It only took me a few minutes of using Internet Explorer 7 yesterday to discover that the biggest problem with it, from my perspective, is actually a “feature”. For websites using a self-signed or shared SSL certificate, IE7 is going to remove users from the webpage in order to present them with a big intimidating warning about the certificate having problems. If they want to proceed to the secure page, they have to click a “not recommended” link next to a scary red ‘X’.
Whereas IE6 presented a simple dialog box with the warning, which was informative but not frightening, the IE7 method is going to turn off an enormous number of visitors. I have a family member with an ecommerce site who can’t afford to purchase a personal certificate every year in order to avoid this problem. Until now, the shared certificate generously provided by the hosting company for free was meeting his needs perfectly.
No longer! Shared certificate users around the world get a swift kick in the teeth, and the pocketbook, from Microsoft’s new browser, which they will be pushing to users of IE6 through Windows Update. There’s no way to avoid it: 80% of his visitors will soon be on IE7 and will be seeing this horrifying warning. Of course, the warning does not mention that self-signed or shared certificates provide just as effective encryption protection.
As the webmaster for his site… and with a firm ‘No’ from him to the idea of purchasing a personal certificate from vendors like Verisign or Thawte (who must be seeing dollar signs because of this issue), I have to come up with some kind of solution. The only solution I can see is to provide a pre-emptive page to IE7 users which will pre-warn them about the warning, and provide instructions for accepting the certificate. Clunky? Yes it is. A turn off to customers? Yup. Too many hoops to jump through? Absolutely. Am I going to recommend Firefox at the bottom of those instructions? You damn well better believe it.
Posting on the Microsoft discussion groups about it prompted a response from a “Microsoft MVP” that I can blame the crooks and phishers for the stringent methods and for the untrustworthiness of self-signed certificates. Nonsense! It is not up to the certificate monopolies to assure customers that a site is who they say they are. It is on the client to be aware of what site they are visiting. If someone comes to my door and claims to be from Visa, and can I please fill in my credit card info on his clipboard... there is no third party in a suit holding my hand telling me that guy isn’t really from Visa. Educating the public is the key, not scaring users away from small vendors who can’t afford better than a shared certificate.
Obviously I’m fuming about this issue and I’m starting to fall into a rant. What really bites me is that my relative with the ecommerce site is going to lose business because of this, and I’m going to have extra work on my hands to make adjustments to his site, and despite my efforts, many visitors will still be turned off by the warning. A warning which in my opinion is way overkill, and won’t stop the real crooks.