[_] SSL certificates
Matt Hamilton
matth at netsight.co.uk
Wed Nov 1 15:03:58 GMT 2006
Jon Bennett wrote:
> never purchased any from anywhere else, so not much to go on - assumed
> SSL certs were created equal, is that not the case?

Well, interesting point. One of the main things about SSL certs is that
they certify that the end location is who they claim to be. So in
order to do that, the issuer really needs to contact the applicant and
ascertain that they really are who they are. Thawte (who we use) ask
for copies of Certificate of Incorporation etc. The cheaper places
don't bother checking. The problem is that Joe Average user is not
going to know the difference between el-cheaper-give-to-anyone cert and
one that goes through the trouble of verifying the owner properly.
So it is all a bunch of bollocks really.

The other difference is the certification chain. SSL certs are always
signed by a higher authority, eventually reaching back to an authority
who also signed the certs distributed with the browser. The likes of
Verisign have certs in the browser, so there is no intermediary. Not
sure how much of an issue this is, as in theory you could have 20 links
in the chain and if it all checked out, the user is none the wiser.
So it is all a bunch of bollocks really.

The third difference is the 'step-up' certs. 'Supercerts' as Thawte
call them. They try to push you to these for 128-bit certs, as they
have some gubbins in them that help older browsers 'step-up' to higher
crypto. But as not many people are using the older browsers....
So it is all a bunch of bollocks really.

-Matt
--
Matt Hamilton matth at netsight.co.uk
Netsight Internet Solutions, Ltd. Business Vision on the Internet
http://www.netsight.co.uk +44 (0)117 9090901
Web Design | Zope/Plone Development & Consulting | Co-location | Hosting
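
The difference the message describes between a vetted certificate and a give-to-anyone one shows up in the certificate's subject fields, even though a browser user rarely sees it. The sketch below is an added example, not part of the original message: it reads certificates in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`, and the two sample certificates, the CA names and the function names are constructed for illustration.

```python
# Added example: both sample certificates are constructed, not real.
# The dict layout matches what ssl.SSLSocket.getpeercert() returns.

def flatten_name(name):
    """Turn the nested RDN tuples from getpeercert() into {attribute: [values]}."""
    out = {}
    for rdn in name:
        for attr, value in rdn:
            out.setdefault(attr, []).append(value)
    return out


def vetting_hint(cert):
    """Heuristic: does the subject name an organization, or only a host?

    Assumption: the issuer fills organizationName only after checking
    documents for that organization. The certificate itself cannot prove
    that the check happened; that depends on the issuer's practices.
    """
    subject = flatten_name(cert.get("subject", ()))
    issuer = flatten_name(cert.get("issuer", ()))
    org = subject.get("organizationName", [])
    issuer_name = issuer.get("organizationName") or issuer.get("commonName") or [None]
    return {
        "host": subject.get("commonName", [None])[0],
        "organization": org[0] if org else None,
        "issuer": issuer_name[0],
        "kind": "organization-identified" if org else "domain-only",
    }


# Constructed sample: subject carries a company name and location.
VETTED = {
    "subject": ((("countryName", "GB"),), (("localityName", "Bristol"),),
                (("organizationName", "Example Trading Ltd"),),
                (("commonName", "shop.example.com"),)),
    "issuer": ((("organizationName", "Example Vetting CA"),),),
}

# Constructed sample: subject carries nothing but the host name.
DOMAIN_ONLY = {
    "subject": ((("commonName", "blog.example.org"),),),
    "issuer": ((("commonName", "Example Budget CA"),),),
}

if __name__ == "__main__":
    for cert in (VETTED, DOMAIN_ONLY):
        print(vetting_hint(cert))
```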