This site supports complete SSL security for data encryption. However, our
certificate is self-signed. What does this mean? Is it any less secure? Is data
being intercepted by a third party? Why does the browser display bizarre security certificate
warning messages? How can communications be verified?

Some parts of this site, such as the mailing-list pages, require encryption via an https
connection for security reasons. When you click on a link for a secure page on
this site, your browser might display a warning message saying that this site can't be verified
and that your communications might be intercepted. Here's what such a message might look
like:

This happens because I haven't yet been able to justify paying the annual expense
to one of the Certificate Authority monopoly companies that govern the authentication process used by most
browsers. This is NOT a problem, nothing is misconfigured, and it doesn't mean that
communications are any less secure.

In order to browse the secure sections of this site, you'll need to instruct your
browser to accept the certificate either temporarily for your session or permanently. The
choice is yours, but if you only select temporary, then the next time you visit this site, you'll
get the same warning message.

However, you should never blindly accept any certificate, including the one for
this site, as it is indeed possible that a man-in-the-middle attack is being used whereby someone
pretending to be the site you are browsing creates their own certificate so that they can
intercept your secure data. So how do you know if it is authentic? You must examine
the certificate and verify its fingerprint. The certificate for this site should
look like the following:

Verify that the SHA1 and MD5 fingerprints shown for the certificate match the ones
in this image and listed here:
- SHA1 Fingerprint: CF:8A:F7:5D:7D:C9:AB:2B:E2:28:D6:A7:87:4A:D7:79:76:58:A7:96
- MD5 Fingerprint: 0D:C7:73:D0:9A:F5:B3:BE:AC:BD:5D:0D:26:0D:8A:43
If the fingerprints don't match, then don't accept the certificate! And please
send me an email at:
and
notify me of the problem.
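
The fingerprint comparison described above can also be done programmatically. The following is an added example, not code from this site: the function names are assumptions, and SAMPLE_DER is a constructed stand-in byte string rather than the site's real certificate. A fingerprint is simply a digest of the certificate's DER encoding, so the check hashes those bytes and requires every published value to match, whatever case or separators the browser displays.

```python
import hashlib
import hmac
import ssl

# Fingerprints published on this page.
PUBLISHED = {
    "sha1": "CF:8A:F7:5D:7D:C9:AB:2B:E2:28:D6:A7:87:4A:D7:79:76:58:A7:96",
    "md5": "0D:C7:73:D0:9A:F5:B3:BE:AC:BD:5D:0D:26:0D:8A:43",
}

def normalize(fp):
    """Reduce 'CF:8A:...', 'cf 8a ...' or 'cf8a...' to bare lowercase hex."""
    hexstr = "".join(ch for ch in fp if ch not in ": \t").lower()
    bytes.fromhex(hexstr)  # raises ValueError if anything but hex remains
    return hexstr

def fingerprint(der, algo):
    """Colon-separated digest of the DER encoding, as browsers display it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def to_der(cert):
    """Accept PEM text (what ssl.get_server_certificate returns) or DER bytes."""
    return ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert

def matches_published(cert, published):
    """True only if every published fingerprint matches the presented cert."""
    der = to_der(cert)
    results = [
        hmac.compare_digest(normalize(fingerprint(der, algo)), normalize(want))
        for algo, want in published.items()
    ]
    return bool(results) and all(results)

# Constructed stand-in bytes, not a real certificate: the digest is taken over
# the raw DER bytes, so any byte string exercises the same code path.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    own = {a: fingerprint(SAMPLE_DER, a).lower() for a in ("sha1", "md5")}
    print(matches_published(SAMPLE_PEM, own))        # same bytes via PEM
    print(matches_published(SAMPLE_DER, PUBLISHED))  # different certificate
```

For a live check, pass the PEM string returned by ssl.get_server_certificate((host, 443)) for this site's hostname to matches_published together with PUBLISHED.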

For more information regarding Secure Sockets Layer communication, please visit the
OpenSSL Project website.