Cheap and fast certs.

Carl Youngblood carl at youngbloods.org
Tue Feb 21 10:35:54 MST 2006


I think you are misconstruing my original post.  I am not trying to be an
advocate for Verisign.  I said you would probably never use the insurance
anyway.  What I was mostly focusing on is customer perception.  Many big
companies go with Verisign for this reason alone.  I don't like the
company.  I think that SSL certs could be done a lot more cheaply, but there
are certain hoops that you should probably go through if you are going to do
e-commerce and want to present as safe a storefront as possible.  I'm not
claiming any of these techniques will actually make your site any safer.
I'm just saying that there is a difference in consumer perception about the
safety of each company.  But actually most consumers don't check the cert at
all.  For those that do, there may be a difference between getting a cert
with $1000 of insurance and one with $1,000,000.  BTW, I looked up
Verisign's policy and their insurance is only $100,000:
http://www.verisign.com/repository/netsure/netsure2.html.  I was shooting
from the hip, but it is at least a little more than $1,000.  I should add
though, that I have never heard of a single case where a cert has been
verified that was not actually issued. (phishing attacks with slight domain
name modifications are different and are not covered by this kind of
insurance AFAIK).

Carl



On 2/19/06, Jason Holt <jason at lunkwill.org> wrote:
>
>
> On Sun, 19 Feb 2006, Carl Youngblood wrote:
>
> > You get what you pay for.
>
>
> Unfortunately, SSL certs seem to be an exception to that rule.  SSL certs
> convey almost no useful information, and the low barriers for attackers make
> the quality of security low even for the small class of users who can discern
> between "safe" and "dangerous" scenarios.  Still much better than nothing, but
> the extra money some CAs charge doesn't seem to be providing much additional
> security.
>
>
> > If all you want is encryption, Godaddy certs are fine.  But if you look at
> > the fact that even their most expensive cert only comes with $1000 of
> > insurance, while instantssl.com and verisign certs come with $1,000,000, you
> > can see the difference.  Granted you'll probably never use the insurance,
> > but customer confidence is an important issue.  If I were running a business
> > that used SSL I would use instantssl for that reason alone.  I think their
> > price/value ratio is the best out there.
>
> While I have seen Verisign and "consumer confidence" in adjacent sentences
> before, this might be the first time I've seen them used with that relative
> polarity from anyone other than their marketers.  (Verisign/netsol has been
> harshly criticized for a number of unethical behaviors, including sending
> deceptive domain renewal notices to customers of other registrars and
> redirecting every single unregistered .com domain to their own signup site).
> Incidentally, I can't find anything about a $1M guarantee on their site -- do
> you have a URL for that?
>
> Instantssl.com appears to be Comodo, who I once exchanged emails with about my
> friend's erroneous choice of a 512-bit RSA certificate -- the tech claimed
> that 512-bits was plenty secure and refused to reissue a stronger cert.  512
> bit RSA moduli were broken years ago, and would probably take a modern PC,
> say, a month to factor.  Unfortunately, the $1M guarantee from Comodo doesn't
> seem to cover you if the attacker gets his cert for your domain from somebody
> else.
>
>                                                 -J
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>