SSL certs – probably not worth the bits they’re printed on…

This failure at the trusted Certificate Authority (CA) Comodo, where an attacker used a compromised reseller account to obtain certificates for several high-profile domains he did not control:

http://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued-by-comodo-is-it-time-to-rethink-who-we-trust/

highlights something that is becoming more apparent:

SSL certificates probably aren’t worth the bits they’re printed on.

Setting aside the fairly regular stream of incidents at the authorities themselves, companies like GoDaddy issue certificates for all of $12 with near-instantaneous issuance. That speed means there can't be much validation going on beyond a check that you control the domain. Not so long ago, getting a certificate took days and involved real paperwork, phone calls from the issuer, DUNS lookups and so on.

That may still be the case with organizations like Verisign, but browsers trust GoDaddy's root exactly as much as Verisign's, and pretty much nobody looks at who signed a certificate. So one weak authority effectively compromises the whole system: any CA in the trust store can issue a certificate for any domain, and the browser will accept it without complaint.
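The browser may trust every root equally, but a client you write does not have to. The example below is an added illustration, not code from this post: on top of the normal chain validation that Python's ssl module performs, it pins the CA organization expected for a given hostname, so a certificate for that host signed by any other trusted CA (the Comodo scenario above) is rejected. The hostnames, issuer names and sample certificates are constructed for the example; the dict layout is the one `SSLSocket.getpeercert()` returns.

```python
"""Per-host issuer pinning over the dict that ssl.SSLSocket.getpeercert()
returns. Added example; hostnames and issuer names are assumptions."""
import socket
import ssl
import time

# Policy: for each host we care about, the CA organization the certificate
# was actually bought from. Any other issuer, even one in the system trust
# store, is treated as mis-issuance. (Example names only.)
PINNED_ISSUERS = {
    "www.example.com": {"Example Trust Services Ltd"},
}

# Constructed sample certificates in getpeercert() format (not real certs).
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "GB"),),
               (("organizationName", "Example Trust Services Ltd"),),
               (("commonName", "Example Trust Secure CA"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notAfter": "Mar 24 12:00:00 2031 GMT",
}
# Same hostname, valid in every other respect, but signed by a different CA:
# exactly what a browser would accept if that CA is in its trust store.
ROGUE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Some Other CA Inc"),),
               (("commonName", "Some Other CA Root"),)),
    "subjectAltName": (("DNS", "www.example.com"),),
    "notAfter": "Mar 24 12:00:00 2031 GMT",
}


def _rdn_value(name, attr):
    """Pull one attribute (e.g. 'organizationName') out of the
    tuple-of-tuples RDN sequence used by getpeercert()."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def _san_dns_names(cert):
    return {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}


def _dns_match(pattern, hostname):
    """Minimal RFC 6125 style match: exact, or a single leading '*' label
    that covers exactly one label of the hostname."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return (hostname.endswith(suffix)
                and hostname.count(".") == pattern.count("."))
    return False


def check_peercert(cert, hostname, now=None):
    """Return (ok, reason): hostname, expiry, then the pinned issuer."""
    now = time.time() if now is None else now
    names = _san_dns_names(cert)
    if not names:  # legacy certs without SAN: fall back to the CN
        cn = _rdn_value(cert.get("subject", ()), "commonName")
        if cn:
            names = {cn}
    if not any(_dns_match(n, hostname) for n in names):
        return False, "hostname mismatch"
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        return False, "certificate expired"
    issuer_org = _rdn_value(cert.get("issuer", ()), "organizationName")
    pins = PINNED_ISSUERS.get(hostname)
    if pins is not None and issuer_org not in pins:
        return False, "unexpected issuer: %r" % issuer_org
    return True, "ok"


def connect_and_check(hostname, port=443):
    """Live check: ssl's normal chain and hostname validation first, then
    the issuer pin on top. Needs network; the samples above run offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return check_peercert(tls.getpeercert(), hostname)
```

The pin lives in your own code rather than in the trust store, so it survives whatever roots the platform ships; the cost is that you must update it when you change CA, which is the usual trade-off with pinning.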

The answer?

Extended Validation (EV) certificates certainly help, but they are generally overpriced and end users for the most part don't care (most of us will keep using non-EV sites regardless).

No, the answer is probably to stop treating an SSL certificate as a measure of "identity". A valid certificate proves only that whoever holds the private key got some CA to sign it; it says nothing about whether the site is a legitimate company or is actually who it claims to be. You need other techniques for that – a Google search to see whether the site is a known scam, for instance.

It should be otherwise, but essentially the keys have been given away. For non-EV certificates at least, a CA signature has become little more than a fee paid to keep the browser from showing a warning. The browser might as well silently accept self-signed certificates: the certificate's real value is enabling encryption, and that doesn't require a trusted authority. The one caveat is that encryption without any authentication of the other end only defeats passive eavesdropping; an attacker sitting in the path can present his own key and read everything. So some check on who you are talking to still matters, it just needn't be blind trust in every root the browser ships.
