Web Hosting Talk

Future of SSL, its perception by users and how this will change?


hosty
09-06-2002, 04:08 AM
Hi

I would like your opinion about the future of SSL (not the protocol itself but the meaning of the Yellow Padlock), as far as what users think when they see this yellow padlock. From our previous discussion we concluded two aspects of what this Yellow Padlock could mean to an end user:

1) Does the padlock mean your information is secure?
2) Does the padlock mean the company you see on that page can be trusted (ie at least they exist) because you see the yellow padlock?

And Frank (ffeingol) was kind enough to volunteer to run an online poll on a website that had internet users (buying goods etc) to ask the above questions (or something similar). We look forward to his results.

So, how will the future of SSL shape up? Will SSL providers remove the validation of a company (2) from their checks? If so, how will this affect the end user perception? This issue of changing user perception directly affects e-commerce and us people who are earning a living from these e-commerce companies (my opinion).

Your thoughts are greatly appreciated.

Thanks

Hosty

frank zorro
09-06-2002, 11:42 AM
1) Does the padlock mean your information is secure?
2) Does the padlock mean the company you see on that page can be trusted (ie at least they exist) because you see the yellow padlock?

So, how will the future of SSL shape up? Will SSL providers remove the validation of a company (2) from their checks? If so, how will this affect the end user perception? This issue of changing user perception directly affects e-commerce and us people who are earning a living from these e-commerce companies (my opinion).

..............

My view is that;
1. the padlock means the info. is secure
2. the company is trusted that you are dealing with ... they have been vetted, such that if they didn't exist as a legal entity they would not be allowed to have an SSL

If we remove the vetting ... then what is the point of SSL other than pure encryption.

BUT the end user doesn't even realise that the browser is readily open to abuse ....

SO..answer this one ... even if you have a padlock ... how can you today tell me that the padlock is authentic? You can't!

Nor if you click on the padlock that the cert details are correct... they could be faked by the fraudster....

choose another name
09-06-2002, 11:51 AM
I think the end-user perception is still that the "padlock" means they're purchasing with security.

But in reality, that's questionable.

1) Yes, the web page with the padlock on it is secured, but what happens to the data after that is a different question. Is the data securely transmitted and stored ?

For all they know, their details could be transmitted via unsecured email, or stored in an unsecured online database.

2) The website could be using Shared SSL, which means the certificate belongs to the hosting provider. This means the merchant has not undergone any authenticity checks (at least as far as the certificate is concerned).

99.9% of the time the merchant using a shared SSL certificate will be a legitimate, above-board merchant that does exist.

... but of course there's always the odd exception.

frank zorro
09-06-2002, 12:14 PM
Originally posted by choose another name
I think the end-user perception is still that the "padlock" means they're purchasing with security.

But in reality, that's questionable.

1) Yes, the web page with the padlock on it is secured, but what happens to the data after that

2) The website could be using Shared SSL,

Your point 2 ..That's a very good point!

I don't think the general public are trained to study the SSL cert... therefore they will never see the difference between the url they are on and the url specified in the SSL cert.

Bottom line, this is all pointing to the fact that the general public rely much more on the padlock than is really acceptable.

Surely, this is leaving a huge opening for fraud .... but, how can a fraudster get an SSL?

Shared SSL puts the web host in an awkward position doesn't it?

choose another name
09-06-2002, 12:31 PM
Originally posted by frank zorro
... Shared SSL puts the web host in an awkward position doesn't it?

Not really, as the web host is only providing a secure environment, they're NOT providing the merchant services.

And secure pages can be used for all sorts of other purposes (various types of customer input, logins & passwords, etc.). They're not solely used for the collection of credit card details.

It's the merchant services provider (Authorize.Net etc.) who processes the charges on behalf of the merchant, and it's therefore their responsibility to ensure the authenticity of the merchant. And you'll find their checks & procedures are a bit more stringent.

frank zorro
09-06-2002, 12:36 PM
you'll find their checks & procedures are a bit more stringent.


..........

interesting ... are you saying that the web host has more stringent procedures than some CA's who actually issue the certs in the first place?

choose another name
09-06-2002, 12:44 PM
No, I'm not making any assertions about the checks required to get a certificate.

But with Shared SSL, the merchant doesn't need their own certificate.

The hosting provider has obtained the certificate themselves; they are the ones who've gone through the checks required to get it.

However it's just a secure environment they're providing.

The merchant still can't start racking up charges on credit card, unless they have their own merchant account.

And the checks & procedures required to obtain a merchant account (from providers like Authorize.net) do have a fair degree of stringency.

frank zorro
09-06-2002, 12:47 PM
but a fraudster doesn't have a merchant account ..

they collect credit card details

so that means shared SSL is providing the fraudster a perfect environment to collect credit card numbers using SSL doesn't it?

choose another name
09-06-2002, 12:58 PM
It's also the customer's responsibility to assess the legitimacy of the merchant.

As the saying goes, "Buyer Beware !"

There are checks that can be performed by the customer, even when purchasing over the internet.

Just like you don't hand cash to someone in the street for something, unless you know they're going to be there tomorrow if you need to return it.

The customer can perform the following checks from the "Contact Us" page:

* Does the merchant advertise a physical street address ?

* Does the post-code match the location of the physical street address ?

* Does the merchant advertise a telephone number ?

* Does the area code of the telephone number, match the location of the physical street address ?


If the customer really wants to check the merchant thoroughly, they can also perform these additional checks :

* Dial the advertised telephone number. Who answers, if anyone ?

* Is the advertised telephone number listed in the White Pages for that country ?

* Check the validity of the advertised "Company Name" in the relevant government register for that country.

I'm not sure where to check for US companies (anyone know ?), but this is where you check for UK & Australian companies :

UK: Companies House (http://www.companieshouse.gov.uk/)

Australia: ASIC (Australian Securities and Investments Commission) (http://www.asic.gov.au/)

choose another name
09-06-2002, 01:08 PM
Originally posted by frank zorro
but a fraudster doesn't have a merchant account ...


They're going to need access to a merchant account at some stage, otherwise there won't be much they'll be doing with the credit card numbers.

And how far do you go ?

If a customer uses their card to pay for a meal in a restaurant (where the waiter typically takes the card to the cashier before returning it to the customer's table), who's to say the cashier won't write down the card details & use them in a fraudulent way ?

The customer still has a responsibility to conduct their own reasonableness checks before handing over their card details.

And if their card details ARE used fraudulently, the customer only needs to check their statement, and inform their credit card provider promptly of the fraudulent charge (ie, initiate a charge-back), whereby that charge shall be swiftly reversed.

In most cases, charge-backs are performed at no cost to the customer, or with very limited liability (if the customer DOES have to pay anything, they'll be required to pay the first $50 only).

The merchant who processed the charge has to bear the responsibility (and the cost) from charge-backs relating to the fraudulent use of cardholder details.

choose another name
09-06-2002, 01:22 PM
Regarding SSL, I'm sure a lot more merchants would obtain their own dedicated certificates if the cost was cheaper.

The vast majority of merchants are reputable, and would have no problem satisfying the eligibility requirements for their own dedicated certificate.

However, the certificate providers (Verisign etc.) use their certificates as a revenue-generating Cash Cow.

So merchants only opt for Shared SSL because it's more affordable.

choose another name
09-06-2002, 01:28 PM
Not to go overboard on the checks the customer can perform on a company before purchasing over the internet, but here's 2 more :

* Check the WHOIS register for the company's domain name. Check this at a domain name registrar (eg, register.com).

Do the contact details on the WHOIS record match the details on the company's Contact Us page on their website ?

* Are they using a free email provider (like Hotmail.com or Yahoo.com), or do they have a paid email provider ?

It's safer to deal with a company using a paid email provider (most do).

choose another name
09-06-2002, 01:45 PM
Originally posted by frank zorro
... so that means shared SSL is providing the fraudster a perfect environment to collect credit card numbers using SSL doesn't it?

You could also assert that the U.S. Postal Service is providing fraudsters a PERFECTLY SECURE environment for the collection of credit card details, when customers order via post or mail order.

After all, many addresses are anonymous PO Boxes, or they may be overseas addresses.

But that doesn't mean we all blame the U.S. Postal Service, if the card details are used fraudulently.

It's up to the customer to always use their common-sense before handing over their card details, whoever the merchant is, and regardless of the transmission medium.

And if fraud does end up occurring, the customer doesn't lose out anyway, as the merchant bears the cost of any fraud-related charge-backs.

hosty
09-06-2002, 04:13 PM
Originally posted by choose another name


You could also assert that the U.S. Postal Service is providing fraudsters a PERFECTLY SECURE environment for the collection of credit card details, when customers order via post or mail order.

After all, many addresses are anonymous PO Boxes, or they may be overseas addresses.

But that doesn't mean we all blame the U.S. Postal Service, if the card details are used fraudulently.

It's up to the customer to always use their common-sense before handing over their card details, whoever the merchant is, and regardless of the transmission medium.

And if fraud does end up occurring, the customer doesn't lose out anyway, as the merchant bears the cost of any fraud-related charge-backs.

Wow! useful thoughts:

On the point of webhosts being vulnerable to fraudsters using our shared ssl: Well, we have the power to stop them immediately where as ssl providers/CAs don't.

on the point of having all these different ways of verifying the website owner: Isn't part of what SSL is supposed to give us that comfort anyway?

"Regarding SSL, I'm sure a lot more merchants woud obtain their own dedicated certificicates if the cost was cheaper. "

but, if we are to lose the validation of identity angle of SSL, what would buying your own dedicated certificate prove? Would it be fair to say that not only does the certificate have to be cheap enough, but this SSL should offer Security and identity assurance? Or if we want SSL to be just security, no identity, what do we do for assuring identity?

Frank Zorro's posting.......
"Bottom line, this is all pointing to the fact that the general public rely much more on the padlock than is really acceptable.

Surely, this is leaving a huge opening for fraud .... but, how can a fraudster get an SSL? "
............................

I agree that the average user relies (rightly or wrongly) a lot on the yellow padlock.

........but, how can a fraudster get an SSL?.....

hmmmmm, a CA ;)

what is the easiest way to get an SSL for a fraudster though? What are the barriers for a fraudster to get an SSL?

A lot to feed our little grey cells here :eek:

hosty

choose another name
09-06-2002, 04:51 PM
Originally posted by hosty
... if we are to lose the validation of identity angle of SSL, what would buying your own dedicated certificate prove? Would it be fair to say that not only does the certificate have to be cheap enough, but this SSL should offer Security and identity assurance? Or if we want SSL to be just security, no identity, what do we do for assuring identity? ...

Yes, I think a certificate provider SHOULD verify the identity of the applicant by requesting appropriate ID, before issuing the certificate.

But that can be done for MUCH LESS COST than they currently charge. They milk these certificates like a Cash Cow.

For instance (I just checked Verisign's site), their 128-bit Secure Site Pro certificate is US$895 for the first year alone !!

Does it really cost THAT MUCH to check a few simple details like someone's Address, Passport No., Social Security Number, Tax ID, business Registration. etc. ??

And they only have to check these details ONCE upon the initial registration. But they charge these exorbitant fees year-after-year !!

So my assertion is that if these certificates were realistically priced (ie, significantly cheaper), then more merchants would purchase their own certificate, instead of relying on Shared SSL.

choose another name
09-06-2002, 05:00 PM
Until dedicated SSL certificates are affordable for all, consumers should keep in mind :

* Shared SSL provides security, but no identity checks.

* Dedicated SSL certificate provides BOTH security AND identity checks.

Consumers can check whether the certificate is Shared or Dedicated by the page's URL, or by double-clicking on the Padlock to get the Certificate Details (its owner, etc.)

And keep these points in mind :

* A merchant using Shared SSL will still be a reputable merchant 99.9% of the time.

* Consumers can (and should) carry out other checks to verify the merchant's identity, such as checking the details on their Contact Us page (refer to my posts above).

* The merchant still needs a merchant account to charge their credit card. Their merchant account provider will verify the merchant's identity before issuing this.

* Credit card fraud is not solely the domain of the internet. It occurs in other mediums as well (face-to-face transactions, telephone, fax, mail order, lost wallets, etc.)

* Consumers are not liable for credit card fraud. The merchant bears the cost of any fraud-related transactions when a charge-back occurs.
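The post above says a consumer can tell a Shared from a Dedicated certificate by looking at the URL and at the certificate's owner. The following added example (written for this page, not code from the original thread or from any CA or browser vendor) automates that look. It takes certificates in the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns, checks whether the name in the certificate actually matches the page's host (the mismatch frank zorro says users never notice), and then reports what the padlock says about the merchant: the certificate names the hosting provider (shared), names the merchant's domain with an organisation field (company validated), or names only the domain (company not validated). The three certificates are constructed samples; the rule "no organisation field means the company was not validated" is an assumption made here, since in 2002 the certificates themselves carried no such marker.

```python
# Constructed sample certificates laid out the way
# ssl.SSLSocket.getpeercert() returns them; none belongs to a real site.
DEDICATED_OV_CERT = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "Example Widgets Ltd"),),
                (("commonName", "www.example-widgets.test"),)),
    "subjectAltName": (("DNS", "www.example-widgets.test"),
                       ("DNS", "example-widgets.test")),
}
DEDICATED_DV_CERT = {
    "subject": ((("commonName", "www.example-widgets.test"),),),
    "subjectAltName": (("DNS", "*.example-widgets.test"),
                       ("DNS", "example-widgets.test")),
}
SHARED_HOST_CERT = {
    "subject": ((("organizationName", "Example Hosting Co"),),
                (("commonName", "secure.example-hosting.test"),)),
    "subjectAltName": (("DNS", "secure.example-hosting.test"),),
}


def subject_field(cert, attr):
    """Return the first value of `attr` (e.g. organizationName) in the subject, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == attr:
                return value
    return None


def _name_matches(pattern, host):
    """Case-insensitive match; a wildcard may only stand for the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if the certificate is valid for `hostname` (SAN first, CN as legacy fallback)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = subject_field(cert, "commonName")
        names = [cn] if cn else []
    return any(_name_matches(n, hostname) for n in names)


def describe_padlock(cert, url_host, merchant_domain):
    """What the padlock on a page at `url_host` says about a merchant at `merchant_domain`."""
    org = subject_field(cert, "organizationName")
    report = {
        "host_matches_url": hostname_matches(cert, url_host),
        "covers_merchant": hostname_matches(cert, merchant_domain),
        "organization": org,
    }
    if not report["host_matches_url"]:
        report["identity"] = "mismatch: certificate is not for this URL"
    elif not report["covers_merchant"]:
        # Shared SSL: the certificate vouches for the host, not the merchant.
        report["identity"] = "shared: certificate names the host, not the merchant"
    elif org:
        report["identity"] = "organisation validated"
    else:
        # Assumption used here: no organisation field -> company was not checked.
        report["identity"] = "domain validated only: company not validated"
    return report


if __name__ == "__main__":
    for label, cert, host, merchant in [
        ("dedicated OV", DEDICATED_OV_CERT, "www.example-widgets.test", "example-widgets.test"),
        ("dedicated DV", DEDICATED_DV_CERT, "shop.example-widgets.test", "example-widgets.test"),
        ("shared SSL", SHARED_HOST_CERT, "secure.example-hosting.test", "example-widgets.test"),
    ]:
        print(label, "->", describe_padlock(cert, host, merchant)["identity"])
```

Note the order of the checks: a certificate that does not match the URL at all tells the consumer nothing, a shared certificate is judged before the organisation field is read (the hosting provider's organisation is real but says nothing about the merchant), and only a certificate covering the merchant's own domain is classified by whether the company was validated.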

hosty
09-07-2002, 05:47 AM
Originally posted by choose another name
Until dedicated SSL certificates are affordable for all, consumers should keep in mind :

* Shared SSL provides security, but no identity checks.

* Dedicated SSL certificate provides BOTH security AND identity checks.

Consumers can check whether the certificate is Shared or Dedicated by the page's URL, or by double-clicking on the Padlock to get the Certificate Details (its owner, etc.)

And keep these points in mind :

* A merchant using Shared SSL will still be a reputable merchant 99.9% of the time.



Interesting thoughts. It would be fair to say that in order to establish trust with the customer we need to offer the below two aspects, and we need to offer them without making the end user go through too many steps (because they won't!).

1)Security
2)Identity Assurance

AND we need to offer the above cost effectively (a price that an average merchant using shared SSL won't mind paying to have his/her identity assured and his/her customers secured, what that price is should be a whole new discussion on a whole new thread!)

And again it would be fair to say that the widely accepted mechanism to achieve the above 2 is by using SSL and making sure that SSL is only issued to identity assured entities. BUT with the recent developments in the SSL market, there are suppliers who will happily issue an SSL to anyone as long as they have a domain name. Where will this leave us? Are we reducing Barriers for a fraudster to fraud on an already very easy to fraud platform (the Internet)?

Thanks
Hosty

jonny b
09-07-2002, 08:53 AM
Until dedicated SSL certificates are affordable for all


i cant really see them getting much more 'affordable' than they already are.... $ 49 or less if you're reselling is very cheap for an SSL cert......

People need to wise up and understand that they're not going to get everything for $ 5 / mo......


Cheers,

hosty
09-07-2002, 06:08 PM
Originally posted by jonny b


i cant really see them getting much more 'affordable' than they already are.... $ 49 or less if you're reselling is very cheap for an SSL cert......

People need to wise up and understand that they're not going to get everything for $ 5 / mo......


Cheers,

Well, I personally think that they should get cheaper than that, but I agree that $49 is acceptable enough for shared ssl users to get their own dedicated cert. But the issue is that the reason why you would get your own dedicated one is because you want to increase confidence with the end user and prove that your identity is assured. How will the practices of NOT validating identity when issuing SSL affect this market? Should they still get the dedicated cert even though it doesn't give them what they want: identity assurance?

hosty

frank zorro
09-10-2002, 11:30 AM
In this thread we have basically concluded that strong validation is essential, since the end users rely heavily on the "padlock"...

FreeSSL (advertised in this thread) does not deliver the validation required.... and since this was a GeoTrust advert ... neither does their QuickSSL product! So this suggestion is ludicrous and misses the point of the whole discussion.

The unfortunate thing IMHO for the end user, is that there are CAs out there that are selling SSL certs that are not validated ... The end user sees a padlock and 99 percent of the time, does not click the padlock.

Is it fair to expect the end user to be trained to trust a Verisign issued cert and NOT a GeoTrust QuickSSL cert.... the certs don't say anything different (as picked up on a different thread recently).... not that they are read anyway!

Another amazing thing picked up on this thread for me ... is all the stuff an end user needs to do, to become comfortable with the web site in question.... surely, no average user will ever do this.... they will more likely run the fraud risk, knowing they will get their money back if there is a problem.

I am intrigued at what we can do to simplify web site authenticity for the end user ...

cause if they know they are on the right site ... they can trust the SSL padlock (as long as all issued SSLs are strongly validated)

We need to rid the market of weakly verified SSL for all our sakes.

How do we do this? What's web trust compliance all about... will this protect the market?

hosty
09-10-2002, 05:44 PM
Originally posted by frank zorro
In this thread we have basically concluded that strong validation is essential, since the end users rely heavily on the "padlock"...

......Is it fair to expect the end user to be trained to trust a Verisign issued cert and NOT a GeoTrust QuickSSL cert.... the certs don't say anything different (as picked up on a different thread recently).... not that they are read anyway!

......cause if they know they are on the right site ... they can trust the SSL padlock (as long as all issued SSLs are strongly validated)

We need to rid the market of weakly verified SSL for all our sakes.

How do we do this? ....

Frank, you have summarised the thread well. We CANNOT and SHOULD NOT allow one of the very few things on the internet that gives consumers confidence, the SSL Padlock, to be a tool for a "get rich quick" company. After all, there are other companies who have got into the market in the past, and there are some newer ones getting into the market place offering very cost effective certificates while offering proper validation at sensible cost (in certain cases cheaper than certificates without validation!).

hosty

Marshall
09-10-2002, 07:44 PM
Originally posted by frank zorro
Is it fair to expect the end user to be trained to trust a Verisign issued cert and NOT a GeoTrust QuickSSL cert.... the certs don't say anything different (as picked up on a different thread recently).... not that they are read anyway!
Unlike Verisign, Geotrust has never embarrassed itself by issuing two certificates to a person posing as a Microsoft employee last year. Next time you download an activex signed by Microsoft and certified by your beloved Verisign, make sure you run the proper checks so as not to cause yourself a major headache.

hosty
09-10-2002, 08:09 PM
Originally posted by Marshall

Unlike Verisign, Geotrust has never embarrassed itself by issuing two certificates to a person posing as a Microsoft employee last year. Next time you download an activex signed by Microsoft and certified by your beloved Verisign, make sure you run the proper checks so as not to cause yourself a major headache.

you don't issue code signing certs do you Marshall (Geotrust CEO)?

You don't even Validate the company when you issue quickssl certs, so how can you be embarrassed if you never validate:confused:

For you to run the risk of issuing to a wrong company, you first NEED TO VALIDATE, just in case if you didn't know ;)

At least with Verisign, there is a warranty and insurance against F*ck ups. With Geotrust, as long as Geotrust gets its money, it doesn't matter if yellow padlock means sh*t all to anyone!

This is very irresponsible, short termist and selfish of Geotrust!


hosty

Marshall
09-10-2002, 08:44 PM
Have you heard of automatic validation?

In the case of quickssl the systems automatically verify that a certificate requester has appropriate administrative right to a web server’s domain, and that is what the customers want. For those looking for stronger validation, Geotrust offers True business ID.
People first and foremost want security, and that is what they get from the likes of Verisign and Geotrust.
Do you agree that there are certain CAs that do not even provide the basics due to their location as stated in a previous thread?

hosty
09-11-2002, 05:29 AM
Originally posted by Marshall
Have you heard of automatic validation?


In the case of quickssl the systems automatically verify that a certificate requester has appropriate administrative right to a web server’s domain, and that is what the customers want. For those looking for stronger validation, Geotrust offers True business ID. (http://www.geotrust.com/true_businessid/order/index.htm)
People first and foremost want security, and that is what they get from the likes of Verisign and Geotrust.
Do you agree that there are certain CAs that do not even provide the basics due to their location as stated in a previous thread?

Deceitful as ever. Automatic Validation, ha? Validating what? Again you are being deceitful, trying to deceive people into thinking that you offer "Validation" without explaining what that so called "automatic validation" does. IT DOES NOT VALIDATE THE COMPANY!!!!!

So you agree you don't validate the company. Now, why don't you differentiate your certificates from likes of Verisign because the meaning of that yellow padlock has now become different because you are effectively "selling a car without the engine"? An end user will put the same amount of trust into geotrust cert (wrongly so) that they are used to putting into a Verisign cert. This is deceitful.

Why don't you differentiate your certs, saying that they DO NOT offer the same level of trust because you have NOT VALIDATED the company? If people want just security (just like you said), why not differentiate your certificates, saying this is just for security and you have not validated the company's existence? Just like a Class 1 personal certificate would say "Persona Not Validated". Why don't you say "Company NOT VALIDATED" in your certificates? This is a practice used by other CAs and it is only Geotrust who wishes to be deceitful and not differentiate.

If you want to sell just security (NOT VALIDATED SSL CERT), do so, we are not arguing about that. Our point is that you MUST differentiate your certificates from other Proper Certificates that offers the Full Meaning of what an SSL padlock means to end user : Security and Validation of Company/Entity!

The practice Geotrust employs when selling SSL certs is simply deceitful and you should correct it by identifying your certs as perhaps "Class 1 Company Not Validated" certs, just like everyone does for Personal certs they issue when they don't validate the person. They put "Class 1 Persona Not Validated" in the certificate because they have only validated the existence of the email address using an email challenge and not the Persona. You employ the same technique for SSL: you check the domain ownership but DO NOT VALIDATE the company. So what you should clearly state is: you offer "Class 1 Company Not Validated" certificates. Geotrust is NOT selling "Class 3 certificates", as Class 3 requires a higher degree of validation.

As I said, this is deceitful and will confuse the end user and lose the trust they have in the yellow padlock!
Why is Geotrust doing it? Because they want to make a quick buck and they don't give a sh*t about what happens to user perception or e-commerce! By the time we feel the damage that Geotrust has caused, they will be well and truly gone with their money in their pocket and we will have to pick up the pieces!

Hosty
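Marshall's "automatic validation" and hosty's reply both turn on what such a check actually proves. The following added example (constructed for this page; it is not GeoTrust's, Verisign's or any CA's code) models the exchange between a CA and a requester: the CA hands out a random token, the requester must publish it on the web server the domain points at, and the CA fetches it back. A party that really administers the domain passes; one that merely claims to be the company fails, and a passing check says nothing about the company name, so the issued record carries no organisation field. The `/.well-known/dv-check/` path, the in-memory `WEB` stand-in for the internet, and the certificate dict are all assumptions made here.

```python
import hmac
import secrets

# Constructed stand-in for the public web: domain -> {path: body}.
# Only a party that really administers a domain can publish under it.
WEB = {"example-widgets.test": {}}


def publish(domain, path, body, controls_domain):
    """Requester side: upload a file to the web server. Fails without real control."""
    if not controls_domain:
        return False
    WEB.setdefault(domain, {})[path] = body
    return True


def fetch(domain, path):
    """CA side: fetch a file from the server the domain points at (None if absent)."""
    return WEB.get(domain, {}).get(path)


class DomainControlValidator:
    """CA side of an automated domain-control check (constructed model, not a real CA's code)."""

    PREFIX = "/.well-known/dv-check/"  # hypothetical path, not a standardised one

    def __init__(self):
        self._pending = {}  # (domain, request_id) -> random token we expect to see

    def challenge(self, domain, request_id):
        """Issue a fresh unguessable token the requester must publish under the domain."""
        token = secrets.token_hex(16)
        self._pending[(domain, request_id)] = token
        return token

    def verify(self, domain, request_id):
        """Fetch the token back over the web; each token is usable exactly once."""
        token = self._pending.pop((domain, request_id), None)
        if token is None:
            return False
        body = fetch(domain, self.PREFIX + request_id)
        return body is not None and hmac.compare_digest(body.strip(), token)


def request_certificate(validator, domain, request_id, claimed_org, controls_domain):
    """Whole exchange: CA challenge -> requester publishes -> CA verifies -> CA issues."""
    token = validator.challenge(domain, request_id)
    publish(domain, DomainControlValidator.PREFIX + request_id, token, controls_domain)
    if not validator.verify(domain, request_id):
        return None
    # Nothing above looked at the company, so the certificate must not present
    # the claimed organisation as a validated fact.
    return {
        "commonName": domain,
        "organizationName": None,
        "validation": "domain control only",
        "claimed_org_not_checked": claimed_org,
    }


def run_exchanges():
    """Run one genuine and one impostor request against the same CA; return both outcomes."""
    ca = DomainControlValidator()
    genuine = request_certificate(ca, "example-widgets.test", "req-1", "Example Widgets Ltd", True)
    impostor = request_certificate(ca, "example-widgets.test", "req-2", "Example Widgets Ltd", False)
    replay = ca.verify("example-widgets.test", "req-1")  # token already consumed
    return {"genuine": genuine, "impostor": impostor, "replay_accepted": replay}


if __name__ == "__main__":
    for name, outcome in run_exchanges().items():
        print(name, "->", outcome)
```

The check is only as good as the two things it relies on: that the token is unguessable and single-use, and that the CA fetches it from the server the domain really resolves to. Neither step touches company registration, a street address or a telephone number, which is exactly why the record above leaves the organisation empty instead of copying the claimed name in.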

chrisb
09-11-2002, 06:38 AM
There does need to be a way to distinguish between CAs that do a thorough and proper validation, and those CAs that do little or none. Most users assume all are validated equally, which is obviously not the case.

However, for me, I don't care about validation. I'll check out the company myself. Just give me a cheap ssl encrypted certificate and a yellow padlock, and I'm happy.

As an aside, I use MSNTV browser to check compatibility. I figure if it works there, it's pretty compatible. Geotrust certificates don't work. Comodo's InstantSSL certificates work on that browser, as well as IE and NS on my computer.

Also, isn't some of that info on freessl.com site untrue. I noticed they say that chaining can cause problems; but if I'm not mistaken Verisign even does that at times, and I've never heard of that causing a problem.

Marshall
09-11-2002, 09:46 AM
Originally posted by chrisb

Also, isn't some of that info on freessl.com site untrue. I noticed they say that chaining can cause problems; but if I'm not mistaken Verisign even does that at times, and I've never heard of that causing a problem.
The problems mentioned are those of security. Since the security of a chain is weaker than the weakest link, the RA+CA model is less secure than either the RA or the CA, no matter how strong the contract is between the two; the key here is understanding that trust is not transitive.
Verisign does not suffer from this problem because they represent both the RA and the CA.

dynamicnet
09-11-2002, 10:15 AM
Greetings:

"1) Does padlock mean your information secure?"

Maybe.

It means the information should be encrypted between the browser and the server, and back again.

It does not offer any guarantees as to how the server processes the information once received.

It does not offer any guarantees the information will be stored or not stored on the server which may be open for hackers.

It does not offer any guarantees that the information will be transmitted to other parties in a secure manner.

"2) Does padlock mean the company you see on that page can be trusted (ie at least they exist) because you see the yellow padlock?"

No.

It means they purchased a digital ID.

Even if they went through Verisign, which claims to have the most extensive checks, it only means the company exists. It offers no proof that the products or services on the web site exist, are trustworthy, etc.

Thank you.

hosty
09-11-2002, 05:50 PM
Originally posted by dynamicnet
Greetings:

"1) Does padlock mean your information secure?"

Maybe.

It means the information should be encrypted between the browser and the server, and back again.

It does not offer any guarantees as to how the server processes the information once received.

It does not offer any guarantees the information will be stored or not stored on the server which may be open for hackers.

It does not offer any guarantees that the information will be transmitted to other parties in a secure manner.

"2) Does padlock mean the company you see on that page can be trusted (ie at least they exist) because you see the yellow padlock?"

No.

It means they purchased a digital ID.

Even if they went through Verisign, which claims to have the most extensive checks, it only means the company exists. It offers no proof that the products or services on the web site exist, are trustworthy, etc.

Thank you.

dynamicnet, thanks for your post.

I agree that SSL is in no way the ultimate solution, neither to security nor to the trust problems we face today. But it's all about barriers to fraud, and we need to be putting up more barriers, not removing them.

As you have identified even SSL is not good enough, but whatever little ssl offers is more than having no ssl. And companies trying to make a quick buck destroying that little barrier we have is unacceptable. especially when there are other companies who are doing the same thing (ie: entering the market) as geotrust but without destroying what ssl is to end user.

hosty

hosty
09-16-2002, 06:36 PM
Frank (ffeingol)

Did you get a chance to run the questionnaire yet?

thanks

Hosty

frank zorro
09-17-2002, 12:48 PM
Originally posted by chrisb

However, for me, I don't care about validation. I'll check out the company myself. Just give me a cheap ssl encrypted certificate and a yellow padlock, and I'm happy.

As an aside, I use MSNTV browser to check compatibility. I figure if it works there, it's pretty compatible. Geotrust certificates don't work. Comodo's InstantSSL certificates work on that browser, as well as IE and NS on my computer.

Also, isn't some of that info on freessl.com site untrue. I noticed they say that chaining can cause problems; but if I'm not mistaken Verisign even does that at times, and I've never heard of that causing a problem.

Chris, since you are an educated user... I can understand why you don't need to trust the padlock ... especially since those of us in the top 1 percent of internet users know that fraudsters can copy the padlock image anyway!!! But the average users ... like 99 percent of the 700 million users out there, are not that savvy ...

It is therefore not correct to assume end users should do as you do ... for e-commerce to be successful, which is what we all want (especially those on this forum) ... end users need a quick, easy way to trust a site ... the SSL padlock is a big part of this

Having read more on this forum, I am very concerned where the SSL industry is heading .... if some CAs out there are set to destroy the value of the limited barriers we can put in place versus fraud .. then these "weakest links" need to be removed!

On a further note ... sorry for being ignorant and slipping out of the top 1 percent category ... but what's MSNTV all about ... is it a significant user base that I should be concerned about?

chrisb
09-17-2002, 05:06 PM
Hi Frank,
I want the padlock and encryption. I just don't care about validation of the company. That's all. MSNTV supposedly has around a million users. Of course that's not much compared to IE and NS.

ljprevo
09-17-2002, 05:31 PM
Ok, so if validation is thrown out the window with certs, then the price should be as well, right?

hosty
09-17-2002, 06:25 PM
Originally posted by ljprevo
Ok, so if validation is thrown out the window with certs, then the price should be as well, right?


well that would be the theory.

But the point is, can we afford to lose what little we have in terms of ability to establish trust and security with the end users? People argue, saying SSL was not invented to offer validation of the entity (website owner), and justify why they don't do validation. I agree SSL was not invented to do that. But this is irrelevant to a degree; the point is how it has been used for the last 7-8 years! It has been used for both security and identity validation and this is what people expect from it. By removing the validation aspect of it, in time people will lose confidence in e-commerce and this will affect us all.

The question is: "Why are some CAs (ssl providers) issuing certs without validation", "Who benefits from this apart from the CA?"

You might say there is a demand for it, but then I would say of course there would be, just like there would be a demand for fake IDs, fake Passports etc!

hosty

frank zorro
09-20-2002, 08:52 AM
Originally posted by hosty

The question is: "Why are some CAs (ssl providers) issuing certs without validation", "Who benefits from this apart from the CA?"

You might say there is a demand for it, but then I would say of course there would be, just like there would be a demand for fake IDs, fake Passports etc!

hosty

Thanks Hosty ..

thats a classic ... fake passports ... of course fraudsters want these ... I like the analogy

So please explain how it is allowed that SSLs can be issued with no validation of the end entity, it is ludicrous

who can we take this to ... ICANN ? what body is there to protect the interests of the internet and e-commerce? Microsoft? Government?

Somebody surely has to do something? Or do we all sit around and let the padlock get destroyed along with the only real comfort factor end users currently enjoy?

I despair:confused:

hosty
09-22-2002, 07:32 PM
Originally posted by frank zorro


Thanks Hosty ..

thats a classic ... fake passports ... of course fraudsters want these ... I like the analogy

So please explain how it is allowed that SSLs can be issued with no validation of the end entity, it is ludicrous

who can we take this to ... ICANN ? what body is there to protect the interests of the internet and e-commerce? Microsoft? Government?

Somebody surely has to do something? Or do we all sit around and let the padlock get destroyed along with the only real comfort factor end users currently enjoy?

I despair:confused:

Neal the Geotrust CEO was kind enough to spam this forum with the advert about freessl. apparently they are going to be offering the same certs as Comodo certs from Baltimore but cheaper. The question is why is Baltimore taking part in ruining SSL Infrastructure? Anyone from Baltimore reading this please respond:confused:

Thanks
Hosty