Wandering Thoughts archives

2008-08-23

Another problem with SSL identities

On top of SSL's general issue there is a practical problem with how SSL information is presented in browsers, one that makes it very difficult for anyone except very technical people to meaningfully verify who an SSL certificate is issued to.

The issue is simple: browsers normally only show you the name of the organization that the SSL certificate is issued to. But organization names are not unique, especially not across the entire world, which means that just the organization name alone tells people less than they think it does.

(In practice, certain sufficiently well known organizations do have unique names on the Internet, but this is just because no certificate authority is going to issue a certificate to a 'Google' that is not located in Mountain View (unless, of course, an accident happens, as it did once with Microsoft). Less well known organizations have no such protection.)

SSL recognized this right from the start, and SSL certificates carry location information for the organization (city, state or province, and country) to disambiguate exactly this situation. Unfortunately, browsers have chosen to hide this information away in cryptic detailed SSL information dumps, instead of presenting it to users as part of the identity of who the certificate is issued to. The result is that even the rare careful user who actually checks is likely verifying less about who an SSL certificate is issued to than they think they are.
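To make the point concrete, here is an added example (my own illustration, not code from the original post) that decodes the DER-encoded Subject name of a certificate and contrasts what a browser of the time showed (just the O field) with the full identity the certificate actually carries (O plus L, ST and C). The two subjects are constructed for the example: two organizations with the identical name "Example Widgets Inc" in different cities. The function names (encode_name, parse_name, browser_summary, full_identity) are mine; the OID-to-field mapping and the DER layout of an X.501 Name are the standard ones.

```python
"""Decode an X.509 Subject name and show O-only vs. full identity.

Added example, not from the original post. A Name is DER-encoded as
SEQUENCE OF SET OF SEQUENCE { type OID, value string }.
"""

# Standard X.520 attribute OIDs for the fields we care about.
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
    "2.5.4.8": "ST", "2.5.4.10": "O",
}


def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _oid(dotted):
    """Encode a dotted OID: first two arcs packed, rest base-128."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        out += bytes(enc)
    return _tlv(0x06, out)


def encode_name(attrs):
    """Build a DER Name from [(oid, value)], one attribute per RDN."""
    rdns = [_tlv(0x31, _tlv(0x30, _oid(oid) + _tlv(0x0C, val.encode("utf-8"))))
            for oid, val in attrs]
    return _tlv(0x30, b"".join(rdns))


def _read_tlv(buf, pos):
    """Return (tag, content, end_offset) for the TLV at buf[pos]."""
    tag, pos = buf[pos], pos + 1
    ln, pos = buf[pos], pos + 1
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(body):
    # first//40 is correct for arcs 0-2 with small second arc (all X.520 OIDs)
    parts = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def parse_name(der):
    """Decode a DER Name into [(short_field_name, value)] in order."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    attrs, pos = [], 0
    while pos < len(body):
        stag, rdn, pos = _read_tlv(body, pos)
        assert stag == 0x31, "RDN must be a SET"
        rpos = 0
        while rpos < len(rdn):          # a SET may hold several attributes
            atag, atv, rpos = _read_tlv(rdn, rpos)
            assert atag == 0x30
            _, oid_body, vpos = _read_tlv(atv, 0)
            _, val_body, _ = _read_tlv(atv, vpos)   # PrintableString/UTF8String
            oid = _decode_oid(oid_body)
            attrs.append((OID_NAMES.get(oid, oid), val_body.decode("utf-8")))
    return attrs


def browser_summary(attrs):
    """What the browser UI of the post's era showed: the O field alone."""
    return dict(attrs).get("O", "")


def full_identity(attrs):
    """The disambiguated identity the certificate actually carries."""
    d = dict(attrs)
    return ", ".join(f"{k}={d[k]}" for k in ("CN", "O", "L", "ST", "C") if k in d)


# Constructed sample subjects: same organization name, different places.
SUBJECT_A_DER = encode_name([
    ("2.5.4.3", "www.example.com"), ("2.5.4.10", "Example Widgets Inc"),
    ("2.5.4.7", "Springfield"), ("2.5.4.8", "Illinois"), ("2.5.4.6", "US"),
])
SUBJECT_B_DER = encode_name([
    ("2.5.4.3", "www.example.net"), ("2.5.4.10", "Example Widgets Inc"),
    ("2.5.4.7", "Springfield"), ("2.5.4.8", "Oregon"), ("2.5.4.6", "US"),
])


def compare(der_a, der_b):
    """Return (same_by_O_only, same_by_full_identity) for two subjects."""
    a, b = parse_name(der_a), parse_name(der_b)
    return (browser_summary(a) == browser_summary(b),
            full_identity(a) == full_identity(b))


if __name__ == "__main__":
    for der in (SUBJECT_A_DER, SUBJECT_B_DER):
        attrs = parse_name(der)
        print("browser shows:", browser_summary(attrs))
        print("cert carries: ", full_identity(attrs))
    print("indistinguishable by O alone:", compare(SUBJECT_A_DER, SUBJECT_B_DER))
```

Run as a script it prints the same "Example Widgets Inc" line for both certificates, while the full identity line differs in the ST field. The parser is deliberately minimal (single-byte tags, no validation of string types); its only purpose is to show that L, ST and C are sitting right there in the Subject and that a UI which drops them collapses two distinct identities into one.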

web/SSLIdentityProblemII written at 02:24:46
