SSL certificates don't guarantee safety

The London Free Press wrote a short article about how much we should really trust "green address bars" and SSL certificates. The yellow lock icon and the "green address bar" can often be powerful influencers in reassuring customers that it is safe to enter their personal information or make a purchase. The article explains why it isn't always as safe as we think:

But experts say the SSL certificates those green lights signify -- digital stamps of approval that Web sites buy to prove they're running a legitimate business and can send and receive encrypted data safely -- don't provide the safety they seem to.

"They instill some sense of security, but that could be a dangerously false sense of security," said Paul Mutton, a researcher with UK-based security firm Netcraft Ltd.

Attacks are still possible because having an SSL certificate only indicates that a third party has verified the identity of the site's owner and set up an encrypted line of communication with the site.

The site itself could still be riddled with security holes for hackers to exploit. And the certificate could simply be bogus: Criminals have been forging them to get the padlock icon and dress up fraudulent sites.

The article mentions that the introduction of EV Certificates, which can turn the address bar green, still shouldn't provide perfect assurance because code flaws could enable other exploits, such as XSS.

Tim Callan was quick to jump in on this topic to point out that when people say that EV Certificates don't protect against XSS attacks, they are misunderstanding what EV SSL Certificates are meant for: primarily authentication.

SSL certificates don't guarantee safety - [London Free Press]

Originally posted on Sun Mar 16, 2008