Open Source and Ecommerce

A few days ago I gave a talk about open source software and what role it currently plays in ecommerce.

Generally speaking, open source software doesn’t play much of a role when it comes to starting a business, but it can be extremely helpful as a base platform. Open source solutions can be anything between a simple shopping cart on your web site that allows you to sell products, up to complete CRM/ERP solutions, like Compiere.

One of the very interesting things that I learned from a member of my audience (namely Karin Kosina, an FSF representative in Europe) is about a project called CACert. The idea behind it, to put it simply, is free signed and trusted SSL certificates for all! You’ve got to love it, don’t you?

You see, many people still don’t know the difference between signed and unsigned certificates, or how they are useful. I don’t really like having to pay fees for a simple “stamp” on a digital signature of mine; worse yet, there are different prices for different “stamps”, depending on how and where you use them, whether for personal use, on one site, or server-wide.

So here’s how SSL certificates work without the technical blabber:

The problem with the Web is that it uses an insecure protocol called HTTP. It’s not encrypted, it can easily be sniffed and recorded, so, as you know, nobody’s willing to send any sensitive information over such a protocol. SSL comes to the rescue. It’s a layer over HTTP that uses a public/private key scheme in order to ensure that all data is transmitted securely. In order to be able to “talk” to another computer using SSL you need a certificate; it’s just like a piece of paper with a bit of information about you. Anybody can generate certificates: you can create a new certificate claiming that you’re Bill Clinton, Steve Jobs, or even Blunkila from Mars! But the problem is, who’s going to believe you?

This is where signed certificates come in. Companies like VeriSign take your certificate and “sign” it using their own certificate in order to back up your claim. Basically, they’re reassuring whoever reads your certificate that you really are who you claim to be, because they checked.

This doesn’t really make SSL connections any more secure than they already are. I mean, if you’re connecting to a site over HTTPS and it’s using an unsigned certificate, this doesn’t mean that the connection is not secure, or that whoever’s sniffing around can make use of the data he/she is getting; all traffic is still encrypted between you and the other party. However, you can never know that this party is who it claims to be, well, unless the certificate is signed.

You’re probably familiar with the scary message that almost all browsers display when you connect to a site over HTTPS and it’s using an unsigned certificate. When the browser detects this kind of certificate it displays a warning telling you “Hey, don’t be so sure these people are who they say they are…”, and you really shouldn’t be. Having your certificate signed by a trusted company (such as VeriSign, GeoTrust, InstantSSL, etc.) is the only way to get rid of this message. You wouldn’t want to scare a potential customer off your site, now would you?

Just so you know, anybody can sign your certificate; even I can sign your certificate using my own, but then again, I’m not a trusted party either, so I can’t really support your claim; well, I can, but who’s going to believe me? The trick is to convince browser vendors to include me in their list of trusted authorities, and that’s what CACert is doing right now, so, hopefully soon, you’ll be able to get a signed and trusted certificate for free… yaaaay.
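To see the difference between “signed by yourself” and “signed by somebody on the trusted list” in practice, here is an added example (my own demo, not part of the original post or the CACert project) that builds a tiny authority with the openssl command line, has it sign a shop certificate, and checks that certificate against a trust store the way a browser does. The “Demo Root CA” name and the shop.example.test hostname are constructed for the demo, and it assumes the openssl CLI is installed.

```shell
# Added example: one shop certificate, first vouched for only by itself, then
# "stamped" by a CA, each checked against a trust store the way a browser would.
# Assumes the openssl CLI is in PATH. Names below are constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SITE="/CN=shop.example.test"   # constructed shop hostname, not a real site
# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
make_ca() {  # "my own certificate" used as an authority: a self-signed CA
  openssl req -x509 -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}
make_leaf_request() {  # the shop's key plus a request carrying its claimed identity
  openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "$SITE" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
}
sign_leaf_with_itself() {  # the "unsigned" certificate: backed only by its own key
  openssl x509 -req -in "$WORK/leaf.csr" -signkey "$WORK/leaf.key" -days 1 \
    -out "$WORK/leaf-self.pem" >/dev/null 2>&1
}
sign_leaf_with_ca() {  # the CA signs the very same request with its own key
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf-ca.pem" >/dev/null 2>&1
}
# Exit 0 when certificate $1 chains to trust store $2 (the browser's trusted list).
verify_against_store() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
build_all() { make_ca; make_leaf_request; sign_leaf_with_itself; sign_leaf_with_ca; }
build_all
for leaf in leaf-self leaf-ca; do
  if verify_against_store "$WORK/$leaf.pem" "$WORK/ca.pem"; then
    echo "$leaf: trusted, it chains to Demo Root CA"
  else
    echo "$leaf: not trusted by this store, this is the scary browser message"
  fi
done
# Putting the self-signed certificate itself into the store is what "being on the
# trusted list" means: the very same file then passes.
if verify_against_store "$WORK/leaf-self.pem" "$WORK/leaf-self.pem"; then
  echo "leaf-self: trusted once it is in the store"
fi
```

The encryption is identical for both leaf certificates; the only thing the trust store decides is whether the claim in the certificate is believed.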

Well, thanks Karin for the tip, it’s been a pleasure meeting you.

If you’d like to take a look at my talk’s slides, you can get them in OpenOffice Impress format and in PDF. I hope you like them.



One Response

  1. Glad to see you like CAcert. As you say, just gotta love them. :)
    It’s been a pleasure meeting you too.

