Digital Certificates: Do They Work?
Jeff Atwood, on his Coding Horror website, raises several criticisms of SSL digital certificates. However, his arguments appear to be very weak. He mentions the two primary purposes of a certificate:
- This website is the real deal, not a fake set up by criminals to fool you.
- All data between your browser and that website is sent encrypted. Nobody in the middle can read any sensitive information you submit to that website, such as your credit card number.
All trusted SSL certificates are signed by a Trusted Root Authority whose Root Certificate is included (or added manually) in a web browser's trusted store. He brings up the question: "Who decided VeriSign is a trusted authority?" Quite simply, each of the web browser manufacturers did. Though the requirements vary, it is by no means easy to get root certificates included in a browser's default store. For example, view Microsoft's Root Certificate Program Requirements. Among other things, a certificate authority must pass an independent WebTrust for Certification Authorities audit. If a certificate authority ever violates the trust given to them, their Root certificates could be removed. Without requiring every user to investigate the trustworthiness of each website or authority, the default web of trust system that SSL uses provides a very effective means of identity verification.
Jeff's next point has some validity but also has problems:
The other problem with certificates is that, as an end user, it's nearly impossible to tell a good, valid certificate provided by a reputable certificate authority from a bad one.
On the surface, the answer to this question is simple. The web browser does the work for us. If the website's certificate is signed by an authority that the browser doesn't trust, the browser will tell you so with a big annoying warning message. The same is true if the certificate is for a different website, if it is expired, or if it has been revoked by the certificate authority.
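The checks described above can be reproduced offline with the `openssl` command-line tool. This is an added example, not part of the original post: the throwaway root, the `shop.example.test` names and the function names are constructed for the demo, and revocation checking is left out.

```shell
#!/usr/bin/env bash
# Added example. Every name here is constructed for the demo.

make_pki() {  # $1 = empty working directory
  local d=$1
  # Test root: stands in for a CA in the browser's trusted store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Test Root" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  # Certificate for shop.example.test, valid 30 days, signed by the test root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  printf 'subjectAltName=DNS:shop.example.test\n' > "$d/san.cnf" &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -extfile "$d/san.cnf" \
    -out "$d/leaf.pem" 2>/dev/null &&
  # Self-signed certificate for the same name: no trusted root vouches for it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=shop.example.test" \
    -keyout "$d/selfsigned.key" -out "$d/selfsigned.pem" 2>/dev/null
}

# Succeeds only if CERT chains to the test root, names HOST, and is valid at
# EPOCH. $1 = directory, $2 = cert file, $3 = host, $4 = epoch seconds.
browser_check() {
  openssl verify -CAfile "$1/ca.pem" -verify_hostname "$3" -attime "$4" \
    "$1/$2" >/dev/null 2>&1
}

report() {  # $1 = label, remaining args are passed to browser_check
  local label=$1; shift
  if browser_check "$@"; then echo "$label: accepted"
  else echo "$label: browser warning"; fi
}

demo() {
  local d now
  d=$(mktemp -d) && make_pki "$d" || return 1
  now=$(date +%s)
  report "trusted root, right name, in date" "$d" leaf.pem shop.example.test "$now"
  report "untrusted (self-signed) issuer" "$d" selfsigned.pem shop.example.test "$now"
  report "certificate for a different site" "$d" leaf.pem other.example.test "$now"
  report "expired (clock set 60 days ahead)" "$d" leaf.pem shop.example.test "$((now + 60*86400))"
  rm -rf "$d"
}
demo
```

Only the first case is accepted; each of the other three fails a different one of the checks the browser runs before it shows the page.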
However, there is a flaw with normal SSL certificates that allows anyone to get one for any website in a matter of minutes: domain-validated certificates. The defense? EV SSL certificates. A much more rigorous validation process ensures these certificates aren't issued to the wrong party, and they provide a clear differentiation from normal certificates in the browser (the green address bar, etc.).
While bringing up some interesting points, Jeff's arguments don't hold much weight. SSL Certificates are, for the most part, a very effective means of encrypting a website or software and ensuring the identity of the owner.
Originally posted on Sun Dec 23, 2007