
[nycphp-talk] The SSL Certificate Scam

Gary A. Mort garyamort at gmail.com
Mon Nov 25 12:15:29 EST 2013


Warning: this is a lengthy rant/vent on the state of SSL certificates as 
used on websites today.

https://plus.google.com/117506461184749864074/posts/PqHMSjsY5hp

The summary is:
I don't feel that purchasing SSL Certificates from "Trusted Third 
Parties" as defined by Google, Microsoft, and Mozilla is currently 
worthwhile. If you're using them for security, set up your own internal 
CA with a couple of roots and issue certs for your own usage. It's more 
secure because then YOU are the one who decided to trust the CA. 
Moreover, it is more secure because YOU can set a much shorter 
expiration [why wait a whole year? Expire it in a month and generate a 
new one!] so if a cert is stolen it will expire soon - and YOU can 
revoke certificates that are being used fraudulently.

The only benefit to purchasing an SSL Certificate is marketing. There 
are a few people who will choose not to purchase a product if the SSL 
Certificate doesn't "look right".  However, considering the large number 
of active e-commerce websites taking orders today using expired 
certificates - I think the number of sales lost is minimal.

I do see a purpose to trusted third parties - it is just the current 
system which is flawed.

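The workflow the post recommends (your own root, short-lived leaf certs, and the ability to revoke) can be exercised end to end with nothing but the openssl command line. The script below is an added example, not code from the original post or from the NYPHP list; the CA name, the hostname intranet.example.test, the 30-day leaf lifetime, the 7-day CRL lifetime and the choice of P-256 keys are assumptions for illustration. It needs a reasonably recent openssl binary (1.1.1 or later) and writes everything into a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal internal CA driven by
# the openssl CLI. You choose the root, leaf certs live 30 days instead of a
# year, and a CRL lets you revoke a stolen cert immediately. CA name, hostname,
# lifetimes and key type are assumptions for illustration.
set -eu

# Write a self-contained openssl config for the CA in $1 (issuing for host $2),
# so the system-wide openssl.cnf is never consulted.
ca_write_config() {
  ca_dir=$1; host=$2
  cat > "$ca_dir/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = internal_ca

[ internal_ca ]
database = $ca_dir/index.txt
new_certs_dir = $ca_dir/newcerts
serial = $ca_dir/serial
crlnumber = $ca_dir/crlnumber
certificate = $ca_dir/root.crt
private_key = $ca_dir/root.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_cn

[ policy_cn ]
commonName = supplied

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
}

# Publish the current CRL (empty until something is revoked) as $1/ca.crl.
ca_gencrl() { openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" >/dev/null 2>&1; }

# Create the CA database, a P-256 root key, a 10-year self-signed root and an empty CRL.
ca_init() {
  ca_dir=$1; host=$2
  mkdir -p "$ca_dir/newcerts"
  : > "$ca_dir/index.txt"
  echo 1000 > "$ca_dir/serial"
  echo 1000 > "$ca_dir/crlnumber"
  ca_write_config "$ca_dir" "$host"
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$ca_dir/root.key" 2>/dev/null
  openssl req -x509 -new -config "$ca_dir/ca.cnf" -extensions root_ext \
    -key "$ca_dir/root.key" -subj "/CN=Example Internal Root CA" \
    -days 3650 -out "$ca_dir/root.crt" 2>/dev/null
  ca_gencrl "$ca_dir"
}

# Generate a leaf key and CSR for host $2 and sign it for $3 days (the short lifetime).
ca_issue() {
  ca_dir=$1; host=$2; days=$3
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$ca_dir/leaf.key" 2>/dev/null
  openssl req -new -config "$ca_dir/ca.cnf" -key "$ca_dir/leaf.key" \
    -subj "/CN=$host" -out "$ca_dir/leaf.csr" 2>/dev/null
  openssl ca -batch -notext -config "$ca_dir/ca.cnf" -extensions leaf_ext \
    -days "$days" -in "$ca_dir/leaf.csr" -out "$ca_dir/leaf.crt" >/dev/null 2>&1
}

# Mark the leaf as compromised in the CA database and republish the CRL.
ca_revoke() {
  openssl ca -config "$1/ca.cnf" -revoke "$1/leaf.crt" -crl_reason keyCompromise >/dev/null 2>&1
  ca_gencrl "$1"
}

# Exit 0 only if leaf.crt chains to our root, names host $2 and is absent from the CRL.
ca_verify() {
  openssl verify -crl_check -CAfile "$1/root.crt" -CRLfile "$1/ca.crl" \
    -verify_hostname "$2" "$1/leaf.crt" >/dev/null 2>&1
}

# Exit 0 if leaf.crt will still be valid $2 days from now (openssl x509 -checkend).
leaf_valid_after_days() {
  openssl x509 -in "$1/leaf.crt" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Stand-alone demonstration: issue a 30-day cert, check it, revoke it, check again.
demo_dir=$(mktemp -d)
ca_init "$demo_dir" intranet.example.test
ca_issue "$demo_dir" intranet.example.test 30
ca_verify "$demo_dir" intranet.example.test && echo "fresh 30-day cert: accepted"
ca_revoke "$demo_dir"
ca_verify "$demo_dir" intranet.example.test || echo "after revocation: rejected"
rm -rf "$demo_dir"
```

Two points worth noting. The verification step always passes `-crl_check` with the CA's own CRL, so a client that copies this check rejects a revoked cert within one CRL refresh rather than waiting for expiry; and because the leaf lifetime is an argument to `ca_issue`, rotating monthly is just re-running it on a schedule. A serial file and `index.txt` are the whole "database", so keep them (and root.key) off the web server.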
