  1. #1
    Join Date
    Jun 2002
    Posts
    186

    anyone with Geotrust Certificate, pls help.

    Geotrust is well known for not validating the identity of the SSL applicant for their SSL certs. But I had a look at one of their certificates, actually the one on their website, and the SSL cert says:


    "This certificate is intended to:
    Ensures the identity of a remote computer"

    Why is there an inconsistency between what they say in their cert and what they do? A user who doesn't know what Geotrust does/doesn't do will believe that the website has been authenticated and trust the website.

    Where does this leave the buyer of their certificate, as the message we will be giving to our customers who visit our site would be the wrong message? Where would this leave us for displaying a certificate on our website with a message that we know is wrong?

    Anyone who has Geotrust certs, can you please check and let the forum know what it says? I am trying to establish whether they have been differentiating between validated SSL certs by switching off this message or not.

    thanks

    hosty

  2. #2
    Join Date
    Jan 2002
    Location
    Kuwait
    Posts
    679
    It ensures that the domain name you see in the URL input box of your browser is the same as the one you are viewing in your browser. This is very important.

    I believe that the wording:

    Code:
    Ensures the identity of a remote computer
    is very accurate and precise.
    Ahmad Alhashemi
    PHP, Apache, C, Python, Perl, SQL
    18 related BrainBench certificates

  3. #3
    Join Date
    Jun 2002
    Posts
    186
    Originally posted by Ahmad
    It ensures that the domain name you see in the URL input box of your browser is the same as the one you are viewing in your browser. This is very important.

    I believe that the wording:

    Code:
    Ensures the identity of a remote computer
    is very accurate and precise.
    Thanks for the reply Ahmad. The question is what is meant by the word "identity". Also, what does this mean to a user? Do users associate identity with a domain name or a company? If it meant the domain name, why don't they simply state "ensures the domain name......" rather than "identity"?

    So far this was not questioned because everyone was validating the company, so whatever identity meant (either the domain name or the company) was verified anyway. But Geotrust do NOT validate the company in their SSL products, yet still use the same wording that has been used by other CAs, which means "both domain name and company identity assured".

    This might have some serious legal implications both for Geotrust and for the customers who are displaying these, as it could be misleading to the end users (I ain't no lawyer, just my view). After all, end users are used to interpreting "Ensures the identity of a remote computer" as validation of both the domain name and the legitimacy of the company who obtained that cert.

    thanks
    hosty

  4. #4
    Join Date
    Jan 2002
    Location
    Kuwait
    Posts
    679
    Code:
    Ensures the identity of a remote computer
    It is obviously talking about the identity of a "remote computer". Not a person, not a host, not a company, just that the computer is the right one for the specified domain.

    It prevents a kind of attack where somebody can hack into the DNS server and change the A records of a popular secure shop or website to point to his own computer rather than the real company's computer. So it DOES ensure the identity of a remote computer.

    What? Your RSA guy didn't know that?
    Ahmad Alhashemi
    PHP, Apache, C, Python, Perl, SQL
    18 related BrainBench certificates
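
The check Ahmad describes in #2 and #4 (the certificate binds a host name, the browser compares that name with the host in the URL, and a hijacked A record that lands you on someone else's machine fails the comparison) written out as an added example. This is not code from the thread or from any CA. The certificate dictionaries are constructed by hand in the layout that Python's `ssl.SSLSocket.getpeercert()` returns, so the check runs offline; every host name in them is an assumption.

```python
"""Hostname matching: what 'ensures the identity of a remote computer' checks.

Added example; not code from the thread. The certificates below are
constructed in the layout of ssl.SSLSocket.getpeercert(), so the check runs
offline. All host names are assumptions.
"""

# Constructed: a plain server certificate naming two hosts.
SHOP_CERT = {
    "subject": ((("commonName", "www.example-shop.test"),),),
    "subjectAltName": (
        ("DNS", "www.example-shop.test"),
        ("DNS", "example-shop.test"),
    ),
}

# Constructed: a wildcard certificate covering one level of subdomain.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example-shop.test"),),),
    "subjectAltName": (("DNS", "*.example-shop.test"),),
}

# Constructed: what an attacker who redirected the shop's A record to his own
# machine could present. A CA will issue this for a domain he controls, but it
# names the wrong host, so the browser will not accept it for the shop.
HIJACK_CERT = {
    "subject": ((("commonName", "attacker.test"),),),
    "subjectAltName": (("DNS", "attacker.test"),),
}


def dns_names(cert):
    """Host names the CA bound to this key: SAN DNS entries, else the CN."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [value for rdn in cert.get("subject", ())
            for (kind, value) in rdn if kind == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125 style comparison of one certificate name against a host.

    Case-insensitive; '*' is honoured only as the entire leftmost label and
    only when at least two labels follow it, so '*.test' covers nothing and
    '*.example-shop.test' covers 'secure.example-shop.test' but not
    'a.b.example-shop.test' or 'example-shop.test'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h  # partial-label wildcards such as 'f*.example' are rejected


def matches_hostname(cert, hostname):
    """True when the host the user typed is one of the names in the cert."""
    return any(name_matches(name, hostname) for name in dns_names(cert))


def verify_connection(requested_host, presented_cert):
    """Browser-side verdict on the name binding only.

    Chain building and signature checks happen separately and are not shown.
    """
    if matches_hostname(presented_cert, requested_host):
        return "ok: certificate names %s" % requested_host
    return "mismatch: certificate names %s, not %s" % (
        ", ".join(dns_names(presented_cert)), requested_host)


if __name__ == "__main__":
    print(verify_connection("www.example-shop.test", SHOP_CERT))
    print(verify_connection("secure.example-shop.test", WILDCARD_CERT))
    # DNS hijack: the user typed the shop's name, but the machine that
    # answered holds a certificate for attacker.test, so no padlock.
    print(verify_connection("www.example-shop.test", HIJACK_CERT))
```

The comparison answers exactly one question: is the server that answered the one entitled to this host name? It says nothing about who registered the name, which is the gap the rest of the thread argues over.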

  5. #5
    Join Date
    Jan 2002
    Location
    Kuwait
    Posts
    679
    Originally posted by hosty
    But Geotrust do NOT validate the company in their SSL products yet still use the same wording that has been used by other CAs that means"both domain name and company identity assured"
    This is obviously the other CA's mistake, as THEY are the ones that used a wrong wording for what they offer.
    Ahmad Alhashemi
    PHP, Apache, C, Python, Perl, SQL
    18 related BrainBench certificates

  6. #6
    Join Date
    Jun 2002
    Posts
    186
    Originally posted by Ahmad


    This is obviously the other CA's mistake, as THEY are the ones that used a wrong wording for what they offer.
    Ahmad

    This would be like you buying a car from a supplier and the supplier, as it happens, does NOT include the engine with the car, and then me saying to you that it's the other car suppliers' fault for making you expect an engine with a car.

    As I stated earlier, until now the word Identity meant both things (validated identity of the merchant and validated domain name) and we did not need to differentiate, but Geotrust, by NOT validating the applicant's identity, is leaving out, let's say, the engine, and if nothing else should ethically differentiate its product by making the wording clearer and not exploit people's understanding of the word Identity.

    If you are saying that the word Identity is what they use to refer to a domain name, then why didn't they just say domain name? Or why doesn't Geotrust change the wording to say "domain name" rather than Identity, to make sure to differentiate their non-validated SSL certificates?

    The Internet is a very confusing medium for an average user as it is. We expect to create an online economy by improving the ease of use and confidence of these average users. We can only do that by trying to make things simpler for them and not even more confusing. Just like the above example, you don't want to start checking each component, the engine, the tyres, the exhaust etc. when buying a car; it would make buying a car a hellish experience. It took the industry 7 years to educate and convince the users to trust the yellow padlock (SSL) because it meant the identity of the merchant was validated when you saw the padlock and your information was secured. Now changing all this perception??? Where will it leave the end user?

    My point is: the wording in SSL certificates meant something for the last 7 years (rightly or wrongly). It meant the merchant identity was validated and the information was secure. Now we have a company who disrespects this user perception in order to make a quick buck! It's great for them, but where does this leave everybody else who rely on these users to spend money online????

    In my opinion Geotrust have changed the meaning of what that yellow padlock means to the user. Hence I suggest they should try to differentiate their non-validated SSL certificate by NOT using the yellow padlock, or at least make some effort in differentiating their certificates by using correct wording in their certs. Because the meaning of the yellow padlock is NOT what Geotrust is selling.

    Hosty
    Last edited by hosty; 09-07-2002 at 06:18 AM.

  7. #7
    Join Date
    Jan 2002
    Location
    Kuwait
    Posts
    679
    I don't think that the car analogy applies here. The word car itself is nothing as concise as a sentence like:
    Code:
    Ensures the identity of a remote computer
    If all the car manufacturers agree on this definition for cars:

    Code:
    An outer metal body on four wheels.
    Then, you can use that sentence for a similar analogy.

    As I said, the certificate DOES ensure the identity of a remote computer.

    If you want to alter the meaning of that concise statement, you better provide an acceptable alternative for certificates that ensure the identity of a remote computer.

    Once you do that, I will have something else to say.
    Ahmad Alhashemi
    PHP, Apache, C, Python, Perl, SQL
    18 related BrainBench certificates

  8. #8
    Join Date
    Jan 2002
    Location
    Kuwait
    Posts
    679
    Originally posted by hosty

    Ahmad

    This would be like you buying a car from a supplier and the supplier, as it happens, does NOT include the engine with the car, and then me saying to you that it's the other car suppliers' fault for making you expect an engine with a car.
    Already answered that in the last post.


    As I stated earlier, until now the word Identity meant both things (validated identity of the merchant and validated domain name) and we did not need to differentiate, but Geotrust, by NOT validating the applicant's identity, is leaving out, let's say, the engine, and if nothing else should ethically differentiate its product by making the wording clearer and not exploit people's understanding of the word Identity.
    If the word "Identity" was in a very loose context like you are saying, your argument would stand. But I see it is very concise:

    Code:
    identity of a remote computer
    It doesn't say the identity of a good standing company, or even of a company. It could have been a personal remote computer, or a computer for any other kind of organization, like a free mail service. If you think your certificates are so special, then you must include more information about what your certificate ensures beyond the validity of a remote computer. Ensuring the validity of a remote computer (be it a personal or a business one) is the least any certificate can provide. So any CA is basically providing that (or more), but not less than that.


    If you are saying that the word Identity is what they refer to a domain name, then why didn't just say domain name? or Why doesn't Geotrust change to wording to say "domain name" rather than Identity? To make sure to differentiate their non-validated SSL certificates?
    You mean they must say:
    Code:
    Ensures the domain name of a remote computer
    This is a very inaccurate statement. The QuickSSL certificate ensures that the remote server is what it claims to be: the server of the domain you typed in the URL box. When I type hotmail.com I don't expect giving away my CC info anywhere, still I will be sure that the server I'm contacting is hotmail.com's server (regardless of what hotmail.com is).

    -- more to come later --
    Ahmad Alhashemi
    PHP, Apache, C, Python, Perl, SQL
    18 related BrainBench certificates

  9. #9
    Join Date
    Nov 2000
    Posts
    78

    Re: anyone with Geotrust Certificate, pls help.

    Originally posted by hosty
    Anyone with geotrust certificate, please help

    hosty
    Since it's hard for you to ask them directly, why don't you contact www.palm.com , they use geotrust and I'm sure they will be more than pleased to help you.

  10. #10
    Join Date
    Jan 2002
    Location
    Kuwait
    Posts
    679
    To make the long story short: just because you looked at some paper that verifies the existence of the business or person specified in the domain name records doesn't mean that it is safe to deal with them. They must be trustworthy, and that you don't verify.

    I trust Amazon.com. I don't care if they were called Amazon.com LLC or Amazon, Inc.

    If there was another domain I don't trust, then it wouldn't matter if they were a real company or not. It could have been a shelf company from any country for that matter, or don't you give certificates to those?

    If I visit any website and see the padlock, and I pay more than $5k for a design project, and then suddenly the company disappears, will any CA pay me the money back?

    Regarding the yellow padlock, it is implemented by browser manufacturers to have a very specific meaning: a secure connection. It doesn't mean that the other end is a trustworthy company. You were not "educating" people when you were telling them that the yellow padlock means that the company you are dealing with is trustworthy.

    This has been long known, and that is why trust companies provide extra kinds of clickable logos that you can have in your website.

    If you don't feel OK about it, then you must contact browser manufacturers and ask them to make a rusty padlock instead of the yellow one, for sites signed by certificates you don't like.
    Ahmad Alhashemi
    PHP, Apache, C, Python, Perl, SQL
    18 related BrainBench certificates

  11. #11
    Join Date
    Jun 2002
    Posts
    186
    Originally posted by Ahmad
    To make the long story short: just because you looked at some paper that verifies the existence of the business or person specified in the domain name records doesn't mean that it is safe to deal with them. They must be trustworthy, and that you don't verify.

    I trust Amazon.com. I don't care if they were called Amazon.com LLC or Amazon, Inc.

    If there was another domain I don't trust, then it wouldn't matter if they were a real company or not. It could have been a shelf company from any country for that matter, or don't you give certificates to those?

    If I visit any website and see the padlock, and I pay more than $5k for a design project, and then suddenly the company disappears, will any CA pay me the money back?

    Regarding the yellow padlock, it is implemented by browser manufacturers to have a very specific meaning: a secure connection. It doesn't mean that the other end is a trustworthy company. You were not "educating" people when you were telling them that the yellow padlock means that the company you are dealing with is trustworthy.

    This has been long known, and that is why trust companies provide extra kinds of clickable logos that you can have in your website.

    If you don't feel OK about it, then you must contact browser manufacturers and ask them to make a rusty padlock instead of the yellow one, for sites signed by certificates you don't like.
    I agree about the trustworthiness of the business; this is a different ball game altogether. My earlier statements all relate to the "existence of an entity" rather than their trustworthiness. This is a very serious issue that is yet to be addressed on the Internet. In the real world you don't get your money back if a shop commits fraud, do you? Why should the Internet be different? Even though I agree we should be armed with better information so that we can make an informed decision before we take the risk.

    About clickable logos: how do you know they are not fake? How do you verify the very thing that is trying to give you verification? The problems on internet and how you can establish trust is huge. This should be a different discussion point for a different thread.

    However, I agree 100% that the SSL protocol was not intended to offer identity assurance for the end entity. BUT the implementation of SSL and how SSL certs have been issued over the years meant that SSL certs had two meanings to the end user: one, their information is secure; two, the company they are dealing with does exist and is legitimate (nothing to do with their trustworthiness). So do you agree that this is what an average user's perception is or not?

    Only the knowledgeable users know SSL as a pure encryption link. Other average users have more expectations. That is why SSL providers (the majority anyway) still validate the company when they apply for an SSL cert. Does this mean that the system is foolproof? Of course not! You will never ever have a foolproof system, but it's all about putting more barriers against fraud. Now, to commit fraud using SSL and to obtain an SSL cert, all you need is a domain name. So average people will (rightly or wrongly) trust the non-validated SSL cert, thinking that the identity of the website they visit has been validated.

    In an environment where it is VERY easy to commit fraud, we need to introduce better technologies and NOT lower the barriers to fraud.

    hosty
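
Hosty's point in #11 (a certificate obtained with nothing but a domain name versus one issued after the CA looked at the company) comes down to what the certificate's subject asserts: a name-only certificate carries just a CN and SAN, while one issued to a checked company also carries an Organization attribute. This is the distinction later formalised as domain-validated versus organization-validated. The following added example, not code from the thread or from any CA, reads that difference out of a certificate. The two certificates are constructed in the layout of `ssl.SSLSocket.getpeercert()`; the issuer names, company name and host names are assumptions.

```python
"""Reading what a certificate's subject actually asserts.

Added example; not code from the thread or from any CA. Certificates are
constructed in the layout of ssl.SSLSocket.getpeercert(); the issuer names,
the company name and the host names are assumptions.
"""

# Constructed: a name-only certificate. Nothing but the host name is asserted,
# which is all the issuer needed to check before issuing it.
NAME_ONLY_CERT = {
    "subject": ((("commonName", "www.example-shop.test"),),),
    "subjectAltName": (("DNS", "www.example-shop.test"),),
    "issuer": ((("organizationName", "Example Quick CA"),),),
}

# Constructed: a certificate whose issuer also names the legal entity.
COMPANY_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("localityName", "Sheffield"),),
        (("organizationName", "Example Shop Ltd"),),
        (("commonName", "www.example-shop.test"),),
    ),
    "subjectAltName": (("DNS", "www.example-shop.test"),),
    "issuer": ((("organizationName", "Example Business CA"),),),
}


def rdn_attrs(rdn_sequence):
    """Flatten an X.509 name (sequence of RDNs) into {attribute: value}."""
    return {kind: value for rdn in rdn_sequence for (kind, value) in rdn}


def subject_attrs(cert):
    return rdn_attrs(cert.get("subject", ()))


def host_names(cert):
    """Host names asserted: SAN DNS entries, falling back to the CN."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = subject_attrs(cert).get("commonName")
    return names or ([cn] if cn else [])


def asserted_organization(cert):
    """The organisation the issuer put in the subject, or None for a name-only cert."""
    return subject_attrs(cert).get("organizationName")


def assurance_kind(cert):
    """'domain' when only a host name is asserted, 'organization' when O= is present."""
    return "organization" if asserted_organization(cert) else "domain"


def describe(cert):
    """One-line summary of what a relying party can take from the certificate."""
    hosts = ", ".join(host_names(cert))
    issuer = rdn_attrs(cert.get("issuer", ())).get("organizationName", "unknown issuer")
    org = asserted_organization(cert)
    if org is None:
        return "%s: issued by %s; asserts the host name only, no organisation is named" % (
            hosts, issuer)
    return "%s: issued by %s to %r (C=%s)" % (
        hosts, issuer, org, subject_attrs(cert).get("countryName", "?"))


if __name__ == "__main__":
    for cert in (NAME_ONLY_CERT, COMPANY_CERT):
        print(assurance_kind(cert), "->", describe(cert))
```

On a live server the same dictionary comes from `ssl.create_default_context().wrap_socket(socket.create_connection((host, 443)), server_hostname=host).getpeercert()`. The caveat cuts both ways: an Organization attribute only shows that the issuer asserted a company, and how carefully it checked is a matter of that CA's practices, which is the very thing under dispute on this page; its absence, on the other hand, tells a relying party that the certificate vouches for nothing beyond the host name.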

  12. #12
    Join Date
    Aug 2000
    Location
    Sheffield, South Yorks
    Posts
    3,627
    I've not read all of this thread, but I know GeoTrust validated our ID for our Wildcard and for our TrueBusiness ID (through OpenSRS), as they required a copy of our certificate of incorporation.

    Thanks,
    Karl Austin :: KDAWS.com
    The Agency Hosting Specialist :: 0800 5429 764
    Partner with us and free-up more time for income generating tasks

  13. #13
    Join Date
    Nov 2000
    Posts
    78
    Originally posted by KDAWebServices
    I've not read all of this thread, but I know GeoTrust validated our ID for our Wildcard and for our TrueBusiness ID (through OpenSRS), as they required a copy of our certificate of incorporation.

    Thanks,
    Karl

    You just saved yourself a lot of grief by not reading the garbage posted by the character hosty, who so far has done nothing more but exhibit signs of low IQ.
    Last edited by Marshall; 09-10-2002 at 08:34 AM.

  14. #14
    Join Date
    Jun 2002
    Posts
    186
    Originally posted by KDAWebServices
    I've not read all of this thread, but I know GeoTrust validated our ID for our Wildcard and for our TrueBusiness ID (through OpenSRS), as they required a copy of our certificate of incorporation.

    Thanks,
    Karl, thanks for your post. However, as stated, the issue of non-validation relates to Geotrust QuickSSL certs only. We are aware that they validate the company if you buy one of their identity offerings. However, if you just buy a QuickSSL cert then they don't validate the company, and this is a big issue and will devalue what that yellow padlock means to an average user.

    thanks

    hosty

  15. #15
    Join Date
    Jun 2002
    Posts
    186
    Originally posted by Marshall

    Karl

    You just saved yourself a lot of grief by not reading the garbage posted by the character hosty, who so far has done nothing more but exhibit signs of low IQ.

    Marshall (Geotrust CEO)

    Do not mislead people. YOU DO NOT VALIDATE THE COMPANY FOR CUSTOMERS WHO ONLY BUY QUICKSSL.
    Do you?

    Geotrust website says you DO NOT.
    You are trying to mislead people in this thread by pointing to your other customers who have purchased Identity Logos (Truebusiness ID).

    Here is a Direct Question:
    DO YOU VALIDATE THE EXISTENCE OR LEGITIMACY OF THE COMPANY WHEN THEY APPLY FOR A QUICKSSL ONLY?

    A simple yes or no will do. Thanks.



    Karl, thanks for your post. But as you will see, the point I am making is that when Geotrust sells QuickSSL on its own they do not validate the company who applied for it. And this makes the yellow padlock mean something other than what it has meant for the last 7 years! This is a very dangerous practice and highly slated by the industry, see the Gartner report. Geotrust does not give a sh*t about what happens to e-commerce as long as they make their quick buck before they go out of business. But we (the hosting companies who rely on e-commerce), on the other hand, will directly suffer from the mess Geotrust has caused. The meaning of the yellow padlock to an average user is two things (rightly or wrongly):

    1)information is secure etc
    2)identity of the website owner has been validated (ie, yes they exist)

    That is what an average user thinks when they see that padlock, and thanks to that yellow padlock we have managed to establish some e-commerce. But the likes of Geotrust coming to market and changing that perception, and not validating the existence of the applicant's company etc., will reduce the barrier to fraud and reduce the confidence that the users have placed in that yellow padlock. This will directly affect us, people who rely on e-commerce!

    Why are we letting Geotrust suck the confidence out of the market, just because they want to make money? Thawte managed to do it without fuc*ing up the market, Comodo is doing the same again without Fuc*ing up the market.

    So, Why should we let Geotrust ruin the perception and confidence of that yellow padlock, just because they want to make a quick buck?

    hosty
    Last edited by hosty; 09-10-2002 at 02:58 PM.

  16. #16
    Join Date
    Nov 2000
    Posts
    78
    Hosty

    You keep bringing up Comodo for some reason, although I already explained to you that they do not provide security due to them being in the UK where the CAs are subject to the RIP act.
    Businesses and individuals looking for security and privacy will never use Comodo if they knew anything about the mentioned legislation.

  17. #17
    Join Date
    Jun 2002
    Posts
    186
    Originally posted by Marshall
    Hosty

    You keep bringing up Comodo for some reason, although I already explained to you that they do not provide security due to them being in the UK where the CAs are subject to the RIP act.
    Businesses and individuals looking for security and privacy will never use Comodo if they knew anything about the mentioned legislation.
    Come on Marshall (Geotrust CEO), answer the question. Don't you guys ever answer any questions? Or is it not in your interest to tell people the FACTS?

    here is the question again:

    DO YOU VALIDATE THE EXISTENCE OR LEGITIMACY OF THE COMPANY WHEN THEY APPLY FOR A QUICKSSL ONLY?

    A simple yes or no will do. Thanks.

    Hosty

  18. #18
    I cannot agree more with hosty.

    Geotrust publish all sorts of inflated figures about the market they are taking away from other CAs etc. (which they are, but not to the extent they publish...) and they are running around the net feeding people propaganda that authentication means nothing, which is bollocks.

    Have a look at the (de facto?) netcraft figures and see how they differ to the ones geotrust publish, and I often wonder what their marketing dept. take us customers for...

    Validation of a company is essential if you want to trust that entity, as dealing with someone whose 'history' you do not know is decidedly dodgy.

    Good on ya hosty, it's a pro choice world but I think ppl need to be able to make informed decisions.
