Mini Servers: Browsers dislike self-signed certificates
Browsers dislike self-signed certificates
They throw up all kinds of scary messages, and rightly so. However, if it’s your personal secure server (server 4, server 5 or SSL personal secure server), what do you do? Certainly do not follow the information they give you; otherwise you will never connect to your server. This page hopes to point you in the right direction for a personal secure server.
I must stress: if you receive any of the alarm bells while you are about to part with money, make sure you heed the warnings and recommendations, otherwise you may just find your bank account depleted.
To save or not to save
I personally recommend you do not save a self-signed certificate to your browser, especially if you are not using your own personal computer. It is best to allow a certificate for the current session only.
How to determine if data was encrypted
What strikes me as odd is that, using a self-signed certificate, once a secure connection is established all modern browsers do not give a clear indication that data is being encrypted. This, I suppose, is to actively discourage their use.
A small piece of theory: when connecting from a browser, the scheme https:// dictates that a secure protocol must be used for the connection. Likewise, the server will also have been set up (SSLEngine on) to serve pages only over a secure protocol.
The net result: if you see https:// in your browser address bar and the page is being displayed, it was encrypted before being sent over the Internet and decrypted by your browser.
This does not guarantee a connection is safe. If the data is intercepted, encryption makes it difficult for a casual user to crack. In addition, it does not prevent man-in-the-middle attacks; only a signed certificate can help with this.
How to get your browser to accept a self-signed certificate
All modern browsers actively discourage self-signed certificates; however, they do need to honour the wishes of users. How you get your browser to accept a self-signed certificate varies depending on the browser you are using; some make it a little more difficult than others. I cover the three main browsers (well, the ones I have access to). In reality, all that is required is a few mouse clicks while ignoring the scary warnings and recommendations.
Note: I used mini server 5 for these tests and screen shots.
Browser address: https://localhost:8085
Firefox 3
Step 1: Click OK
Step 2: Click Or you can add an exception
Step 3: Click Add exception
Step 4: Click Get certificate
Step 5: Un-check Permanently store this exception
Step 6: Click Confirm Security Exception
Opera 9.51
Step 1: Click Approve
There is no step 2. Clicking the question mark to the right of the browser address bar allows you to view certificate details.
IE7
Step 1: Click Continue to this website (not recommended)
There is no step 2. Clicking Certificate Error to the right of the browser address bar allows you to view certificate details. Note: It's not a true error; there is not a problem with the certificate.
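The certificate details each browser shows above include a fingerprint, and comparing it with the fingerprint of the certificate file on the server is the check that tells your own certificate from a substituted one. A sketch of that comparison in Python, added here as an example and not part of the original page or the mini servers; the function names and the two sample certificates are constructed for illustration, and the default host and port are the ones used in these tests.

```python
import hashlib
import hmac
import ssl
import sys


def fingerprint(pem_cert, algorithm="sha256"):
    """Hex digest of the certificate's DER bytes, the value a certificate viewer lists."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.new(algorithm, der).hexdigest()


def normalise(shown):
    """Drop the colons, spaces and upper case that viewers add to a fingerprint."""
    return "".join(ch for ch in shown if ch not in ": \t\n").lower()


def matches_pin(pem_cert, expected, algorithm="sha256"):
    """True only if the presented certificate is byte-for-byte the expected one."""
    actual = fingerprint(pem_cert, algorithm).encode()
    return hmac.compare_digest(actual, normalise(expected).encode())


def fetch_pem(host="localhost", port=8085):
    """Fetch whatever certificate the server presents, without validating it.
    Trust comes only from comparing its fingerprint afterwards."""
    return ssl.get_server_certificate((host, port))


# Constructed stand-ins for DER certificates (not real X.509), so the demo runs offline.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed: certificate generated on my server")
SUBSTITUTED_PEM = ssl.DER_cert_to_PEM_cert(b"constructed: certificate swapped in transit")

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py HOST PORT EXPECTED_FINGERPRINT
        pem, expected = fetch_pem(sys.argv[1], int(sys.argv[2])), sys.argv[3]
        print("match" if matches_pin(pem, expected) else "MISMATCH: do not add an exception")
    else:
        recorded = fingerprint(SAMPLE_PEM)  # noted on the server machine itself
        print("server cert matches:", matches_pin(SAMPLE_PEM, recorded))
        print("substituted cert matches:", matches_pin(SUBSTITUTED_PEM, recorded))
```

Pass `algorithm="sha1"` or `"md5"` when the certificate viewer lists one of those digests instead.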
Conclusion
From the above I hope you noticed there is no consistency; in addition, it's difficult to determine if your page was encrypted. I personally think there is a fundamental flaw in that there is no reference point like the old padlock. Firefox hides it at the bottom right of the screen; neither IE nor Opera provides one. They use a newfangled method, as does Firefox. I would prefer the address bar to have changed colour.
A final reminder: do heed all warnings when parting with hard-earned cash. Never give away credit card details until you are completely sure you have a secure connection.
Ric