HTTPS is less secure?

There's been a crazy trend with modern web browsers that I really think needs to be addressed.

Typically, when you access a website it uses HTTP, which is not secure at all: everything that passes between you and the site can be read by anyone on the network path between the two of you. HTTPS encrypts your communication with the site and uses a certificate to tell your browser who it is talking to. The site generates its own key pair and has a Certificate Authority (CA) sign a certificate for it. Your computer ships with a built-in list of the CAs it trusts, and when you receive a certificate from a website it checks that the certificate chains up to one of them.

In case you didn't guess, certificates from a CA cost money. A common thing to do for connections that will only be used inside your own network, or for smaller sites, is to use a self-signed certificate: one the site signs with its own key instead of having a CA sign it. These certificates give you exactly the same encryption as the ones from a CA; the key sizes and ciphers protecting the connection are identical. The difference is that your computer can't verify who it came from, so on its own it can't tell the site's genuine certificate apart from one an attacker sitting on the path has substituted. The only way to tell them apart is to check the certificate's fingerprint against a copy you got some other way.
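The difference between "encrypted" and "verified" can be seen with nothing but the openssl command line. The script below is an added example, not code from the original post: it mints a self-signed certificate for a made-up internal host, shows that the default trust store rejects it (which is all the browser warning means), shows that pinning that exact certificate works, and then mints a second certificate with the same name to show that the subject is worthless as an identifier and only the fingerprint distinguishes the two. The host name intranet.example and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: what a self-signed
# certificate gives you and what it does not, using only the openssl CLI.
# The host name "intranet.example" and the scratch directory are assumptions.
set -u

WORK="${WORK:-$(mktemp -d)}"

# Mint a self-signed certificate for the given name. The key size and
# signature hash are the same ones a CA-issued certificate would carry;
# the only thing missing is a signature from a key your computer trusts.
make_self_signed() {
    name="$1"; out="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$name" \
        -keyout "$WORK/$out.key" -out "$WORK/$out.pem" >/dev/null 2>&1
}

# Verify against the default trust store, as a browser does on first
# contact. Succeeds only if a CA your system already trusts signed it.
verify_default() {
    openssl verify "$WORK/$1.pem" 2>&1 | grep -q ': OK$'
}

# Verify against one explicitly trusted certificate. This is what the
# browser's "add an exception" amounts to: it pins the certificate you saw.
verify_with_anchor() {
    cert="$1"; anchor="$2"
    openssl verify -CAfile "$WORK/$anchor.pem" "$WORK/$cert.pem" 2>&1 | grep -q ': OK$'
}

# SHA-256 fingerprint: the value you compare against one obtained out of
# band (from the admin, over the phone) before trusting a self-signed cert.
fingerprint() {
    openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Subject name, which is all the browser's address bar shows the user.
subject() {
    openssl x509 -in "$WORK/$1.pem" -noout -subject
}

# The site's genuine certificate, and a second one that an attacker on
# the path could mint for the same name in about a second.
make_self_signed intranet.example genuine
make_self_signed intranet.example impostor

# Report the outcome of each check for a reader running this by hand.
report() {
    printf '%-42s %s\n' "$1" "$2"
}
report "default store trusts genuine cert:"  "$(verify_default genuine && echo yes || echo no)"
report "genuine cert pinned, genuine cert:"  "$(verify_with_anchor genuine genuine && echo OK || echo FAIL)"
report "genuine cert pinned, impostor cert:" "$(verify_with_anchor impostor genuine && echo OK || echo FAIL)"
report "subjects identical:" "$( [ "$(subject genuine)" = "$(subject impostor)" ] && echo yes || echo no)"
report "genuine fingerprint:"  "$(fingerprint genuine)"
report "impostor fingerprint:" "$(fingerprint impostor)"
```

The first line of output is the browser's complaint in miniature: the certificate is perfectly good cryptographically, it just does not chain to anyone the system already trusts. The last two lines are the part the warning page never tells you about: once you have pinned the genuine fingerprint, the impostor's certificate, identical in name and in strength, is rejected, and that is the only thing that makes a self-signed connection safe against an active attacker rather than just against eavesdroppers.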

So my problem comes in with how modern browsers handle these self-signed certificates. When you go to a site with a self-signed certificate, Internet Explorer, Firefox, and Chrome all hit you with a page warning that the site you are about to connect to may be insecure. Even worse, the latest version of Firefox gives you the warning but won't let you click through it, and simply stops you from visiting the page.

I understand the need to warn users that a site might not be using a certificate issued by a CA, since without that check an attacker on the path could hand you his own self-signed certificate and read everything. But the plain HTTP page is open to that same attacker and to every passive eavesdropper besides, and the browser shows no warning at all for it. Treating a self-signed certificate as somehow less secure than going to a site with no encryption whatsoever is just crazy.
