be an issue for anyone wanting to provide a “secure” connection…

The library is providing you with a more secure connection by sending you to https, so they are trying to do the right thing, but the warning message is a bit of a pain. If you were visiting a site by someone you didn’t know, the browser would want you to know that even though it’s an https connection, you may not be able to trust the person at the other end who is getting your data.

Is it unsafe to use a free wi-fi connection that isn’t using an HTTPS connection? (That is probably an oxymoron… “safe” and “free wi-fi”, but you know what I mean!)

Sincerely,

Debbie

Because it costs $100 a year. A self-made SSL certificate is just as secure as one officially recognized by a certificate authority, and it’s free. Typically, the only time you want an officially recognized SSL certificate is if you’re running an ecommerce site so that visitors don’t have a concerned reaction like you are having right now.

An SSL certificate simply encrypts the data between the server and the client so third parties can’t see what’s being transferred.

Is it unsafe to use a free wi-fi connection that isn’t using an HTTPS connection? (That is probably an oxymoron… “safe” and “free wi-fi”, but you know what I mean!)

A WiFi connection doesn’t use HTTPS–that’s reserved for website traffic. It uses WPA, WPA2, or WEP for network encryption. Network encryption prevents third parties from unauthorized access to the network.

But in answer to the question, if you use HTTPS while on a WiFi connection (secured or not), your information is safe. If you use HTTP, everything that is transferred to and from your computer over this protocol is broadcast in the clear (as in, anyone with a packet sniffer can see POST and GET responses).

However, some wireless access points do have a “wireless isolation” feature, which prevents wireless clients from seeing each others’ traffic. However, there’s not a good way to tell if this feature is enabled without some thorough testing and either multiple wireless devices or cooperation from another wireless user.

There are two purposes served by an SSL certificate -

  1. securing data between the browser and the server
  2. Confirming the identity of the site you are connecting to.

A paid certificate is required for the second of these but a self made certificate or one offered by a third party is equally effective for the first.

So for connecting to your own web site to read your emails online you can use the webhosting provided certificate to get a secure connection and because you know that your site is hosted with them you know that you are accessing the right place even though the certificate doesn’t match the domain.

With access over local WiFi a self made certificate can be used because there will be someone physically present at the location who can confirm the certificate really does belong to them IN PERSON so that you don’t have to rely on one of the major SSL authorities having issued the certificate and trusting that authority to have checked who the certificate is issued to. Trusting the person in front of you in this situation is even better than trusting some authority that the people who wrote your browser decided to trust to issue certificates. With a library WiFi any library owned computers wouldn’t even be producing that alert as the person who set up the network would have added their certificate as a trusted certificate in the browsers on those computers. If you trust the library connection you can make it a trusted certificate in your browser and never see the warning again. If you don’t trust it then don’t use their network at all.
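An added example, not part of the thread or any poster's code: one way to carry out the in-person confirmation described in the post above is to compare the SHA-256 fingerprint of the certificate the portal presents with a fingerprint the staff hand you. The certificate bytes and the staff fingerprint below are constructed stand-ins, and that the library can supply a fingerprint at all is an assumption.

```python
import hashlib
import hmac
import ssl


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Drop separators and case so a fingerprint read off paper compares cleanly."""
    hex_only = "".join(c for c in fingerprint if c not in ": -\t\n").lower()
    if len(hex_only) != 64 or any(c not in "0123456789abcdef" for c in hex_only):
        raise ValueError("not a SHA-256 fingerprint")
    return hex_only


def matches_confirmed(der_cert: bytes, confirmed_fingerprint: str) -> bool:
    """True only if the presented certificate is the one confirmed in person."""
    presented = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(presented, normalize(confirmed_fingerprint))


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch whatever certificate the server presents, without validating it."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed stand-ins for real DER-encoded certificates (assumption: in real
# use these bytes come from fetch_der() called with the portal's address).
PORTAL_CERT = b"constructed DER bytes: library portal certificate"
OTHER_CERT = b"constructed DER bytes: certificate from another device"
# Constructed: the fingerprint as staff might write it down, lower case with spaces.
STAFF_FINGERPRINT = fingerprint_sha256(PORTAL_CERT).lower().replace(":", " ")

if __name__ == "__main__":
    print("portal certificate matches:", matches_confirmed(PORTAL_CERT, STAFF_FINGERPRINT))
    print("other certificate matches: ", matches_confirmed(OTHER_CERT, STAFF_FINGERPRINT))
```

A mismatch means the certificate on the warning page is not the one that was confirmed, so it should not be added as an exception.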

Aw, didn’t know you could do that. Firefox always used to accept the site once I reassured it, but on Chrome, it always kicks up a fuss. After some Googling, found this page that showed how to stop that:

http://www.robpeck.com/blog/2010/10/05/google-chrome-mac-os-x-and-self-signed-ssl-certificates/

(In fact, the process is easier than described there, so perhaps Chrome has improved the situation. Worked nicely.)

You aren’t talking $100 though? You can get recognised certs below $10 that won’t give this error.

Yes, you can get less expensive certs. I was simply quoting what DoubleDee said to make a point.

The lowest I’ve seen from a known reputable CA is around the $30 mark. I’ve also seen certs go as high as $600.

You can get a RapidSSL cert for around $10 that is owned by GeoTrust and in turn owned by Symantec. You can pay much, much more than $600. You aren’t paying just for the cert then though, it’s the whole trust around it - http://blog.servertastic.com/a-look-at-the-cost-of-ssl-certificates/ (Mods the link is relevant but let me know if you want it removed).