The Register® — Biting the hand that feeds IT

SSL covers security embarrassments with EV figleaf

Paul Murphy

Personal certificates? 

Posted Monday 13th October 2008 14:52 GMT

Would it make any sense to have personal certificates?

It's probably one of those good ideas in principal where the reality falls short.

If banks gave you a certificate that you could then use to confirm who you are then the chance of someone impersonating you would be much less.

However any losses of money from your account would then be more difficult to blame on anyone else, though of course a bank insider could always be to blame.

How much would people be prepared to sell their certificate for? how long would they last? who would pay for them etc. etc.

ttfn

Ken Hagan

Make the banks take on the risk 

Posted Monday 13th October 2008 15:37 GMT

Sigh! Anyone got a list of "clueless certificate issuers" that I can blacklist?

At present, it seems that I give my credentials to <unknown> who *says* they will present them to my bank and say "give me some of his money" and then promptly forget them. To make this system work, I have to trust a near-unlimited number of <unknowns>. Certificates were supposed to eliminate this problem by getting the certificate issuers to vet the unknowns and I just had to vet the issuers, a much smaller population. Looks like that doesn't work anymore.

Perhaps *banks* should start issuing certificates to their business customers and perhaps the issuing bank should then be liable for electronic transactions validated by that cert. Naturally, the bank would pass the liability onto the business customer as part of their T&Cs, but it would give the consumer a realistic target to sue in the event of fraud and wouldn't expose the bank to any risk that they weren't already taking by having such a customer.

Eugene Goodrich

Sounds like planned obsolescence 

Posted Tuesday 14th October 2008 09:03 GMT

Paris Hilton

It was my understanding that when SSL certificates first came out, there was supposed to be identity validation done by the issuers in the first place.

Now that everyone knows SSL is required to send any bank/credit card info, word is coming out that current identity validation isn't what it should be.

The solution is a new "kind" of SSL certificate that you can buy from your certification authority for more money.

After paying top dollar for this new, green-bar EV kind (where presumably your extra thousand dollars or more presumably goes to the difficult task of them verifying you are... somebody), will there come a time when we hear tell that EV wasn't strictly followed by some of the vendors, and they're now roughly worthless, and there's a new color "EEVWRMI"* certificate being released?

(* Extended-Extended Validation We Really Mean It)

I believe this is a problem with certificates being used for two purposes: encryption _and_ identification. And the whole "trust" model requires that you basically trust someone you don't know, who is supposed to be trustworthy, to guarantee that someone else you don't know is somehow trustworthy. It's not surprising this has some holes.

Paris because, well, I don't need to say it, do I? ;)

Anonymous Coward

Sad Joke. 

Posted Thursday 16th October 2008 08:52 GMT

Flame

SSL should have been end-to-end encryption between website and customer, but some CAs used their position as a license to print money. All you need to do to prove sufficient ownership of a domain is to be able to modify web content or DNS records under that domain and the entire process can be automated, and should cost a few pence.

The EV thing is just CAs attempting to extend their money printing license for a few more years now that there is some limited competition.

Adding yet another way of identifying pucker sites serves only to confuse users further which will only make life easier for phishers.

I have yet to see a phishing site which used a valid SSL certificate, though I've seen plenty use tricks which will convince most users that have a secure connection. Frankly spending the time to buy a SSL certificate really doesn't fit into the phishing business model. why pay 100$ for a certificate when you can just throw in a few cheap social engineering tricks which will convince most users. The domain is only going to last 2 days until it's in every spam and phishing block list in existence so why bother, and then the process of buying an SSL certificate is time consuming and would unduly expose the people behind the phishing operation.

Anonymous Coward

Fake sites don't last long 

Posted Friday 17th October 2008 09:01 GMT

and most people use a payment gateway, sure you can keep the user on your domain, but hey why bother, all you want is perhaps the ability to customize the CC page a bit.

So, yeah this is an odd one, unfortunately it affects those who run their own server to server payment gateway and perhaps store CC details, a medium sized ecommerce site may do this, but they are still better off waiting until they are very well known.

It is simple, unless you are large don't store CC and pump the customers to a payment gateway system, where people can verify the owner of the PG system.

EFT is an even better solution, if the banks and customers would wake up a bit to this one. For most payment gateways you have to get a merchant account from the bank which also takes a percentage, so this maybe the reason why they don't make too much of it.

But, if you do a bank to bank transfer in the UK that works out at zero cost, if the banks would add some way to make that transfer simpler and lend credence to the account ecommerce can become even cheaper and more secure.