Post #1 | 09-04-2002, 02:33 PM | SSL Troll | Join Date: Jun 2002 | Posts: 186
Anyone with a Geotrust certificate, please help.
Geotrust is well known for not validating the identity of the SSL applicant for their SSL certs, but I had a look at one of their certificates, actually the one on their website, and the SSL cert says:
"This certificate is intended to:
Ensures the identity of a remote computer"
Why is there an inconsistency between what they say in their cert and what they do? A user who doesn't know what Geotrust does or doesn't do will believe that the website has been authenticated, and trust the website.
Where does this leave the buyer of their certificate, as the message we will be giving to our customers who visit our site would be a wrong message? Where would this leave us for displaying a certificate on our website with a message that we know is wrong?
Anyone who has Geotrust certs, can you please check and let the forum know what it says? I am trying to establish whether they have been differentiating validated SSL certs by switching off this message or not.
Thanks
hosty

Post #2 | 09-05-2002, 12:15 AM | Web Hosting Master | Join Date: Jan 2002 | Location: Kuwait | Posts: 679
It ensures that the domain name you see in the URL input box of your browser is the same as the one you are viewing in your browser. This is very important.
I believe that the wording:
Code:
    Ensures the identity of a remote computer

Post #3 | 09-05-2002, 05:01 AM | SSL Troll | Join Date: Jun 2002 | Posts: 186
Originally posted by Ahmad
It ensures that the domain name you see in the URL input box of your browser is the same as the one you are viewing in your browser. This is very important.
I believe that the wording:
Code:
    Ensures the identity of a remote computer
So far this was not questioned, because everyone was validating the company, so whatever "identity" meant (either the domain name or the company) was verified anyway. But Geotrust do NOT validate the company in their SSL products, yet still use the same wording that has been used by other CAs, which means "both domain name and company identity assured".
This might have some serious legal implications for both Geotrust and the customers who are displaying these, as it could be misleading to the end users (I ain't no lawyer, just my view). After all, end users are used to interpreting "Ensures the identity of a remote computer" as validation of both the domain name and the legitimacy of the company who obtained that cert.
thanks
hosty

Post #4 | 09-06-2002, 01:46 PM | Web Hosting Master | Join Date: Jan 2002 | Location: Kuwait | Posts: 679
Code:
    Ensures the identity of a remote computer
It prevents a kind of attack where somebody can hack into the DNS server and change the A records of a popular secure shop or website to point to his own computer rather than the real company's computer. So it DOES ensure the identity of a remote computer.
What? Your RSA guy didn't know that?

Post #5 | 09-06-2002, 01:48 PM | Web Hosting Master | Join Date: Jan 2002 | Location: Kuwait | Posts: 679
Originally posted by hosty
But Geotrust do NOT validate the company in their SSL products yet still use the same wording that has been used by other CAs that means"both domain name and company identity assured"

Post #6 | 09-07-2002, 06:08 AM | SSL Troll | Join Date: Jun 2002 | Posts: 186
Originally posted by Ahmad
This is obviously the other CAs' mistake, as THEY are the ones that used a wrong wording for what they offer.
This would be like you buying a car from a supplier who, as it happens, does NOT include the engine with the car, and then me saying to you that it's the other car suppliers' fault for making you expect an engine with a car.
As I stated earlier, until now the word Identity meant both things (validated identity of the merchant and validated domain name) and we did not need to differentiate, but Geotrust, by NOT validating the applicant's identity, is leaving, let's say, the engine out, and if nothing else should ethically differentiate its product by making the wording clearer and not exploit people's understanding of the word Identity.
If you are saying that the word Identity is what they use to refer to a domain name, then why didn't they just say domain name? Or why doesn't Geotrust change the wording to say "domain name" rather than Identity, to make sure they differentiate their non-validated SSL certificates?
The Internet is a very confusing medium for an average user as it is. We expect to create an online economy by improving ease of use and the confidence of these average users. We can only do that by trying to make things simpler for them and not even more confusing. Just like the above example, you don't want to start checking each component, the engine, the tyres, the exhaust etc. when buying a car; it would make buying a car a hellish experience. It took the industry 7 years to educate and convince the users to trust the yellow padlock (SSL), because it meant the identity of the merchant was validated when you saw the padlock and your information was secured. Now changing all this perception??? Where will it leave the end user?
My point is: the wording in SSL certificates meant something for the last 7 years (rightly or wrongly). It meant the merchant identity was validated and the information was secure. Now we have a company who disrespects this user perception in order to make a quick buck! It's great for them, but where does this leave everybody else who relies on these users to spend money online????
In my opinion Geotrust have changed the meaning of what that yellow padlock means to the user. Hence I suggest they should try to differentiate their non-validated SSL certificate by NOT using the yellow padlock, or at least make some effort to differentiate their certificates by using correct wording in their certs. Because the meaning of the yellow padlock is NOT what Geotrust is selling.
Hosty
Last edited by hosty; 09-07-2002 at 06:18 AM.

Post #7 | 09-07-2002, 11:56 AM | Web Hosting Master | Join Date: Jan 2002 | Location: Kuwait | Posts: 679
I don't think that the car analogy applies here. The word "car" itself is nothing as concise as a sentence like:
Code:
    Ensures the identity of a remote computer
Code:
    An outer metal body on four wheels.
As I said, the certificate DOES ensure the identity of a remote computer.
If you want to alter the meaning of that concise statement, you better provide an acceptable alternative for certificates that ensure the identity of a remote computer.
Once you do that, I will have something else to say.

Post #8 | 09-07-2002, 12:41 PM | Web Hosting Master | Join Date: Jan 2002 | Location: Kuwait | Posts: 679
Originally posted by hosty
Ahmad
This would be like you buying a car from a supplier who, as it happens, does NOT include the engine with the car, and then me saying to you that it's the other car suppliers' fault for making you expect an engine with a car.
As I stated earlier, until now the word Identity meant both things (validated identity of the merchant and validated domain name) and we did not need to differentiate, but Geotrust, by NOT validating the applicant's identity, is leaving, let's say, the engine out, and if nothing else should ethically differentiate its product by making the wording clearer and not exploit people's understanding of the word Identity.
Code:
    identity of a remote computer
If you are saying that the word Identity is what they use to refer to a domain name, then why didn't they just say domain name? Or why doesn't Geotrust change the wording to say "domain name" rather than Identity, to make sure they differentiate their non-validated SSL certificates?
Code:
    Ensures the domain name of a remote computer
-- more to come later --

Post #9 | 09-07-2002, 10:37 PM | Junior Guru Wannabe | Join Date: Nov 2000 | Posts: 78
Re: Anyone with a Geotrust certificate, please help.
Originally posted by hosty
Anyone with a Geotrust certificate, please help
hosty

Post #10 | 09-08-2002, 10:15 AM | Web Hosting Master | Join Date: Jan 2002 | Location: Kuwait | Posts: 679
To make the long story short: just because you looked at some paper that verifies the existence of the business or person specified in the domain name records doesn't mean that it is safe to deal with them. They must be trustworthy, and that you don't verify.
I trust Amazon.com. I don't care if they were called Amazon.com LLC or Amazon, Inc.
If there was another domain I don't trust, then it wouldn't matter if they were a real company or not. It could have been a shelf company from any country for that matter, or don't you give certificates to those?
If I visit any website, see the padlock, and pay more than $5k for a design project, and then suddenly the company disappears, will any CA pay me the money back?
Regarding the yellow padlock, it is implemented by browser manufacturers to have a very specific meaning: a secure connection. It doesn't mean that the other end is a trustworthy company. You were not "educating" people when you were telling them that the yellow padlock means that the company you are dealing with is trustworthy.
This has been long known, and that is why trust companies provide extra kinds of clickable logos that you can have on your website.
If you don't feel OK about it, then you must contact browser manufacturers and ask them to make a rusty padlock instead of the yellow one, for sites signed by certificates you don't like.

Post #11 | 09-08-2002, 07:30 PM | SSL Troll | Join Date: Jun 2002 | Posts: 186
Originally posted by Ahmad
To make the long story short: just because you looked at some paper that verifies the existence of the business or person specified in the domain name records doesn't mean that it is safe to deal with them. They must be trustworthy, and that you don't verify.
I trust Amazon.com. I don't care if they were called Amazon.com LLC or Amazon, Inc.
If there was another domain I don't trust, then it wouldn't matter if they were a real company or not. It could have been a shelf company from any country for that matter, or don't you give certificates to those?
If I visit any website, see the padlock, and pay more than $5k for a design project, and then suddenly the company disappears, will any CA pay me the money back?
Regarding the yellow padlock, it is implemented by browser manufacturers to have a very specific meaning: a secure connection. It doesn't mean that the other end is a trustworthy company. You were not "educating" people when you were telling them that the yellow padlock means that the company you are dealing with is trustworthy.
This has been long known, and that is why trust companies provide extra kinds of clickable logos that you can have on your website.
If you don't feel OK about it, then you must contact browser manufacturers and ask them to make a rusty padlock instead of the yellow one, for sites signed by certificates you don't like.
About clickable logos: how do you know they are not fake? How do you verify the very thing that is trying to give you verification? The problem of how you establish trust on the Internet is huge. This should be a different discussion point for a different thread.
However, I agree 100% that the SSL protocol was not intended to offer identity assurance for the end entity. BUT the implementation of SSL and how SSL certs have been issued over the years meant that SSL certs had two meanings to the end user: one, their information is secure; two, the company they are dealing with does exist and is legitimate (nothing to do with their trustworthiness). So do you agree that this is what an average user's perception is or not?
Only the knowledgeable users know SSL as a pure encryption link. Other average users have more expectations. That is why SSL providers (the majority anyway) still validate the company when they apply for an SSL cert. Does this mean that the system is foolproof? Of course not! You will never ever have a foolproof system, but it's all about putting more barriers in the way of fraud. Now, to commit fraud using SSL and to obtain an SSL cert, all you need is a domain name. So average people will (rightly or wrongly) trust the non-validated SSL cert, thinking that the identity of the website they visit has been validated.
In an environment where it is VERY easy to commit fraud, we need to introduce better technologies and NOT lower the barriers to fraud.
hosty
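The two technical claims in this thread, Ahmad's in post #4 (the certificate check defeats a DNS redirect because the name in the URL must match the name the certificate was issued for) and hosty's in post #11 (a domain-only certificate passes that same check while saying nothing about the company behind it), can both be seen in a few lines of Go. The program below is an added example written for this page, not code from the thread or from any CA; it uses only Go's standard crypto/x509 package. The certificates, host names (shop.example, quick.example, other.example) and the organization "Example Shop Ltd" are constructed test data: self-signed certificates stand in for CA-issued ones, and the client's trust store is a CertPool holding the two "issued" certificates. The serverAuth extended key usage set on each certificate is the one the Windows certificate viewer displays as "Ensures the identity of a remote computer".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert builds a self-signed certificate for name. It stands in for a
// CA-issued cert (constructed test data, not a cert from GeoTrust or any real
// CA). An empty org models a domain-validated cert: nothing about a company is asserted.
func issueCert(name, org string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: name}
	if org != "" {
		subject.Organization = []string{org}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      subject,
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// serverAuth: shown by Windows as "Ensures the identity of a remote computer".
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckResult records what a browser-style certificate check establishes.
type CheckResult struct {
	Trusted         bool   // chains to a root in the client's trust store
	HostnameMatches bool   // the name in the URL is one the cert was issued for
	ServerAuth      bool   // extended key usage includes serverAuth
	Organization    string // subject O; empty means no company identity is asserted
}

// checkServerCert runs the checks behind the padlock (trust chain, hostname,
// key usage) and also reads the subject organization, which the padlock never requires.
func checkServerCert(cert *x509.Certificate, roots *x509.CertPool, host string) CheckResult {
	var r CheckResult
	for _, eku := range cert.ExtKeyUsage {
		r.ServerAuth = r.ServerAuth || eku == x509.ExtKeyUsageServerAuth
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	r.Trusted = err == nil
	r.HostnameMatches = cert.VerifyHostname(host) == nil
	if len(cert.Subject.Organization) > 0 {
		r.Organization = cert.Subject.Organization[0]
	}
	return r
}

// Outcome covers the three situations the thread argues about.
type Outcome struct {
	Legit      CheckResult // the real shop's cert, client at shop.example
	Redirected CheckResult // DNS sends shop.example to a host serving some other cert
	DomainOnly CheckResult // domain-validated style cert: padlock checks pass, no organization
}

// RunScenario issues the constructed certificates and evaluates each case.
func RunScenario() (Outcome, error) {
	certs := map[string]*x509.Certificate{}
	for name, org := range map[string]string{"shop.example": "Example Shop Ltd", "quick.example": "", "other.example": ""} {
		c, err := issueCert(name, org)
		if err != nil {
			return Outcome{}, err
		}
		certs[name] = c
	}
	// Client trust store: the two "issued" certs are trusted; the cert served
	// after the DNS redirect is not in it and names a different host anyway.
	roots := x509.NewCertPool()
	roots.AddCert(certs["shop.example"])
	roots.AddCert(certs["quick.example"])
	return Outcome{
		Legit:      checkServerCert(certs["shop.example"], roots, "shop.example"),
		Redirected: checkServerCert(certs["other.example"], roots, "shop.example"),
		DomainOnly: checkServerCert(certs["quick.example"], roots, "quick.example"),
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legit: %+v\nredirected: %+v\ndomain-only: %+v\n", o.Legit, o.Redirected, o.DomainOnly)
}
```

Running it shows the Redirected case failing on both trust and hostname, which is exactly what the "identity of a remote computer" usage guarantees, and the DomainOnly case passing every padlock check with an empty Organization, which is the gap hosty is pointing at: the browser's check is the same for both, so the subject O field (or its absence) is the only place a user can see whether any company was validated.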

Post #12 | 09-09-2002, 04:29 PM | Web Hosting Master | Join Date: Aug 2000 | Location: Sheffield, South Yorks | Posts: 3,627
I've not read all of this thread, but I know GeoTrust validated our ID for our Wildcard and for our TrueBusiness ID (through OpenSRS), as they required a copy of our certificate of incorporation.
Thanks,
Karl Austin :: KDAWS.com
The Agency Hosting Specialist :: 0800 5429 764
Partner with us and free-up more time for income generating tasks

Post #13 | 09-09-2002, 07:42 PM | Junior Guru Wannabe | Join Date: Nov 2000 | Posts: 78
Originally posted by KDAWebServices
I've not read all of this thread, but I know GeoTrust validated our ID for our Wildcard and for our TrueBusiness ID (through OpenSRS), as they required a copy of our certificate of incorporation.
Thanks,
You just saved yourself a lot of grief by not reading the garbage posted by the character hosty, who so far has done nothing more but exhibit signs of low IQ.
Last edited by Marshall; 09-10-2002 at 08:34 AM.

Post #14 | 09-10-2002, 02:43 PM | SSL Troll | Join Date: Jun 2002 | Posts: 186
Originally posted by KDAWebServices
I've not read all of this thread, but I know GeoTrust validated our ID for our Wildcard and for our TrueBusiness ID (through OpenSRS), as they required a copy of our certificate of incorporation.
Thanks,
Thanks
hosty

Post #15 | 09-10-2002, 02:49 PM | SSL Troll | Join Date: Jun 2002 | Posts: 186
Originally posted by Marshall
Karl
You just saved yourself a lot of grief by not reading the garbage posted by the character hosty, who so far has done nothing more but exhibit signs of low IQ.
Marshall (Geotrust CEO)
Do not mislead people. YOU DO NOT VALIDATE THE COMPANY FOR CUSTOMERS WHO ONLY BUY QUICKSSL.
Do you?
Geotrust website says you DO NOT.
You are trying to mislead people in this thread by pointing to your other customers who have purchased Identity Logos (Truebusiness ID).
Here is a Direct Question:
DO YOU VALIDATE THE EXISTENCE OR LEGITIMACY OF THE COMPANY WHEN THEY APPLY FOR A QUICKSSL ONLY?
A simple yes or no will do. Thanks.
Karl, thanks for your post. But as you will see, the point I am making is that when Geotrust sells QuickSSL on its own they do not validate the company who applied for it. And this makes the yellow padlock mean something other than what it meant for the last 7 years! This is a very dangerous practice and highly slated by the industry; see the Gartner report. Geotrust does not give a sh*t about what happens to e-commerce as long as they make their quick buck before they go out of business. But we (the hosting companies who rely on e-commerce), on the other hand, will directly suffer from the mess Geotrust has caused. The meaning of the yellow padlock to an average user is two things (rightly or wrongly):
1) information is secure etc.
2) identity of the website owner has been validated (i.e., yes they exist)
That is what an average user thinks when they see that padlock, and thanks to that yellow padlock we have managed to establish some e-commerce. But the likes of Geotrust coming to market, changing that perception and not validating the existence of the applicant's company etc. will reduce the barrier to fraud and reduce the confidence that users have placed in that yellow padlock. This will directly affect us, people who rely on e-commerce!
Why are we letting Geotrust suck the confidence out of the market, just because they want to make money? Thawte managed to do it without fuc*ing up the market; Comodo is doing the same again without fuc*ing up the market.
So, why should we let Geotrust ruin the perception and confidence of that yellow padlock, just because they want to make a quick buck?
hosty
Last edited by hosty; 09-10-2002 at 02:58 PM.

Post #16 | 09-10-2002, 10:55 PM | Junior Guru Wannabe | Join Date: Nov 2000 | Posts: 78
Hosty
You keep bringing up Comodo for some reason, although I already explained to you that they do not provide security due to them being in the UK, where the CAs are subject to the RIP Act.
Businesses and individuals looking for security and privacy would never use Comodo if they knew anything about the mentioned legislation.

Post #17 | 09-11-2002, 05:01 AM | SSL Troll | Join Date: Jun 2002 | Posts: 186
Originally posted by Marshall
Hosty
You keep bringing up Comodo for some reason, although I already explained to you that they do not provide security due to them being in the UK, where the CAs are subject to the RIP Act.
Businesses and individuals looking for security and privacy would never use Comodo if they knew anything about the mentioned legislation.
Here is the question again:
DO YOU VALIDATE THE EXISTENCE OR LEGITIMACY OF THE COMPANY WHEN THEY APPLY FOR A QUICKSSL ONLY?
A simple yes or no will do. Thanks.
Hosty

Post #18 | 09-12-2002, 02:31 AM | Newbie | Join Date: Feb 2002 | Posts: 23
I cannot agree more with hosty.
Geotrust publish all sorts of inflated figures about the market they are taking away from other CAs etc. (which they are, but not to the extent they publish...) and they are running around the net feeding people propaganda that authentication means nothing, which is bollocks.
Have a look at the (de facto?) Netcraft figures and see how they differ from the ones Geotrust publish; I often wonder what their marketing dept. take us customers for...
Validation of a company is essential if you want to trust that entity, as dealing with someone whose 'history' you do not know is decidedly dodgy.
Good on ya hosty, it's a pro-choice world but I think people need to be able to make informed decisions.