Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/20/2009
05:35 AM
Gadi Evron
Gadi Evron
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Why I Refuse to Update My Website Certificate

Every year or so, someone reports a supposed security vulnerability in a site that I run, warning me that the certificate has expired. I always respond that I would be happy to update it when I get a free moment, but that it is far from a priority.

Every year or so, someone reports a supposed security vulnerability in a site that I run, warning me that the certificate has expired. I always respond that I would be happy to update it when I get a free moment, but that it is far from a priority.Certificates do not certify the site is real -- far from it. Certificates don't indicate trust -- that's a scam that earns certain security vendors quite a lot of money.

Anyone can buy a certificate for their Website by indicating they own the domain, with little verification, and in some past cases, no verification at all. Certificates cannot be completely trusted to verify ownership.

And certificates don't really mean that a site is real, only that it's domain name is real. They're abused all the time: criminals break into servers and host their malicious sites on the sites hosted there, using certificates stolen from these sites owners.

Why then do I even bother with a certificate?

My site's certificate is self-signed. It has no trust when it comes to indicating I am who I say I am, but it does encrypt the traffic to and from it. Communication encryption is the only viable reason to use a Website certificate.

If you run a public Website, buy a cheap certificate, but not for providing trust. It will at least provide encryption to protect against eavesdropping.

Besides, users don't check certificates. They click "okay." So even if the certificate did convey any sense of trust, its use would be limited to experts with time on their hands.

And certificates are also money-makers: vendors sell a false sense of security by providing a small picture to put on your Webpage that certifies you are "Hacking Safe." But that's misleading.

You shouldn't trust Web certificates. Still, there are no alternatives. Perhaps it is time we came up with a real methodology to verify Websites rather than perpetuate this defunct technology.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading. Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32094
PUBLISHED: 2021-05-07
U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to upload arbitrary files.
CVE-2021-32095
PUBLISHED: 2021-05-07
U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authenticated user to delete arbitrary files.
CVE-2021-32096
PUBLISHED: 2021-05-07
The ConsoleAction component of U.S. National Security Agency (NSA) Emissary 5.9.0 allows a CSRF attack that results in injecting arbitrary Ruby code (for an eval call) via the CONSOLE_COMMAND_STRING parameter.
CVE-2021-32098
PUBLISHED: 2021-05-07
Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization.
CVE-2021-32099
PUBLISHED: 2021-05-07
A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass.