Every year or so, someone reports a supposed security vulnerability in a site that I run, warning me that the certificate has expired. I always respond that I would be happy to update it when I get a free moment, but that it is far from a priority.
August 20, 2009
Every year or so, someone reports a supposed security vulnerability in a site that I run, warning me that the certificate has expired. I always respond that I would be happy to update it when I get a free moment, but that it is far from a priority.Certificates do not certify the site is real -- far from it. Certificates don't indicate trust -- that's a scam that earns certain security vendors quite a lot of money.
Anyone can buy a certificate for their Website by indicating they own the domain, with little verification, and in some past cases, no verification at all. Certificates cannot be completely trusted to verify ownership.
And certificates don't really mean that a site is real, only that it's domain name is real. They're abused all the time: criminals break into servers and host their malicious sites on the sites hosted there, using certificates stolen from these sites owners.
Why then do I even bother with a certificate?
My site's certificate is self-signed. It has no trust when it comes to indicating I am who I say I am, but it does encrypt the traffic to and from it. Communication encryption is the only viable reason to use a Website certificate.
If you run a public Website, buy a cheap certificate, but not for providing trust. It will at least provide encryption to protect against eavesdropping.
Besides, users don't check certificates. They click "okay." So even if the certificate did convey any sense of trust, its use would be limited to experts with time on their hands.
And certificates are also money-makers: vendors sell a false sense of security by providing a small picture to put on your Webpage that certifies you are "Hacking Safe." But that's misleading.
You shouldn't trust Web certificates. Still, there are no alternatives. Perhaps it is time we came up with a real methodology to verify Websites rather than perpetuate this defunct technology.
Follow Gadi Evron on Twitter: http://twitter.com/gadievron
Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.
About the Author(s)
You May Also Like
Guarding the Cloud: Top 5 Cloud Security Hacks and How You Can Avoid Them
April 4, 2024Cybersecurity Strategies for Small and Med Sized Businesses
April 11, 2024Defending Against Today's Threat Landscape with MDR
April 18, 2024Securing Code in the Age of AI
April 24, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024Black Hat Asia - April 16-19 - Learn More
April 16, 2024