Self-signed encryption. Do you care?

I’m impressed. Really. And I’ll tell you why in a second: due to a misconfiguration, a secure connection (HTTPS) has been enforced for all visitors coming to this blog for a few months now. I didn’t notice this at first, because I use a special WordPress plugin to enforce HTTPS for the admin user (myself) only. Actually, administering this blog in a secure way is the only reason I started to offer HTTPS access to this blog at all. To save myself a few bucks, I used my own certificate authority to issue myself a certificate. I guess that a maximum of 5 visitors/day trust this certificate authority by default. And this is a very optimistic guess. This means that for most visitors, it was very difficult to actually access this blog, because modern browsers nag the user a lot if they detect any certificate issues with a site. Still – and that’s what I am so impressed with – I lost only about one third of the visitors by enforcing a secure connection. And I get a lot of visitors – especially through search engines. It seems that most visitors that come in via Google, for example, do not really care if they need to dismiss a number of security warnings to access this site. Or most visitors of this blog have disabled these checks. I don’t know. What this probably means is that

  1. most of you are technically savvy
  2. and you care enough to take the additional work required to access the content on this site.

Still, I disabled HTTPS enforcement again because

  1. it kept most feed readers out (I can only guess how many people were affected by this, because I don’t really track the number of subscribers to my RSS feed)
  2. and one third of the visitors of this blog are still a lot of visitors, if you just look at the bare numbers.

Anyway, I thought that I would lose a lot more visitors by enforcing HTTPS with a self-signed certificate. You proved me wrong ;).

2 Responses to “Self-signed encryption. Do you care?”

  1. Noone says:

    Short correction:
    1. Don’t know that encryption is worthless without authentication
    2. and couldn’t care less

    OK, in this case the encryption really isn’t necessary, so I would accept that cert temporarily, too…

    Consider getting a CACert. Those are a compromise of being cheap and having a bit of authentication…

  2. Patrick says:

    Unfortunately, you totally missed the point of what I said here. When I said the users care enough, I meant they care enough for the content of the site to invest some extra work and get around all the browser warnings instead of turning away immediately. This is all I can read from the statistics I have. I don’t have any idea about how much the visitors trusted the encryption layer. Why do you assume that all users that clicked through the warnings to get to the content of the blog trusted in the encryption layer?

