How VeriSign Could Stop Drive-By Downloads

In a recent article, Ben Edelman discusses How VeriSign Could Stop Drive-By Downloads (also featured over at Slashdot).

Now whilst I disagree that clamping down on CAs would get rid of spyware (it may slow it slightly, though), it does bring up the important point of trust. In particular, it points out the problem of CAs giving the user a sense of trust in an organization that the CA doesn't even know.

This issue of "false trust" is something that we were discussing in the office the other week, as we arranged to shell out the US$149 for one of thawte's SSL123 certificates, which are issued within minutes with only minimal checking. The difference between this certificate and thawte's usual certificates (apart from the $50 price difference) is that the SSL123 certificates contain no information about the legal entity they were issued to. (Want to compare? Check out here vs. here.)

Technically, the two certificates are exactly the same. In the case of the SSL123 certificate, we paid $149 for them to run a quick WHOIS on the domain and check that the contact information we supplied was the same. Quickest $149 you've ever made. In the case of the other certificate, a company check was done, but as far as we know, that was it.

What is thawte doing - in either case - to say that they trust either business? That's right. Absolutely nothing.

Don't for a second assume I am singling thawte out on this - I'd be quite pleasantly surprised to find that any CA does its due diligence in checking that the organization it is issuing a certificate to is reputable.

I believe there are a few problems all at play in the matter of on-line security, though.

  1. CAs don't do strict enough checking. Be it for SSL certificates, ActiveX and code signing certificates, whatever. You have said "we trust this organization", so you had better be pretty damn sure that it can be trusted. Personally, I'd quite like to see some legal action in this area to kick them all into gear. CAs should be checking into the previous business history of directors and previously held domains, and verifying physical information such as office location, phone numbers and the like.
  2. Browsers hide the importance of SSL checking. Part of the benefit of X.509 certificates is putting a physical name and contact to a piece of data. This needs to be more obvious. Rather than just a padlock at the bottom of a browser, it needs to be obvious to the user: "You are dealing with XYZ Company Pty Ltd". Again, this isn't feasible without the CAs doing their job to prevent "You are dealing with a very secure and reputable company A++ on Internets!!!"
  3. User education (such as mentioned here on Slashdot) is important, but I don't see it being achievable to the extent that would be required. People don't know about the running of their computer, because they don't care - and nor should they!!! If the problem can be fixed in software and by the providers, then why not!?!
  4. A change of thinking about the role of certification - just because VeriSign says it's "trusted" doesn't mean it's safe. The first step to doing anything securely is to "trust nobody" - in this case, applications stop blindly trusting things signed by the CA, and instead use the CA as a reliable source of information about the provider, so that the user can decide whether they trust that organization. The difference is subtle, but important IMHO.
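Points 2 and 4 both come down to what a relying party can actually read out of the certificate's subject Distinguished Name. The following is an added example (not code from the original post or from thawte): it constructs two sample subjects, one in the style of a domain-only certificate carrying just a Common Name and one carrying Organization, Locality and Country attributes, and reports whether the subject names a legal entity at all. The subjects, company name and host name are constructed placeholders; a small DER encoder and decoder is included so it runs offline without a third-party library.

```python
"""Added example: does an X.509 subject DN name a legal entity, or only a host?"""

# ASN.1 tags that appear in an X.509 Name
TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
TAG_PRINTABLE, TAG_UTF8 = 0x13, 0x0C

# X.520 attribute types this example understands
OID_NAMES = {
    "2.5.4.3": "CN",   # commonName, typically the host name
    "2.5.4.6": "C",    # countryName
    "2.5.4.7": "L",    # localityName
    "2.5.4.8": "ST",   # stateOrProvinceName
    "2.5.4.10": "O",   # organizationName: the vetted legal entity
    "2.5.4.11": "OU",  # organizationalUnitName
}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]          # base-128, last group has high bit clear
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(groups))
    return der_tlv(TAG_OID, bytes(out))


def encode_name(attrs) -> bytes:
    """attrs: list of (short_name, value) -> DER Name with one attribute per RDN."""
    rdns = b""
    for short, value in attrs:
        atv = encode_oid(NAME_OIDS[short]) + der_tlv(TAG_UTF8, value.encode("utf-8"))
        rdns += der_tlv(TAG_SET, der_tlv(TAG_SEQUENCE, atv))
    return der_tlv(TAG_SEQUENCE, rdns)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element); reject truncated input."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_name(der: bytes):
    """DER Name -> list of (short_name_or_oid, value) in encoded order."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = read_tlv(seq, pos)
        if tag != TAG_SET:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)
            _, oid_body, vpos = read_tlv(atv, 0)
            val_tag, val_body, _ = read_tlv(atv, vpos)
            # Unknown string types are surfaced as hex rather than guessed at
            value = val_body.decode("utf-8") if val_tag in (TAG_PRINTABLE, TAG_UTF8) else val_body.hex()
            attrs.append((OID_NAMES.get(decode_oid(oid_body), decode_oid(oid_body)), value))
    return attrs


def identity_summary(der_name: bytes) -> dict:
    """What a browser could honestly tell the user about the certificate holder."""
    attrs = dict(decode_name(der_name))
    return {
        "common_name": attrs.get("CN"),
        "organization": attrs.get("O"),
        "location": ", ".join(attrs[k] for k in ("L", "ST", "C") if k in attrs),
        "names_legal_entity": "O" in attrs,   # only O ties the cert to a vetted company
    }


# Constructed sample subjects (placeholders, not real certificates)
DV_STYLE_SUBJECT = encode_name([("CN", "www.example.com")])
OV_STYLE_SUBJECT = encode_name([("C", "AU"), ("ST", "Victoria"), ("L", "Melbourne"),
                                ("O", "Example Company Pty Ltd"), ("CN", "www.example.com")])

if __name__ == "__main__":
    for label, subject in (("DV-style", DV_STYLE_SUBJECT), ("OV-style", OV_STYLE_SUBJECT)):
        print(label, identity_summary(subject))
```

The domain-only subject yields `names_legal_entity: False`, which is exactly the case where a padlock alone overstates what the CA has verified; a UI built on point 4 would show the organization and location fields when present and say plainly that only the domain was checked when they are not.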

In the end though, all of this rant, as is Ben's, is fairly pointless - CAs will not change until someone makes them do so. Who is going to do that? Management? These changes would mean they actually have to work for their money - how is that going to help the bottom line? Maybe Government? But which one? Or maybe yet another non-profit (haha yeah, right) organization like ICANN?

Yup - we'll just all whine and moan, but nothing is going to happen in the short term while the Internet is run by bean-counters and bureaucrats.