https certification

Having set up the arts & ego vault, showing older versions of the site, I’m slowly updating the vault’s links to reflect the modern web. Most older links point to dead sites, and many of those that are still valid offer no protection against some of the scams of the modern web. I’m redirecting broken links to archive.org copies of the original sites, and updating, where I can, links to sites that are still live to their valid HTTPS equivalents.

image: flowers in the autumn sun

Unfortunately, many of those HTTPS links don’t work when they should. HTTPS requires certificates which can be used by browsers, etc., to verify the site is what it claims to be.

A lot of certificates for contemporary websites are invalid. They’re out of date, they reference a different site (usually the host, I suspect), or they’re just plain wrong. Because I’m only concerned with updating links, I solve my problem by redirecting the damaged links to their archived copies, but, really, site owners should install correct certificates.

But there are reasons why they don’t:

  • A lot of the broken certificates are for poetry sites, for example, run by people who are deeply interested in their subject, but have little knowledge of how the web works.
  • I suspect some site owners do not understand the need for certificates. They have not realised their site should verify that it is what it says it is, to make it more difficult for scammers, conmen, criminals, or governments, to harvest visitors’ information, by, for example, setting up false links, references, and/or copies of their site. This is, oddly, particularly relevant for poetry sites, because of the importance of poetry in repressive societies, with governments or other organisations that like to gather information on those who do not accept abuse.
  • Certification itself should be and often is free, via, for example, letsencrypt.org, a site and certification mechanism set up by the industry to solve these problems. It’s not suitable for sophisticated sites, but it is perfectly valid for ordinary web sites, such as this one, which is why I use letsencrypt.org certificates here.
  • Unfortunately, some ISPs play the con game and charge for https certificates. This was probably fair enough a few years ago, when https certificates were neither necessary nor free, but it is not acceptable now. Certificates are essential for the health and security of the web, so should be part of the basic service for setting up a website. Many ISPs offer just that.
  • Certificates that are not correctly set up by a host have to be set up by a website owner, and that requires technical knowledge which many owners do not have.

So, I think, ultimately, broken certificates are not so much a problem with the site owners as with the service they’re using to host their site. If I were an ordinary site owner using a hosting service that did not provide free & valid certification, I’d move my site elsewhere.
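The link triage described earlier in this post (use the HTTPS link when its certificate verifies, otherwise point at an archived copy), sketched as an added example; it is not the code used for this site. The function names and the `https://web.archive.org/web/<url>` link form are assumptions of the example, and the numeric values are OpenSSL's certificate verification error codes.

```python
import socket
import ssl
from urllib.parse import urlsplit

# OpenSSL X509_V_ERR_* codes, grouped into the failure kinds the post lists.
EXPIRED = {9, 10}             # not yet valid / has expired ("out of date")
WRONG_HOST = {62}             # certificate names a different site
UNTRUSTED = {18, 19, 20, 21}  # self-signed, or issuer chain cannot be built


def classify(verify_code):
    """Map an OpenSSL verify code to a failure kind."""
    if verify_code in EXPIRED:
        return "expired"
    if verify_code in WRONG_HOST:
        return "wrong-host"
    if verify_code in UNTRUSTED:
        return "untrusted"
    return "other"


def probe(host, port=443, timeout=10):
    """Do a fully verified TLS handshake; return 'ok' or the failure kind."""
    ctx = ssl.create_default_context()  # checks chain, dates and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code)
    except OSError:  # DNS failure, refused connection, timeout, other TLS error
        return "unreachable"


def rewrite_link(url, check=probe):
    """Return the HTTPS form of url if its certificate verifies, else an archive link."""
    parts = urlsplit(url)
    if check(parts.hostname) == "ok":
        return parts._replace(scheme="https").geturl()
    # Assumed link form: the Wayback Machine redirects this to a stored capture.
    return "https://web.archive.org/web/" + url


if __name__ == "__main__":
    # Constructed sample link; the stub stands in for a live handshake.
    print(rewrite_link("http://example.org/poem.html", check=lambda host: "expired"))
```

Recording the failure kind alongside each rewritten link shows whether a site's problem is a lapsed renewal or a host serving its own certificate for the customer's domain.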