Trustworthy SSL Certificates

Sue Marquette Poremba

If you do business on the Web, you likely depended on SSL certificates to keep the transactions safe. You probably have one on your business site for your customers.

 

However, the recent ordeal of the United Arab Emirates telecommunications company Etisalat certificate, with embedded malicious code, serves as a reminder that just because a certificate claims to be secure doesn't mean it is trustworthy.

 

As Sorin Mustaca, manager of international software development at Avira, explained to me:

A Certificate Authority is, by common understanding, an entity having a trust level beyond any doubt. This means that in the case of digital certificates, a CA can generate certificates which are trusted by all parties involved in a communication. Any entity, private or corporate, is allowed to request such a digital certificate, the only proof required is an official identification document. This means that such a certificate can only guarantee that the entity you are communicating with is who she pretends to be. It doesn't guarantee that the owner of the certificate can be trusted.

To help enterprises and their clients better monitor and secure their dealings on the Web, the Electronics Frontier Foundation is launching the SSL Observatory, which is:

a project to investigate the certificates used to secure all of the sites encrypted with HTTPS on the Web. We have downloaded a dataset of all of the publicly-visible SSL certificates, and will be making that data available to the research community in the near future.

As Dirk Knop, technical editor at Avira, told me:

Usually, the companies taking all the efforts to buy a certificate are aware of security and are doing their best to act in a secure manner. The case of Etisalat is unique yet - but it's possible that in other non-democratic states, institutions could abuse the trust, too.
To put it short: https is about being connected to the correct server; you need to trust the server owner, a certificate can't judge if the owner is "nice."


Add Comment      Leave a comment on this blog post

Post a comment

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

 

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.


 
Resource centers

Business Intelligence

Business performance information for strategic and operational decision-making

SOA

SOA uses interoperable services grouped around business processes to ease data integration

Data Warehousing

Data warehousing helps companies make sense of their operational data