.htaccess redirect for https and external links

Is it possible to set up a redirect in .htaccess that redirects links from external domains (subdomains would be useful) from https to http? I would like to give users the option of using https with the self signed SSL certificate, but this would mean that people following links they post would get warnings.

17 Replies

It's possible, but the redirect would come after the warning, so it would be pointless.

Is there any redirect that would come before the warning, or are users going to have to go without security because browsers want to act like headless chickens?

No, the SSL layer is what does the certificate check (obviously), and anything else happens only afterwards.

Even with this new-fangled SNI feature that lets you do vhosts on SSL, you don't have an option to issue a redirect.

Have you considered getting a real SSL certificate? They're cheap, and in some cases (StartSSL) can be free.
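Added example, not part of any reply in this thread: a small Go program showing the ordering described above, where a client that verifies certificates fails during the TLS handshake and never reaches the handler that would issue the https-to-http redirect. The `probe` function and the `http://example.test/` target are constructed for illustration, and `httptest`'s built-in untrusted test certificate stands in for the self-signed one.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// probe starts a local HTTPS server whose certificate is not issued by a
// trusted CA (assumption: httptest's test certificate stands in for the
// self-signed one) and whose handler only redirects to plain HTTP.
// It reports how many requests the handler saw from a verifying client
// and from a client that already trusts the certificate.
func probe() (strictHits, trustedHits int32, location string, strictErr error) {
	var hits int32
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt32(&hits, 1)
		http.Redirect(w, r, "http://example.test/", http.StatusMovedPermanently)
	}))
	defer srv.Close()

	// Client 1: default certificate verification, like a browser following a posted link.
	strict := &http.Client{}
	_, strictErr = strict.Get(srv.URL)
	strictHits = atomic.LoadInt32(&hits)

	// Client 2: trusts the server certificate; do not follow the redirect, just read it.
	trusting := srv.Client()
	trusting.CheckRedirect = func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse
	}
	resp, err := trusting.Get(srv.URL)
	if err == nil {
		location = resp.Header.Get("Location")
		resp.Body.Close()
	}
	trustedHits = atomic.LoadInt32(&hits) - strictHits
	return
}

func main() {
	s, t, loc, err := probe()
	fmt.Printf("verifying client: handler hits=%d, err=%v\n", s, err)
	fmt.Printf("trusting client:  handler hits=%d, Location=%s\n", t, loc)
}
```

The verifying client's error is raised by the TLS layer, so no server-side rule, in `.htaccess` or elsewhere, has a request to act on.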

StartSSL? What's the link? Are they good? I saw several links to free SSL providers, and they all seemed like scams. One of them said to put in a home address and specifically said that they would invalidate it if they saw that it was a business address. Now would someone please explain to me a legitimate reason why they would ask that?

StartSSL is the scammy place that requires you to enter your home address, and specifies that it must be this, not a business address. I'd really like to hear a legitimate reason for this. It makes them seem potentially stalkerish.

FWIW, StartSSL is not a scam site. I've been using them for 2 years and have 5 certs from them.

@sweh:

> FWIW, StartSSL is not a scam site. I've been using them for 2 years and have 5 certs from them.

If they are legitimate, then why do they ask for your home address, and not only request it, but insist that you must provide it to them? I've dealt with potential scammers, and strange things like this are what mark them. My organization address isn't good enough for them. Why? There is no reason why they need a home address, and it's unwise to be handing it to them.

They have a FAQ. This is question 1.
> 1.) Why do I have to provide my personal details?
>
> The Terms and Conditions of StartCom and the StartCom Certification Policy requires* subscribers to provide the correct and complete personal details during registration. Without fulfilling this requirement, a subscriber (you) is not entitled for an account with StartSSL™. It is upon the subscriber to prove the validity of the details submitted should StartCom make such a request.
>
>   • Since StartCom must enforce adherence of the StartCom Certification Policies by all subscribers, the subscriber must provide his/her personal information.

To me, that says that you are an individual, and you are the subscriber. Not your company; you.

Feel free to not use them. There's plenty of other places, and if you want an EV cert then you're gonna pay, anyway.

As (weak) evidence of their suitability, I'll point out that their CA cert is pre-loaded into many modern browsers.

That doesn't seem legitimate. It also seems like an excuse. So you need to enter "correct" information. That doesn't seem to require using your home address.

I'd guess the free certificate is for personal use, not for business use.

So you give personal address on it, not business address.

Honestly, never used them - just heard the name dropped around this forum before. Sorry.

No, thanks for posting it. Even in such cases, expecting a personal address is obviously going to be problematic. People can post another address that they use. The fact that the owners request where people live is highly strange.

And they verify it how?

Drive thru town, find a nice house, use that address.

@vonskippy:

> And they verify it how?
>
> Drive thru town, find a nice house, use that address.

You can tell if something is a business or a house, especially with Google Earth. I'm also not going to use a random person's address. Putting your address on the internet causes you to get tons of junk mail, and God knows what someone would get if their address were entered into some dodgy service… The PO box we use for domain registration already gets tons of spam.

@sweh:

> FWIW, StartSSL is not a scam site. I've been using them for 2 years and have 5 certs from them.

I think I'll try it. I'll wait a while before I implement it to see if they actually care that I'm using the Sturmkrieg Administration Committee PO box. That's our address; if they don't like it, it's what they get.

EDIT

They really seem to be a bit odd with demanding personal information. I have to say, neither I nor the server owner is going to be turning over any identification to them if they decide to throw a fit.

I might just ask Sturmwächter to buy one from GoDaddy, provided it gets good reviews for SSL and it can be used on multiple domains.

CACert also offers free SSL but supposedly not all browsers accept their cert as being valid. Perhaps it's something you could test first.

Namecheap is a reseller of PositiveSSL and you can buy one for only $8 a year. If you haven't registered your domain yet you can get one for only $2 a year. I went with Namecheap to register my domain name and chose the Positive SSL cert. This is my first time setting one up and I found it easy and the cert has gotten good reviews. PositiveSSL is also backed by Comodo.

@IceClimber:

> CACert also offers free SSL but supposedly not all browsers accept their cert as being valid. Perhaps it's something you could test first.
>
> Namecheap is a reseller of PositiveSSL and you can buy one for only $8 a year. If you haven't registered your domain yet you can get one for only $2 a year. I went with Namecheap to register my domain name and chose the Positive SSL cert. This is my first time setting one up and I found it easy and the cert has gotten good reviews. PositiveSSL is also backed by Comodo.

Thanks. Their wildcard SSL is $85 per year.

CACert is a neat idea, but hasn't gotten much adoption. The inclusion status page doesn't show any major browser recognizing it as a certificate authority. For the distributions that include CACert, I don't know if browsers running on that distribution will necessarily recognize it or if they bundle their own set of CAs.

Progress on getting included seems to be stalled according to this page, but it might just not be updated to reflect the current status.
