Forums Help & support Signed certificate for the downloaded file but no SSL for the website? Reply To: Signed certificate for the downloaded file but no SSL for the website?

#3798 Reply

Svante
Keymaster

Hello John,

While I won’t argue that the standard is moving towards SSL-everywhere, please understad that SSL (HTTPS) serves two purposes, but not always at the same time and this is not always apparent to a user.

The first purpose, which is always fulfilled is confidentiality. However, not all things are confidential. We don’t believe that our public web site, http://www.axcrypt.net, has anything confidential.

The other purpose, is authentication of the URL and organization behind it. I.e. that if you type ‘www.axcrypt.net’ you’re really talking to our servers and we represent a real legal entity, and not someone elses. This purpose used to depend on a list of trusted providers of root certificates, such as VeriSign, issuing them after a manual verification process. These cost money. Real money. And we’re still a rather small organization.

Recently, free certificates have been massively available via the Let’s Encrypt inititative. The problem is that these certificates really only fulfill the first purpose – encryption of the link. And, as mentioned, there’s nothing secret going on there.

If you’ll note, the account web site, https://account.axcrypt.net/ – where you sign in, *is* encrypted with a ‘real’ SSL certificate, where our corporate identity has been validated by the issuer. We’ve also ensured that we’re only using up-to-date algorithmns and key lenghts on that server.

So, yes, we’ll arrange for SSL for http://www.axcrypt.net/ as well, but since the *real* benefits are minimial to negligable and there’s a real cost associated with it it’s not been our top priority.

Thanks for the feedback!

Svante