[bunchesofdonald]

Why do we have to have ssl cert providers? I understand when you're doing ecommerce, it makes sense. But for a website that is just trying to do SSL to get past firesheep, or simply because they are transmitting sensitive information, doesn't it make sense to allow them to just encrypt their traffic?

To answer the actual question, we use godaddy.

[tbrownaw]

> Why do we have to have ssl cert providers?

Because the web has a broken security model.

By default, the only way that a web browser can know that the site gave it the right cert (as opposed to someone intercepting the connection with their own cert), is if it's signed by one of a couple hundred "trusted" providers who are supposed to be careful to not give certs to the wrong people.

Something like [Perspectives](http://www.cs.cmu.edu/~perspectives/) should be much more secure and can be more decentralized, but unfortunately isn't included with any default browser installs. It can't provide the same link to a meatspace identity, but you very rarely care about that (basically just for ecommerce) and it could be used in conjunction with a CA-based system for that anyway.

[cmelbye]

The certificates are unverified by a trusted certificate authority, so anyone can perform a man-in-the-middle attack by providing a different certificate to clients, allowing the bad guy to decrypt the information.

(edit: clarified wording)

[Sephr]

It wouldn't be like that if you're using a self-signed cert.