NotGiven wrote:
> I successfully installed openssl on hosted server. The host company says
> that offers no security or encryption unless I buy a certificate from them
> or a third party like verisign.
>
> If I try to open my site using httpS://, a prompt pops up telling me the
> cert is not certified by anyone and do I want to accept it.
This is standard (and "the" standard) behavior. I.e., do _you_ trust
that this is a legit cert?
> I accept it and there is a locked key in the browser.
And the protocol in the browser's url is https -- note the added "s"
(as in secure) -- so long as you're using ssl/https.
> Is the traffic encrypted (thus the tech is wrong)?
The tech is clueless :-) Try sniffing the traffic with ethereal.
> It is interesting in that the hosting company's login has the SAME prompt
> when logging in.
Anyone can generate a certificate with whatever location, etc. info
they please. The purpose of a "trusted" third party is to _verify_
that the certificate "owner" is who they say they are and that they are
relatively trustworthy (i.e., sufficient score on credit report and/or
authorized to request certificate verification on behalf of the
organization).
For your own use (or a relatively small number of people) there is no
reason to obtain some "seal of approval" from a third party. In fact,
you might be surprised how many organizations have not renewed their
expired certs.
hth,
prg