[nycphp-talk] The SSL Certificate Scam
Gary A. Mort
garyamort at gmail.com
Mon Nov 25 12:15:29 EST 2013
Warning, this is a lengthy rant/vent on the state of SSL certificates as
used on websites today.
https://plus.google.com/117506461184749864074/posts/PqHMSjsY5hp
The summary is:
I don't feel that purchasing SSL Certificates from "Trusted Third
Parties" as defined by Google, Microsoft, and Mozilla is currently
worthwhile. If you're using them for security, set up your own internal
CA with a couple of roots and issue certs for your own usage. It's more
secure because then YOU are the one who decided to trust the CA.
Moreover, it is more secure because YOU can set much shorter
expiration [why wait a whole year? Expire it in a month and generate a
new one!] so if a cert is stolen it will expire soon - and YOU can
revoke certificates that are being used fraudulently.
The only benefit to purchasing an SSL Certificate is marketing. There
are a few people who will choose not to purchase a product if the SSL
Certificate doesn't "look right". However, considering the large number
of active e-commerce websites taking orders today using expired
certificates - I think the number of sales lost is minimal.
I do see a purpose to trusted third parties - it is just the current
system which is flawed.
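An added example, not from Gary's post or from any project he mentions, of the setup he describes: a private root CA, a 30-day server cert signed by it, a CRL, and a client check that trusts only that root. It uses Go's standard library only; the type and function names (InternalCA, IssueServerCert, VerifyServerCert) and the host name app.internal.example are made up for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// InternalCA is a minimal private root: a self-signed CA certificate, its
// key, the serials it has revoked, and a serial counter. Hypothetical helper.
type InternalCA struct {
	Cert       *x509.Certificate
	Key        *ecdsa.PrivateKey
	Revoked    []pkix.RevokedCertificate
	nextSerial int64
}

// NewInternalCA creates a self-signed root. Whoever puts Cert into their
// verification pool is the one deciding to trust it; no browser vendor is involved.
func NewInternalCA(name string, now time.Time) (*InternalCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &InternalCA{Cert: cert, Key: key, nextSerial: 2}, nil
}

// IssueServerCert signs a short-lived leaf for dnsName. A stolen 30-day cert
// stops working soon after the theft even if the CRL never reaches a client.
func (ca *InternalCA) IssueServerCert(dnsName string, now time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.nextSerial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	ca.nextSerial++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke records a serial so the next CRL carries it.
func (ca *InternalCA) Revoke(cert *x509.Certificate, now time.Time) {
	ca.Revoked = append(ca.Revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: now})
}

// CRL returns the current revocation list, DER-encoded and signed by the root.
func (ca *InternalCA) CRL(now time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(now.UnixNano()),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: ca.Revoked,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
}

// VerifyServerCert is the client side: build a chain to a pool holding only
// our root, for this name and time, then reject anything listed on the CRL.
func VerifyServerCert(cert, root *x509.Certificate, crlDER []byte, dnsName string, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, DNSName: dnsName, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("CRL not signed by our root: %w", err)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", cert.SerialNumber)
		}
	}
	return nil
}

func main() {
	now := time.Now()
	ca, _ := NewInternalCA("Example Internal Root", now)
	leaf, _ := ca.IssueServerCert("app.internal.example", now, 30*24*time.Hour)
	crl, _ := ca.CRL(now)
	fmt.Println("fresh cert:", VerifyServerCert(leaf, ca.Cert, crl, "app.internal.example", now))
	fmt.Println("31 days later:", VerifyServerCert(leaf, ca.Cert, crl, "app.internal.example", now.Add(31*24*time.Hour)))
	ca.Revoke(leaf, now)
	crl, _ = ca.CRL(now)
	fmt.Println("after revocation:", VerifyServerCert(leaf, ca.Cert, crl, "app.internal.example", now))
}
```

The three checks at the end are the three properties the post argues for: the root is trusted only because the client put it in the pool, the leaf dies on its own after 30 days, and the operator can pull it earlier with a CRL the client actually consults. Go's chain verifier does not fetch or check CRLs itself, which is why the revocation check is done explicitly after Verify.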