Secure (https) connection to DAG web sites
Posted 03/07/2009 - 09:44 by ng
You can now use https://www.ksfiomdepositors.org and https://chat.ksfiomdepositors.org - however you will get a security warning from your browser because we do not have a third-party certificate. The exact message will depend on your browser.
For example, Firefox 3 says:
Secure Connection Failed
www.ksfiomdepositors.org uses an invalid security certificate.
The certificate is not trusted because it is self signed.
The certificate is not valid for any server names.
... you will then need to "add an exception" to allow access to the site. This message is to warn you that our certificate is self-signed (home-made!) as opposed to being from a recognised provider such as Verisign. The encryption works fine with this self-signed certificate, but what you don't get is verification of the site's identity.
I do hope to get a proper SSL certificate, but first DAG has to be established as a legal entity, since the certificate has to identify an entity. There is also a cost involved (approx £500 pa).
So, should I be particularly concerned about the warning issued by my browser?
I think the short answer is no, and here's why...
A standard unencrypted (HTTP) connection does not even attempt to verify the identity of the site, and therefore never issues a warning. The warning is issued with an HTTPS connection because your browser does attempt to verify the site's identity and cannot do so with a self-signed certificate. In that sense the situation is no worse than with a standard connection. However, with an encrypted (HTTPS) connection, any information you type (or read on the site) would be extremely difficult for a third party to intercept.
Once you have told your browser to accept (permanently) our self-signed certificate, the warning should not recur (with the same computer and browser, etc.). If the warning ever does reappear, that could indicate that you are not connected to the right site: the certificate being presented is no longer the one you accepted.
Manually checking site identity
You can (and should) manually confirm that you are at the right site by looking at the site name in your browser's address bar. Suppose you accidentally mistyped our URL into your browser as www.ksfiomdepositrs.org and someone had deliberately created a copycat site at www.ksfiomdepositrs.org. Then you might unknowingly provide information to that third party, believing it to be us. If such a third party also had a verified SSL certificate (identity) in place, then even an encrypted (HTTPS) connection would make no difference, since the certificate would correctly identify the site as www.ksfiomdepositrs.org and you would be none the wiser. So, it's a good idea to double-check what's shown in your browser's address bar.
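To make the two points above concrete, here is an added example (not code from the post or the DAG site) that models how a browser decides whether to warn: a self-signed certificate warns until you store an exception for its fingerprint, a changed certificate warns again, and a properly issued certificate for a look-alike name raises no warning at all. The certificates, the "Example Public CA" root store and the DER bytes are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Certificate:
    names: list            # DNS names the certificate claims to identify
    issuer: str            # who signed it ("self" for a home-made certificate)
    der: bytes             # constructed stand-in for the DER-encoded certificate

# Stand-in for the browser's built-in root store (constructed for this example).
TRUSTED_ISSUERS = {"Example Public CA"}

def name_matches(hostname, pattern):
    """DNS name matching as browsers do it: exact match, or a wildcard in the left-most label only."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat) or len(host) < 2:
        return False
    if pat[0] == "*":
        return host[1:] == pat[1:]
    return host == pat

def fingerprint(cert):
    """SHA-256 fingerprint of the certificate; this is what an 'exception' actually stores."""
    return hashlib.sha256(cert.der).hexdigest()

def check_site(hostname, cert, exceptions):
    """Return the warnings a browser would raise (empty list = no warning).
    exceptions maps hostname -> pinned fingerprint, i.e. the 'add an exception' store."""
    problems = []
    if cert.issuer not in TRUSTED_ISSUERS:
        problems.append("certificate is not trusted because it is self signed")
    if not any(name_matches(hostname, n) for n in cert.names):
        problems.append("certificate is not valid for this server name")
    if not problems:
        return []                      # chain and name verified: identity confirmed, no warning
    pinned = exceptions.get(hostname)
    if pinned == fingerprint(cert):
        return []                      # same certificate the user accepted earlier
    if pinned is not None:
        return ["certificate differs from the stored exception: you may not be at the right site"]
    return problems

# Constructed certificates mirroring the situations described in the post.
DAG_CERT = Certificate(names=[], issuer="self", der=b"constructed-dag-self-signed-cert")
LOOKALIKE_CERT = Certificate(names=["www.ksfiomdepositrs.org"], issuer="Example Public CA",
                             der=b"constructed-lookalike-cert")

if __name__ == "__main__":
    store = {}
    print(check_site("www.ksfiomdepositors.org", DAG_CERT, store))      # both warnings
    store["www.ksfiomdepositors.org"] = fingerprint(DAG_CERT)            # user adds an exception
    print(check_site("www.ksfiomdepositors.org", DAG_CERT, store))      # []
    print(check_site("www.ksfiomdepositrs.org", LOOKALIKE_CERT, store)) # [] although it is the wrong site
```

The last call is the point of the section: a valid certificate only proves you are talking to the name in the address bar, so the name itself still has to be checked by eye.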
There are ways that a copycat site can present itself in your browser under our name, but that could only be done if there were already some other security failure or intrusion, e.g. an active trojan on your computer, or successful DNS poisoning; in other words, a more generic and more serious security problem. These topics are far too complex for me to try to explain here.
In summary
The encrypted connection option offers significant advantages and the browser warning can be ignored relatively safely.
