The Dangers When You Create Your Own Wildcard SSL Certificate

There is an old saying that just because something can be done doesn't mean it should be done. This is certainly true of IT services and options, many of which are entirely possible from a technology standpoint but may be counterproductive and even harmful to a website.

Specifically, we would like to talk about the issues you will encounter when you create your own Wildcard SSL certificate. These are commonly known as self-signed certificates and they are available through OpenSSL and through different options available online.

There are several important distinctions to make with a self-signed certificate. The first and most obvious is that there is no Certificate Authority that is validating the information provided by the applicant. There is no validation process and no one verifies that the applicant has the authority to create the Certificate Signing Request or even has the authority to use the domain name.

Basically, these are certificates that say trust me because I say I am trustworthy. While this may be true, would you provide your credit card information, personal identifiers or even general information about yourself to someone on the street that you have never met before and no one is vouching for?

That is at the heart of what you are doing when you create your own Wildcard SSL certificate. Granted, there is a very low risk of someone hacking into a server and creating a fraudulent self-signed certificate for a spoof website, but it can and does happen.

Also, if the Wildcard SSL (secure sockets layer) is encompassing a large number of subdomains across multiple servers, it would be even easier for this type of breach to occur and go undetected.

Problems with Browser and Device Recognition

Perhaps the biggest issue when you create your own Wildcard SSL certificate is that you are your own Certificate Authority in the most basic sense. However, unlike Comodo, you are not recognized as a trusted source by the major web browser and device developers.

Unless the browser or device has the issuing root certificate embedded as a trusted source, it is going to show a warning message to anyone using the site. Depending on the browser or device, the message can provide more or less information about why the site is considered unsafe.

At a minimum, the user will see the red shield or the warning guard icon and the message that the website has a problem with the SSL certificate. This may state it is because the certificate is not from a trusted CA or it may state that the website may be an attempt to intercept data or to fool a customer into providing data to an unsafe source.

This message is not small and it will not be something that the customer or visitor to the site will miss. The result of this will be discussed in the next section, but if you run analytics on the site, you will typically see a very high bounce rate and a lot of other downturns in online business.
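
The trust decision described in this section can be reproduced with the OpenSSL command line. The script below is an added example, not part of the original article; the name `*.example.test`, the file paths and the function names are constructed for illustration, and it assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example. "*.example.test" and all file paths are constructed placeholders.

# Create a throwaway self-signed wildcard certificate (1-day validity) in directory $1.
make_selfsigned_wildcard() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=*.example.test" \
        -addext "subjectAltName=DNS:*.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# True when issuer and subject are the same name AND the certificate's own
# public key verifies its signature, i.e. nobody else vouched for it.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ] || return 1
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# True when any name on the certificate (CN or SAN) is a wildcard.
is_wildcard() {
    openssl x509 -in "$1" -noout -text | grep -Eq '(DNS:|CN ?= ?)\*\.'
}

# True when the certificate chains to a root in the system trust store,
# which is the check a browser makes before deciding whether to warn.
chains_to_trusted_root() {
    openssl verify "$1" >/dev/null 2>&1
}

# Print a one-line verdict for certificate file $1.
classify_cert() {
    if is_self_signed "$1"; then kind="self-signed"; else kind="CA-issued"; fi
    if is_wildcard "$1"; then scope="wildcard"; else scope="single-name"; fi
    if chains_to_trusted_root "$1"; then trust="trusted"; else trust="untrusted"; fi
    echo "$kind $scope $trust"
}

# Demo run on a freshly generated certificate.
workdir=$(mktemp -d)
make_selfsigned_wildcard "$workdir"
classify_cert "$workdir/cert.pem"
rm -rf "$workdir"
```

Running `classify_cert` against certificates exported from internal hosts gives a quick inventory of which ones will trigger the browser warnings described above.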

Drop in Customer Confidence and Sales

With the warnings that appear when you create your own Wildcard SSL certificate, most consumers are going to leave the site immediately. Some may know to review the certificate online and may understand that it is self-signed, and that this does not necessarily mean the site is a spoof or has been breached.

Even with these consumers or users, the risks may outweigh the benefits of shopping or buying from the site. It is too easy to just click back to the search engine results page and go to the next website on the list.

Another issue you may note is an increase in abandoned shopping carts and fewer page views per session. This will typically start to occur immediately once the self-signed product is installed.

Bad Habits Develop

You may be thinking that you can save money and create your own Wildcard SSL certificate for internal sites. After all, you know your own internal network is secure, so why go to the expense of getting one from a CA?

Unfortunately, teaching employees to ignore these security messages is a bad habit. If they become complacent with the messages when on the internal network, they will do so when they are on an external network. This leaves your company network open to phishing, hackers and even man-in-the-middle attacks.

In the long run, a self-signed certificate may actually end up costing you money in lost customers, lower sales and increased risk of a security problem. To find out how we can help you find the right Wildcard SSL certificate for your budget, give us a call at +1 888 266 6361 or contact us through the website at
