Why do you see warnings when connecting via https to our sites
Most new users get scared when first trying to connect securely to our websites through https, because their browser shows them very vocal warnings about the security and the identity of the website. There is a reason for this, and yes, it is a deliberate choice, one we'll try to explain to you briefly.
How do https encryption and the chain of trust work
When you connect to a website via https, the site offers your browser its SSL certificate. This certificate is used to encrypt all communications between you and the site, and to verify the identity of the webserver. In order to guarantee the identity of a website, its SSL certificate is signed by a third party, the Certification Authority (CA). The assumption is that both the webmaster and the user trust the Authority to have good intentions; the Authority, in turn, should verify and guarantee the identity of the owner of the website.
Since the user experience should be as seamless as possible, the makers of your web browser decide to trust a certain (very, very large) number of CAs on your behalf. So, if the certificate the website offers you is signed by one of those "trusted" CAs, you will see the green padlock in your browser's address bar, indicating that the connection to the website is encrypted and its identity is verified. If the certificate is otherwise invalid, or if it is not signed by one of those CAs, your browser presents you with a warning. The reason you see such a warning when connecting to our websites is that we consciously chose NOT to use a commercial CA to sign our certificates, and instead to manage our own CA to sign all of them.
Why we chose to create our own CA
As we said before, when you accept that the connection to a site is secure, you are putting your trust in the hands of the CA. We decided it would be illogical to put the trust relationship between our users and us in the hands of profit-oriented corporations, corporations that are also keen to collaborate with governments and intelligence agencies. For example, your government could get a commercial CA to collaborate and hand over a signed certificate for our domains. The government would then be able to set up a proxy between you and us, letting your browser believe that the connection is secure while it deciphers and intercepts all your traffic. As recent news has proved, we made the right decision not to trust corporations to stand up to government wiretapping requests.
This is not just speculation: browser vendors (both free and proprietary) have decided to trust hundreds of CAs on your behalf, as exposed by a study from the Electronic Frontier Foundation. It's common to read news of compromised or rogue CAs. The two most outstanding cases are probably the total compromise of DigiNotar, a Dutch CA, and the compromise of the Italian branch of Comodo. In both cases, attackers signed certificates for large webmail providers in order to use them for man-in-the-middle attacks against anti-government activists in Iran.
By using our own Certification Authority, we just ask you to trust A/I, which is something that, if you're using one of our services, you're probably already doing. Once you connect to our sites and check that the certificate was issued by our CA (more on this later), you can be sure you're actually communicating with us with a good level of encryption. We'd like to underline again that this is not enough to ensure the privacy of your data, and that you play a pivotal role in securing it by using encryption and keeping your computing environment secure.
How to get rid of the annoying warning, and establish trust
To get rid of the warning you simply need to download and install the SSL root certificate of our CA in your browser and your system. It won't harm you at all and won't interfere with your browsing experience on the rest of the internet, but when visiting our sites you'll see the usual green padlock icon in the address bar of your browser, and you won't have to click through an annoying warning.
Unfortunately, at the moment we're not able to offer our users an easy and reliable way to verify the authenticity of the root certificate you download here (if you have not installed it yet, please do it!). So we decided to ask you to follow the "trust on first use" model: just this once, without being able to verify it properly, you have to trust that the server offering you the certificate is really ours, and not some man-in-the-middle proxy run by a government, and that the connection to A/I is not being tampered with by an external party right now. Once you've downloaded and installed the CA certificate, the trust relationship is established and you are guaranteed a secure connection to all our websites when using https. If you want to be sure that no "trusted" third party will eavesdrop on your communications, we suggest you install a browser plugin like Certificate Patrol, which will help you spot any suspicious changes in the certificates. These small steps will guarantee you a level of security that we could not achieve without the small inconvenience of downloading and installing a certificate.