Anyone can buy a certificate for their Website by indicating they own the domain, with little verification, and in some past cases, no verification at all. Certificates cannot be completely trusted to verify ownership.
And certificates don't really mean that a site is real, only that it's domain name is real. They're abused all the time: criminals break into servers and host their malicious sites on the sites hosted there, using certificates stolen from these sites owners.
Why then do I even bother with a certificate?
My site's certificate is self-signed. It has no trust when it comes to indicating I am who I say I am, but it does encrypt the traffic to and from it. Communication encryption is the only viable reason to use a Website certificate.
If you run a public Website, buy a cheap certificate, but not for providing trust. It will at least provide encryption to protect against eavesdropping.
Besides, users don't check certificates. They click "okay." So even if the certificate did convey any sense of trust, its use would be limited to experts with time on their hands.
And certificates are also money-makers: vendors sell a false sense of security by providing a small picture to put on your Webpage that certifies you are "Hacking Safe." But that's misleading.
You shouldn't trust Web certificates. Still, there are no alternatives. Perhaps it is time we came up with a real methodology to verify Websites rather than perpetuate this defunct technology.
Follow Gadi Evron on Twitter: http://twitter.com/gadievron
Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.