SSL certificate trust
Posted on May 3, 2010
Filed Under The Dangers | 1 Comment
We’ve had it drilled into us for years now. If you are buying something online, look for the visual indicator in your browser that tells you the connection is secure and encrypted. ‘The padlock icon’
In Safari it’s a padlock icon. In Firefox it’s a blue bar. In Chrome it’s a yellow background. In Internet Explorer it’s a padlock icon.
The presence of a padlock icon or other visual indicator should not, however, be taken as a blanket sign of trust. That indicator is remarkably easy and cheap to obtain.
The padlock or coloured bar can be had for something like £30, domain name included. All a standard (domain-validated) SSL certificate establishes is that the server you are talking to holds the key for that domain name, so the connection between your machine and that domain is encrypted and can’t be read in transit. It does not establish who is behind the site or validate that they are who they say they are, and it does not (aside from some rare circumstances) provide any kind of guarantee for your money.
Many scammers and fraudsters are turning to perfectly valid SSL certificates to lend credibility to bank phishing sites and the like: the padlock is genuine, the site is not.
There are different types of SSL certificate, and you should always check which type a site has. EV, or Extended Validation, certificates provide the level of trust that all online shoppers should look for. EV certificate requests have to go through stringent and frankly painstaking (I know, we’ve done this) processes to ensure that the applicant’s registered company name, physical location and address match the certificate 100%. It is essentially a certificate for the company and not the website alone: the verified company name is written into the certificate itself, and that is what the browser displays.
With an EV certificate, Safari shows the padlock icon plus a green company name indicator. In Firefox it’s a green indicator with the company name. In Chrome it’s a yellow bar and a green company name indicator. In IE7 the whole address bar turns green; in IE8 it’s more subtle, but the company name is still displayed.
See how it works in your browser with these examples (for the record, I’m not saying that the first site below is bad, far from it, but they use an external card payment processor):
non-EV: cylindersdirect.co.uk
Extended Validation: 3dpixel.net
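If you want to see the difference for yourself rather than rely on the browser’s colouring, look at what the certificate actually contains. The following is an added example written for this page, not code from the original post: it mints two throwaway self-signed certificates with Go’s standard library, one shaped like a cheap domain-validated certificate (a host name and nothing else) and one shaped like an EV certificate (the CA/Browser Forum EV policy OID 2.23.140.1.1, which was standardised after this post was written, plus the vetted company name, registration number, business category and jurisdiction in the subject), and then classifies each from its contents alone. The host names, company name and registration number are made up for the example, and no chain validation is done.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Object identifiers that matter when reading a certificate's subject and policies.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidEVPolicy            = asn1.ObjectIdentifier{2, 23, 140, 1, 1}    // CA/Browser Forum: Extended Validation
	oidDVPolicy            = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // CA/Browser Forum: Domain Validated
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

// Assessment records what the certificate itself tells you, before any chain checking.
type Assessment struct {
	Level        string // "EV", "DV" or "unknown"
	Organization string // the legal entity the issuer vouches for; empty for DV
}

// Assess classifies a certificate from its own contents. A DV certificate only asserts
// the host names it covers; an EV certificate also carries the EV policy OID and the
// vetted identity fields (organisation, registration number, category, jurisdiction).
func Assess(cert *x509.Certificate) Assessment {
	a := Assessment{Level: "unknown"}
	evPolicy := false
	for _, p := range cert.PolicyIdentifiers {
		switch {
		case p.Equal(oidEVPolicy):
			evPolicy = true
		case p.Equal(oidDVPolicy):
			a.Level = "DV"
		}
	}
	jurisdiction, category := false, false
	for _, n := range cert.Subject.Names {
		switch {
		case n.Type.Equal(oidJurisdictionCountry):
			jurisdiction = true
		case n.Type.Equal(oidBusinessCategory):
			category = true
		}
	}
	// The policy OID alone is not enough: an EV certificate has to name the company.
	if evPolicy && jurisdiction && category &&
		len(cert.Subject.Organization) > 0 && cert.Subject.SerialNumber != "" {
		a.Level = "EV"
		a.Organization = cert.Subject.Organization[0]
	}
	return a
}

// policiesExtension builds a certificatePolicies extension listing the given OIDs.
func policiesExtension(oids ...asn1.ObjectIdentifier) pkix.Extension {
	type policyInformation struct{ Policy asn1.ObjectIdentifier }
	infos := make([]policyInformation, 0, len(oids))
	for _, o := range oids {
		infos = append(infos, policyInformation{Policy: o})
	}
	der, err := asn1.Marshal(infos)
	if err != nil {
		panic(err)
	}
	return pkix.Extension{Id: oidCertificatePolicies, Value: der}
}

// selfSigned mints a throwaway self-signed certificate from a template so the two
// styles can be compared offline; it stands in for a CA-issued certificate.
func selfSigned(tmpl *x509.Certificate) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.SerialNumber = big.NewInt(1001)
	tmpl.NotBefore = time.Now()
	tmpl.NotAfter = tmpl.NotBefore.Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// DVExample: a cheap domain-validated certificate; only the (made-up) host is asserted.
func DVExample() *x509.Certificate {
	return selfSigned(&x509.Certificate{
		Subject:         pkix.Name{CommonName: "shop.example.co.uk"},
		DNSNames:        []string{"shop.example.co.uk"},
		ExtraExtensions: []pkix.Extension{policiesExtension(oidDVPolicy)},
	})
}

// EVExample: the same host, but the issuer has vetted and recorded the (made-up) company.
func EVExample() *x509.Certificate {
	return selfSigned(&x509.Certificate{
		Subject: pkix.Name{
			CommonName:   "shop.example.co.uk",
			Organization: []string{"Example Trading Ltd"},
			Country:      []string{"GB"},
			Locality:     []string{"Leeds"},
			SerialNumber: "01234567", // company registration number, made up
			ExtraNames: []pkix.AttributeTypeAndValue{
				{Type: oidBusinessCategory, Value: "Private Organization"},
				{Type: oidJurisdictionCountry, Value: "GB"},
			},
		},
		DNSNames:        []string{"shop.example.co.uk"},
		ExtraExtensions: []pkix.Extension{policiesExtension(oidEVPolicy)},
	})
}

func main() {
	for _, c := range []*x509.Certificate{DVExample(), EVExample()} {
		a := Assess(c)
		fmt.Printf("%-7s org=%q hosts=%v\n", a.Level, a.Organization, c.DNSNames)
	}
}
```

The point of the classifier is the last check in Assess: the DV certificate carries nothing but the host name, so there is no company to show you, whereas the EV certificate carries the company name the browser puts in green. Real browsers additionally require the EV policy OID to come from a CA on their EV list and validate the chain, which this example deliberately leaves out.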
Double check the padlock. It’s not always what you think.
[...] This post was mentioned on Twitter by 3dpixelnet. 3dpixelnet said: http://thesocialengineer.co.uk/ssl-certificate-trust/ the differences in SSL certificates and why it matters to you. [...]