We spent a lot of time designing our product (and paying for thousands of genuine SSL certs) to avoid exactly this problem. My cofounder blogged about it last year at http://www.napera.com/blog/?p=52. An SSL certificate failure in our product is treated as a showstopper bug.

Inspired by this site, I did a little research of my own: http://hype-free.blogspot.com/2009/01/sslfail.html

The results are incredible (incredibly sad): less than 5% of the sites have proper certs. If you would like to get the final list or the script I used, let me know (it can keep this blog updated for years ).

If you find some great sites with non-SSL logins, send us the link.

Ugh. The state of browsers right now has made screenshots of ssl failures so amazing. Every little discrepancy (or less money spent on ‘normal’ certs) results in error pages. It’s pretty ridiculous.

I can’t wait to go to IE7/FF3 in my work environment (I use it, but it’s not installed widely on users). I have about 40 internal-only web servers hosting roughly 300 different sites internally (mostly development copies of public sites). Every one is protected by a non-EV SSL internally-signed cert. Let alone almost all of my network devices…

The band-aid of error alerts and green address bars to increase user awareness doesn’t work, and was a stupid idea in the first place (way to make more money for CAs). It would be just a minorly stupid idea if it weren’t so forced…

Sorry, the state of SSL is a bit of a peeve of mine. I don’t mind if a site like http://www.gmail.com uses the http://www.google.com SSL, but I do mind that browsers have moved away from pop-up warnings that can be turned off to obscure full-page warnings that make it sound like the site is evil and broken.