Another problem with SSL identities

August 23, 2008

On top of SSL's general issue there is a practical problem with how SSL information is presented in browsers, one that makes it very difficult for anyone except very technical people to meaningfully verify who an SSL certificate is issued to.

The issue is simple: browsers normally only show you the name of the organization that the SSL certificate is issued to. But organization names are not unique, especially not across the entire world, which means that just the organization name alone tells people less than they think it does.

(In practice, certain sufficiently well known organizations do have unique names on the Internet, but this is just because no certificate authority is going to issue a certificate to a 'Google' that is not located in Mountain View (unless, of course, an accident happens, as it did once with Microsoft). Less well known organizations have no such protection.)

SSL recognized this right from the start, and SSL certificates carry location information for the organization precisely to disambiguate this situation. Unfortunately, browsers have chosen to hide this information away in cryptic detailed SSL information dumps instead of presenting it to users as part of the identity of who the certificate is issued to. The result is that even the rare careful user who actually checks is likely verifying less about who an SSL certificate is assigned to than they think they are.
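To make the point concrete, here is a small added example (mine, not part of the original post) that parses OpenSSL-style one-line certificate subjects and compares the organization-only identity a browser shows with the location-qualified identity the certificate actually carries. The subject strings are constructed for the example; the third one is shaped like the RapidSSL subject quoted in the comments, with the location fields missing. It also handles one parsing pitfall of that format: a "/" inside an attribute value (such as a URL in an OU) is not a field separator.

```python
"""Compare browser-visible (O only) vs location-qualified certificate identities."""
import re
from collections import defaultdict

# Split on "/" only where an attribute name and "=" follow, so a "/" inside a
# value (for example a URL in an OU) stays part of that value. Assumes values
# do not themselves contain text of the form "/NAME=", which is the usual case.
_RDN_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")

# Constructed sample subjects. The first two are for organisations that share
# a name but sit in different places; the third has had its location stripped,
# in the shape of the certificate quoted in the comments (values are made up).
SUBJECTS = [
    "/C=US/ST=California/L=Mountain View/O=Acme Ltd/CN=acme.example",
    "/C=GB/ST=Greater London/L=London/O=Acme Ltd/CN=acme-ltd.example",
    "/C=GB/O=example.net/OU=GT00000000"
    "/OU=See www.rapidssl.com/resources/cps (c)08"
    "/OU=Domain Control Validated/CN=example.net",
]


def parse_subject(one_line):
    """Parse "/C=GB/O=.../CN=..." into a list of (attribute, value) pairs.

    A list rather than a dict, because attributes such as OU may legitimately
    appear more than once in a subject.
    """
    pairs = []
    for part in _RDN_SPLIT.split(one_line.strip()):
        if not part:
            continue  # empty piece produced by the leading "/"
        attr, _, value = part.partition("=")
        pairs.append((attr, value))
    return pairs


def _first(pairs, attr):
    for a, v in pairs:
        if a == attr:
            return v
    return None


def browser_identity(pairs):
    """What the browser chrome shows: the organisation name alone, falling
    back to the CN for certificates that carry no O at all."""
    return _first(pairs, "O") or _first(pairs, "CN")


def qualified_identity(pairs):
    """The organisation plus whatever location attributes the certificate
    carries (L, ST, C); this is what distinguishes same-named organisations."""
    parts = [_first(pairs, a) for a in ("O", "L", "ST", "C")]
    return ", ".join(p for p in parts if p)


def find_collisions(subjects):
    """Return browser-visible names that map to more than one distinct
    qualified identity, i.e. names the O-only display cannot tell apart."""
    by_name = defaultdict(set)
    for subj in subjects:
        pairs = parse_subject(subj)
        by_name[browser_identity(pairs)].add(qualified_identity(pairs))
    return {name: sorted(ids) for name, ids in by_name.items() if len(ids) > 1}


if __name__ == "__main__":
    for subj in SUBJECTS:
        pairs = parse_subject(subj)
        print(f"browser shows: {browser_identity(pairs)!r:20} "
              f"certificate says: {qualified_identity(pairs)!r}")
    for name, ids in find_collisions(SUBJECTS).items():
        print(f"\n'{name}' is ambiguous as displayed; the certificates carry:")
        for ident in ids:
            print(f"  {ident}")
```

Run as a script, it prints the two "Acme Ltd" certificates as indistinguishable by organization name alone, while their location fields tell them apart; the stripped-down third subject shows that when a CA omits L and ST there is little left to disambiguate with beyond the country.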


Comments on this page:

From 78.86.169.131 at 2008-08-23 05:37:54:

Unfortunately, some CAs squash the full location information from the certificate subject - for example RapidSSL.

Having supplied a CSR that contained the full subject info (C, ST, L, O, OU and CN), the returned certificate only contained the original CN and C items. The certificate subject looked something like this:

subject=/C=GB/O=example.net/OU=GT12345678/OU=See www.rapidssl.com/resources/cps (c)08/OU=Din Control Validated - RapidSSL(R)/CN=example.net

I wonder if this is a common practice, or if it's just this supplier?

-- Dominic

From 203.206.88.65 at 2008-08-23 06:22:10:

EV certs show up with the location easily readable in IE and Firefox.
