Nerds On Site

DigiCert and the trouble with SSL Security

\"\"We\’ve been instructing our clients for years now to ensure all web-based access which contains personal or confidential data in any form should be encrypted with SSL which is most easily identified by looking at your URL and ensuring there\’s https (\’s\’ for secure) at the beginning vs http (insecure when it lacks the \’s\’).
\"\"
The basic premise of the de facto security standard in use today is that we trust corporations because they say they are trustworthy. Here\’s how the process basically works (very simplified):

  1. Company ABC publicly launches a Certification Authority business
  2. Company ABC convinces Browser makers (Microsoft, Mozilla, Apple, etc) that they are trustworthy
  3. Company ABC is now \”trusted\” by everyone who uses those browsers – that\’s me and you on the Internet

Along comes a sophisticated hacker (or group of hackers) and compromise the security of ANY one of them, and the entire security model is now broken.
This is what happened to Digicert Sdn. Bhd. (of Malaysia). In this particular instance, there is confusion in the marketplace (even yours truly was initially unaware) because DigiCert Sdn. Bhd. of Malaysia is not affiliated with DigiCert, Inc., according to their own statement:
http://www.digicert.com/news/2011-11-1-breaches-and-similar-names.htm
The good folks at DigiCert, Inc are actually running a Google Adword campaign as you can see here, which links to that image above, and I don\’t blame them – we would do the same.
\"\"
We are intimately aware of the pains that are created when the marketplace is confused over similar names, so we wish DigiCert, Inc. all the success in the future and will make our best efforts to ensure everyone knows the difference.
Here\’s to DigiCert from a happy customer (Nerds On Site).

Leave a Comment

Your email address will not be published.

Scroll to Top