Disclaimer: everything written here is only a private opinion. None of this text was written as a statement of fact, and do not rely on it in any way, especially not to conclude anything about any company or about any act performed intentionally, knowingly, or at all...
Until a year ago, at my workplace we used SSL certificates purchased from Thawte.
Thawte is the oldest vendor in the market, and maybe even the first (I don't remember).
Thawte is also very expensive. You can get the same service from other providers, and it is equivalent for all purposes: the information travels over a secure connection in exactly the same way.
Why do we even need SSL certificates to establish an encrypted connection with a remote server? Well, the truth is that they are not really necessary. An encrypted connection can be established independently with a self-signed SSL certificate, and used as it is.
The only drawback of working this way is that unless you have connected to such a site in the past, and your computer has imported the certificate it signed for itself, you cannot know that the site you are connecting to is indeed the site you expect to connect to. Maybe someone else intercepted the connection in the middle and is answering you instead of the server you are connecting to. In that case your outbound communication is indeed encrypted, but it is not sent to where you expect it to be sent; it goes somewhere else.
Here comes the idea of a body trusted by both sides that puts its digital signature on the server's encryption key, so that clients can verify with that third party that it signed the certificate; for certain types of service the third party also performs a legal verification of the body whose certificate it signed.
So far so good.
Where does the problem start?
The problem begins with the fact that the signing process is a procedure that can be performed by a computer, without any human involvement. It is identical to a self-signature, except that the signature is made by a third party; technically it is the same operation.
Unfortunately, web browsers ship with a built-in list of third-party certificates that contains only service providers who charge for their signing service (although there are providers who do not charge a fee...). The result is that anyone who visits a site whose certificate is not signed by one of these commercial companies, which charge a lot of money for an operation that takes a few seconds, receives a warning message (justified, in terms of what the browser has been configured to trust...) that the site may not be reliable: even if the certificate matches the website (domain name, etc.), the signing body is not one the system has been set to trust, and the browser leaves it to the user to choose whether to continue or not.
If the list of trusted signers included at least one free service provider, all the other companies could basically go home, because what they are paid for today is that the visitor does not receive a warning when he goes to a secure site.
Let's set aside for the moment the fact that they charge money for this (rightly so); that is not the subject of this post. Everything I have written so far is intended to explain the technical background of why this service is needed at all.
As explained above, as soon as one of three things (the signer, the validity period with its start and end dates, or the domain name) does not meet the conditions defined in the browser, you receive a warning. The warning does not mean that the connection is not secure. It only means that someone may have intercepted the communication. If nobody has intercepted the communication, the communication is secure, even if all the warnings scream 'danger'.
And here comes the problem.
To maximize profits, a digital certificate is signed for a limited time, so that the same "product" can be sold twice. What actually happens when a certificate expires? Nothing, really. The browser shouts: please note, I checked the certificate, the certificate is fine, it was signed by a trusted party, which means that unless someone stole the private encryption key from the server (by hacking it), you are talking to the server you think you are talking to. But note: the owner of this server simply did not pay several hundred dollars, so you get this warning. Again, I stress: the communication is absolutely as secure, at exactly the same level, including verification of the system you are connecting to; there is just a warning popup window.
And now we get to the punchline.
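The three browser checks described above (trusted signer, validity window, and host name), plus the expired-certificate case, written out as an added example. This is not code from the original post or from any browser; it models only the policy decisions that produce the warnings, assumes the cryptographic signature on the certificate has already been verified, and uses constructed sample certificates (`CA_SIGNED`, `SELF_SIGNED`, a fictional "Example Root CA") rather than real ones. The host-name matching follows the usual RFC 6125 rules: SAN entries first, a wildcard only as the whole leftmost label, covering exactly one label.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Set


@dataclass
class CertInfo:
    """The certificate fields the policy checks look at (signature assumed already verified)."""
    subject_cn: str
    san_dns: List[str]
    issuer: str
    not_before: datetime
    not_after: datetime


def _label_matches(pattern: str, label: str) -> bool:
    # A wildcard must be the whole label: "*" matches any single label, "f*o" is not accepted.
    return pattern == "*" or pattern == label


def hostname_matches(hostname: str, cert: CertInfo) -> bool:
    """RFC 6125-style check: SAN dNSName entries take precedence; the subject CN is
    consulted only when the certificate carries no SAN entries (simplification)."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in (cert.san_dns or [cert.subject_cn]):
        pat_labels = name.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels):
            continue  # a wildcard covers exactly one label, never "a.b"
        # Only the leftmost label may be a wildcard, and at least two labels must follow
        # it, so "*.com" can never match every site under a public suffix.
        if "*" in pat_labels[1:] or (pat_labels[0] == "*" and len(pat_labels) < 3):
            continue
        if all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels)):
            return True
    return False


def check_signer(cert: CertInfo, trusted_roots: Set[str], pinned: Set[str]) -> List[str]:
    if cert.issuer in trusted_roots:
        return []
    if cert.issuer == cert.subject_cn and cert.subject_cn in pinned:
        return []  # self-signed, but the user imported this certificate earlier
    return [f"signer '{cert.issuer}' is not in the trust store"]


def check_validity(cert: CertInfo, now: datetime) -> List[str]:
    # Either direction can also be a wrong client clock, which is why browsers say "check your clock".
    if now < cert.not_before:
        return ["certificate not yet valid (or the client clock is behind)"]
    if now > cert.not_after:
        return ["certificate has expired (or the client clock is ahead)"]
    return []


def evaluate(cert: CertInfo, hostname: str, now: datetime,
             trusted_roots: Set[str], pinned: Set[str] = frozenset()) -> List[str]:
    """Return the policy warnings a browser would raise; an empty list means no warning.
    These warnings concern the identity claim only, not whether the session is encrypted."""
    warnings = check_signer(cert, trusted_roots, pinned) + check_validity(cert, now)
    if not hostname_matches(hostname, cert):
        warnings.append(f"certificate does not cover host '{hostname}'")
    return warnings


# Constructed sample data (fictional certificates and trust store, not real ones).
UTC = timezone.utc
SAMPLE_ROOTS = {"Example Root CA"}
CA_SIGNED = CertInfo("www.example.com", ["www.example.com", "*.example.net"], "Example Root CA",
                     datetime(2023, 1, 1, tzinfo=UTC), datetime(2024, 1, 1, tzinfo=UTC))
SELF_SIGNED = CertInfo("intranet.local", ["intranet.local"], "intranet.local",
                       datetime(2023, 1, 1, tzinfo=UTC), datetime(2024, 1, 1, tzinfo=UTC))
DURING = datetime(2023, 6, 1, tzinfo=UTC)   # inside the validity window
AFTER = datetime(2025, 6, 1, tzinfo=UTC)    # after expiry

if __name__ == "__main__":
    for cert, host, now, pinned in [
        (CA_SIGNED, "www.example.com", DURING, frozenset()),
        (CA_SIGNED, "api.example.net", DURING, frozenset()),
        (CA_SIGNED, "www.example.com", AFTER, frozenset()),
        (SELF_SIGNED, "intranet.local", DURING, frozenset()),
        (SELF_SIGNED, "intranet.local", DURING, {"intranet.local"}),
    ]:
        print(host, now.date(), evaluate(cert, host, now, SAMPLE_ROOTS, pinned) or "OK")
```

Running the block shows the expired certificate producing exactly one warning, the date one, while the signer and host-name checks still pass; the self-signed certificate is accepted only once it has been pinned, which is the "imported it yourself" case from the text.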
A year ago, we decided at my workplace to switch to another, less expensive SSL provider. After all, as I explained, in terms of security there is no difference.
And in fact we went through with it.
The old supplier (Thawte) sends alerts starting three months before their signature expires, calling on you to renew the signature (at premium prices, as usual). We of course ignored them, because we already had a new certificate signed and active, and customers would not receive a popup window (which, again, does not say the connection is not secure) at the end of the period; so we didn't care.
Finally, on the last day of the renewal period, we received an email that was simply threatening. It was worded:
"ACT NOW! The following Certificate(s) has expired. Your site is no longer secure or validated."
And that is the point of this post. After the explanation above, one can see and understand that this sentence is a complete lie. Even if we had stayed with their certificate, a warning would indeed have popped up, but that warning specifically says that the communication is secure and the signer is trusted; only the date is not valid, and please check your computer's clock...
In conclusion: why threaten a client that his site is not secure just because he did not pay more money, instead of showing him the truth? When you want to sell, I guess anything goes...