Thursday, 7 April 2011

When NOT to trust an SSL certificate.

Comodo recently issued a security alert that, after a breach, 9 SSL certificates were fraudulently issued.

Unfortunately far too many people on the internet treat the SSL padlock as a symbol of ultimate trust.

That trust is seriously misplaced.

Sophisticated attacks mean it is now getting easier for SSL certificate issuers to be broken into and made to issue certificates.

Moreover, all a certificate really does in terms of integrity is confirm that the host name you typed in your browser matches the name the server's SSL certificate claims to be for.

Today it is easy to fool a domain registrar into redirecting a domain to a different IP address, or to poison DNS so it hands out a false IP. At that point, even if you typed your bank's URL, there is no guarantee that you are actually reaching your bank.
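To make concrete how little the check behind the padlock actually covers, here is an added example in Go (not code from the original post or from Comodo). It builds a constructed toy CA, issues two server certificates for the invented name bank.example under different keys, the second standing in for a mis-issued certificate from the same trusted CA, and runs the standard chain-plus-host-name verification against both. Nothing in that check looks at which IP address DNS returned or who operates the server, so both certificates pass. The example then adds a public-key pin, a mitigation the post does not mention, to show one way a client can still tell the two apart.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario is a constructed toy PKI: one root CA and two leaf certificates that both
// name "bank.example". Genuine stands for the bank's real certificate; Fraud stands for
// one mis-issued by the same trusted CA to somebody else, under a different key.
type Scenario struct {
	Roots   *x509.CertPool
	Genuine *x509.Certificate
	Fraud   *x509.Certificate
}

// issue signs tmpl with signerKey; when parent is nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildScenario creates the toy CA and issues both leaf certificates.
func BuildScenario() (*Scenario, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ca, err := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Toy Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	// leaf issues a server certificate for bank.example under a freshly generated key.
	leaf := func(serial int64) (*x509.Certificate, error) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		return issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: "bank.example"},
			DNSNames:     []string{"bank.example"},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, ca, &key.PublicKey, caKey)
	}
	genuine, err := leaf(2)
	if err != nil {
		return nil, err
	}
	fraud, err := leaf(3)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &Scenario{Roots: roots, Genuine: genuine, Fraud: fraud}, nil
}

// BrowserAccepts is the whole check the padlock represents: the certificate chains to a
// trusted root and names the host that was typed. It never asks who runs the server.
func BrowserAccepts(s *Scenario, leaf *x509.Certificate, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     s.Roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// SPKIHash is the SHA-256 of the certificate's public key, the value a key pin records.
func SPKIHash(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// PinnedAccepts layers a key pin on the standard check, so a trusted-CA certificate for
// the right name is still rejected when its key is not the one seen before.
func PinnedAccepts(s *Scenario, leaf *x509.Certificate, host string, pin [32]byte) bool {
	return BrowserAccepts(s, leaf, host) && SPKIHash(leaf) == pin
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	pin := SPKIHash(s.Genuine)
	fmt.Println("genuine cert, standard check:   ", BrowserAccepts(s, s.Genuine, "bank.example"))
	fmt.Println("mis-issued cert, standard check:", BrowserAccepts(s, s.Fraud, "bank.example"))
	fmt.Println("mis-issued cert, pinned check:  ", PinnedAccepts(s, s.Fraud, "bank.example", pin))
}
```

The standard check accepts both certificates and rejects only a host-name mismatch, which is exactly why a CA breach like the one described above is dangerous: a browser relying on chain and name alone has nothing to distinguish the mis-issued certificate from the real one.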

So the next time you simply rely on the SSL padlock symbol to keep you safe, think twice. Look at the page: does it all look the same as usual? If your correct credentials are rejected, or you get a website error after entering them, chances are you are logging on to a hacker's site.

SSL and the padlock are NO longer a symbol of trust on their own.

