SSL (Secure Sockets Layer) and its newer version, TLS (Transport Layer Security), are meant to provide secure communication between a client and a server. I understand how easy it must have been to decide to verify identity with them as well – to show that a site is actually who they say they are. However, from a developer’s perspective – why on earth do I need to pay so much yearly to prove that… Well, I am not using it as a payment gateway – I just want to ensure that my users’ information is secure against man-in-the-middle attacks. I want my users to know that when they submit anything to my site, it will be safe from prying eyes, and kept with me and me alone. I want my users to have that security. But now, because of how SSL has developed and how modern browsers treat the certificates – if I have a self-signed certificate, my users are told before they see my page that it isn’t trusted. This is told to my users because I have not paid these large corporations a sum of $200 plus annually to sign my certificate verifying that it is me. I understand a fee for that service, but why is it worth so much, and why do browsers tell you when a certificate is not signed by these companies? The security between the communication of the server and client is the same whether or not I paid to have my certificate signed.
As a developer, I do not care whether my identity is verified. I want that security for users, but I refuse to pay for it if I am not running a store. So, that is my rant about the corporate world. I don’t like people making a ton of money off developers that are trying to protect their users, and then telling those same users that because this developer wanted to secure that communication between them – they are not trusted. Sorry, I just don’t like how the users get screwed in the situation, because honestly whether data can be intercepted by a third party really does not directly affect me.