Tim Callan’s SSL Blog: New York Times emphasizes risks of irreputable CAs
A recent New York Times article discusses the concerns held by online civil rights groups that oppressive governments around the world might work with certificate authorities (CAs) through either coercion or willing partnership to compromise the integrity of private and/or corporate online communications.
The article points out that the proliferation of CAs around the world means that the world’s browser and device vendors have given the tremendous responsibility of issuing certificates to a very broad variety of organizations. Given that the conduct of these CAs is not policed to any effective degree, unscrupulous CAs could easily allow governments to decrypt communications, use compromised information for a variety of political purposes and not face any retribution.
Such concerns highlight the need for individuals and organizations to look to longstanding responsible CAs with a proven track record of issuing and managing certificates correctly. This means looking for trust marks such as the signature VeriSign “check” to verify the identity of the CAs validating and securing their most important online transactions and communications.
While we usually talk about “trust” in terms of the ability to trust your search link results, the sites you visit and the transactions you make, this current discussion highlights that a historic track record of corporate integrity and responsible SSL stewardship truly matters as much as advanced technology capabilities such as seal-in-search, web site malware scanning and EV SSL.
Once again, another debate reminds us that “who you trust” matters more than ever.
Although the article describes it in very high-level terms, Mozilla’s Jonathan Nightingale clearly has recommended EV SSL as one avenue of combatting this problem:
Mr. Nightingale said that many e-commerce sites were using a new type of certificate that required extensive verification. If a certificate authority was misusing its power to eavesdrop, he said, a user with technical skills could detect the attack, and the organization’s power to issue certificates would be revoked.
Posted by Tim Callan on August 17, 2010 6:31 PM