Why do browsers show cert warnings for Outlook Web Access 2007 by default?
You may wonder why OWA 2007 show cert warnings by default on most browsers. At the back of your mind, Microsoft has talked so much about trustworthy computing, and they must still do not get security.
Exchange team has gone back and forth on this issue many times. It is related to giving more security or better perception of security. There are a few routes that we have considered.
1. Do not require SSL by default
2. Require SSL by default, and install it with a self-signed cert.
3. Require SSL by default, and require admin actions to install a cert issued by CA
"Do not require SSL by default" gives better perception of security because browsers do not give cert warnings. However, it connects in clear text without any SSL encryption. Therefore, this option gives better perception of security without better security
"Require SSL by default, and install it with a self-signed cert." does not give better perception of security because cert warnings are shown on browsers. On the other hand, self-signed cert allows encryption to occur by default without any admin intervention.
"Require SSL by default, and require admin actions to install a cert issued by CA" seems to have the best of both worlds offered by option 1 and option 2. However, the downside is that admin has to purchase a cert from CA before getting OWA to work properly out of the box. Most probably, admin would turn off encryption via IIS, which result in lack of security as in option 1.
It comes down to a classic struggle between usability and security. On the spectrum of security and usability, option 3 ranks highest on security, option 2 ranks medium on both, and option 1 ranks highest on usability. After long discussions, Exchange team have decided to go with option 2 as a good balance between security and usability.
After you understand the rationale behind the design, that may convince you that indeed Exchange team have placed a lot of emphasis of security on Exchange 2007.