Andrews & Arnold Ltd
BRACKNELL
If you access our accounts, ordering or control pages you may find you get a warning on your browser that you are going to a secure site. You may also get a warning that the browser does not recognise the certificate authority.
A secure web site has a certificate which says who operates the site. But anyone could make up a certificate saying anything, so the certificate is digitally signed by a certificate authority (CA).
There are lots of certificate authorities, and your browser may have hundreds of CA certificates (root certificates) loaded into it automatically. This means your browser can check the signature on the certificate it gets from a secure web site.
We use a certificate authority called CAcert to sign our site certificate. However, this is not in most browsers by default. Hence a warning that the browser does not recognise it.
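The check described above can be reproduced with the openssl command line. This is an added example, not something published by Andrews & Arnold or CAcert; the two root CAs, the site name and all file names are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: every certificate and name below is constructed for the demo.
set -eu

make_root() {   # $1 = output prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

sign_site() {   # $1 = CA prefix, $2 = output prefix, $3 = site common name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 30 -out "$2.pem" 2>/dev/null
}

trusted_by() {  # $1 = site certificate, $2 = root store file; exit 0 if the chain verifies
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

check_site() {  # prints the outcome a client reaches with the given root store
  if trusted_by "$1" "$2"; then echo "trusted"; else echo "unrecognised CA"; fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_root "$work/bundled" "Bundled Root (constructed)"  # stands in for roots shipped with a browser
make_root "$work/extra"   "Extra Root (constructed)"    # stands in for a CA not shipped by default
sign_site "$work/extra" "$work/site" "*.example.test"   # wildcard site certificate signed by it

echo "default store:        $(check_site "$work/site.pem" "$work/bundled.pem")"
cat "$work/bundled.pem" "$work/extra.pem" > "$work/store.pem"  # the user imports the extra root
echo "after importing root: $(check_site "$work/site.pem" "$work/store.pem")"
```

The site certificate is identical in both checks; only the contents of the root store change the result.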
It is really a matter of principle. People trust their browser supplier to include root certificate authorities for them. People do not actually check any of the companies for which they have CA certificates in their browser. We believe there is nothing to suggest CAcert are any better or worse than any other CA. The fact CAcert automate the whole process and only verify that someone controlling the domain has the certificate (by email to the same domain) means there is very little chance for error.
CAcert do not charge, whereas most CAs charge a lot, every year, especially for a wildcard certificate which we use. Obviously we could pay, not a problem, but what are we paying for? All we want is our site to be secure. They often have onerous terms and conditions on the use of the certificate. Yet all they are doing is acting as a notary - signing that we control a web site.
The main thing is that our site is secure. Communications between your computer and our site are encrypted. This includes credit card information or bank details. The risk you take by ignoring warnings or trusting what you may think is an untrustworthy root CA is that someone could be intercepting traffic and pretending to be our site in order to get your details.
You take this risk when dealing with any on-line ordering site. You have not personally checked the CA, or the supplier. How can you trust us? The certificate authority does not vouch for the reputation of the supplier - just that they are who they say they are and can afford the certificate. It is easier for a fraudster to set up a web site which has security certificates that do not give errors, and collect details on bogus ordering pages, than it is to start intercepting access to our web site.
On top of all of this, we normally deal by Direct Debit and not card for most purchases. To get Direct Debit facilities you do have to convince a bank to trust you - which is a lot harder than getting a web security certificate. The fact that we do Direct Debit should say a lot about us as an organisation - much more than which root CA we use. Direct Debit on-line is very safe as you can always claw back the payments. So if someone did intercept our web site traffic and get your details you would not lose out.
So, if you get a warning, what can you do?
OK, if you really don't like it, feel free to call our sales or support departments on the phone instead of using the on-line pages. We operate 9am to 5pm, Monday to Friday. The phone number could be intercepted without your knowing, and there is no encryption to stop it being monitored. However, people have been trusting the telephone network with card and bank details for many years.
If you want to run your own secure web site, see CAcert for details of getting your own certificate. You need a domain name of your own (which we provide with our broadband service) and a secure web server (such as with our virtual hosting). CAcert is free.