I have had Firefox flip out a few times and give me a screen with red font saying “This site is untrusted” or something like that when I have clicked on links from a Google search.
Could this be what happened?
Note that just because a trusted Certificate Authority issued a certificate does not mean that the person you’re communicating with can be trusted. It’s just a means of identifying that they are who they say they are, so it’s also important that the user checks the domain name or company name on the certificate and makes up their own mind about whether the company they are dealing with is trustworthy.
So a phishing scheme (e.g. NotMyBank.com) could have a trusted certificate?!
Normally on the web, if the server needs to be able to verify who the client is, they do this once the secure session has already been opened. For instance, by requiring a login. The login details are all sent over the already secure channel. That is why I said the server doesn’t need to know who the client is in order to start the secure session.
This is a bit more user friendly, and privacy-friendly, than requiring all web users to have a certificate installed in their browser signed by a certain certificate authority (though some rare services do sometimes request a certificate from a client for security reasons).
Maybe some Business-to-Business situations require client web certificates?
Yep, you’ll need an SSL certificate signed by a trusted Certificate Authority and issued for your actual domain name. An SSL certificate included free with your hosting package may not satisfy both those criteria.
Is there a way to get a test SSL certificate?
I’m going to get a “test” account with GoDaddy.com where there will not be a domain name, just a fixed IP address. (I don’t want people to be able to know who I am for my test account by looking up a domain, plus it is just a “test” account?!)
Hoping you say “yes”?!
Also, when I am ready to get down to business and get a “real” SSL certificate, what kinds of information must I provide to get one?
(I hope they aren’t asking for really intimate details like bank acct #'s, physical address, etc.)
You’ll need to get your host to enable HTTPS with that certificate. For Jane’s sake, make sure that the same content is not available via regular HTTP, and make sure none of your internal links, and links to things like scripts, stylesheets and images, lead to non-HTTPS sites. That’ll ensure her browser will never lead her to the same site, unprotected, or show a confusing warning about non-encrypted page elements.
Wow! That is some of the best advice I’ve been given in a long time?!
That is a lot to “chew” on, and probably requires a solid architecture, but here are some initial thoughts…
So it sounds like it is better to have “dedicated” Scripts, Style Sheets, Images, etc for secure pages??
Maybe you even would want to double up and have Scripts, Style Sheets, Images, etc map to a specific secure page??
In general, is there any easy way, approach, or even testing tool to ensure that…
1.) You don’t accidentally loop Jane User from a secure area back to a non-secure area, OR that
2.) Jane User can’t get to a secure area via a non-secure area OR that
3.) There isn’t some way for people to “hack” your URL and hop from non-secure to secure to non-secure areas??
(Sorry, those are probably threads unto themselves?!) LOL
There is no special code to switch into or out of a secure connection except the “https:” at the beginning of a URL. Make sure the user is using a secure connection before logging in (i.e., the login page should be included in those pages that are only accessible via “https:”).
Okay.
Thank you Thomas!!
Great information!!
Sincerely,
Amy
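The question above about a “testing tool” to catch links, scripts, stylesheets and images that would pull a visitor back to plain HTTP can be answered with a small static check. The scanner below is an added example and not code from this thread or from any of the people in it; it scans an HTML page as served from an HTTPS URL and lists every sub-resource (mixed content) and every navigation link or form that resolves to an `http://` scheme. The page URL and HTML sample are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that load sub-resources into the page. A plain-HTTP
# resource on an HTTPS page is "mixed content" and triggers browser warnings.
RESOURCE_ATTRS = {
    ("script", "src"), ("link", "href"), ("img", "src"), ("iframe", "src"),
    ("source", "src"), ("video", "src"), ("audio", "src"), ("object", "data"),
}
# Tag/attribute pairs that move the user to another page. A plain-HTTP target
# here is the "loop Jane back to a non-secure area" case from the thread.
LINK_ATTRS = {("a", "href"), ("form", "action")}


class MixedContentScanner(HTMLParser):
    """Collect every resource or link on the page whose scheme is plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            key = (tag, name)
            if key in RESOURCE_ATTRS:
                kind = "resource"
            elif key in LINK_ATTRS:
                kind = "link"
            else:
                continue
            # Resolve relative and protocol-relative ("//host/x.js") references
            # against the page URL, so only explicit http:// targets are flagged.
            absolute = urljoin(self.page_url, value.strip())
            if urlparse(absolute).scheme.lower() == "http":
                self.findings.append((kind, tag, absolute))


def scan_page(html, page_url):
    """Return [(kind, tag, url), ...] for every plain-http reference in html."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: an HTTPS page with a mix of safe and unsafe references.
PAGE_URL = "https://www.example.com/account/home"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.com/jquery.js"></script>
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="http://www.example.com/logo.png">
<a href="http://www.example.com/account">My account</a>
<a href="/help">Help</a>
<a href="mailto:support@example.com">Contact</a>
<form action="http://www.example.com/login" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in scan_page(SAMPLE_HTML, PAGE_URL):
        print(f"{kind:8} <{tag}> -> {url}")
```

On the sample, the relative stylesheet, the protocol-relative script and the `/help` link all resolve to `https://` and are not reported; the four explicit `http://` references are. Running the same scan over each page of the secure area (fetched over HTTPS) is a quick way to confirm that no script, stylesheet, image or link leads back to an unencrypted URL. Note that the scan only sees references present in the HTML; it does not check whether the host also serves the same pages over plain HTTP, which is a separate server-configuration test.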