SSL does not create trust

August 4, 2008

One of the stories that people tell about SSL on the web is that proper, valid SSL certificates create trust (and thus do all sorts of good things, like facilitating Internet commerce). This is, how shall I say it, not actually true.

Here's how SSL certificates fail to create trust:

  • simply having an SSL certificate doesn't mean you're especially trustworthy, because anyone can get an SSL certificate.

  • you might be able to trust an identity that's guaranteed by SSL, except SSL's idea of an identity is wrong for the Internet.

    (And even given that, certificate authorities have been fooled at least once in a high-visibility case, and an unknown number of times for less visible people.)

  • SSL solves the wrong problem. As lots of events demonstrate, the vulnerable point is not the network or a sophisticated man-in-the-middle attack; the vulnerable point, and the most valuable place to compromise, is the web server itself. And a web server having an SSL certificate says nothing about how secure it is.

    (The other valuable thing to compromise is the person sitting in front of the computer; hence phishing attacks.)

  • finally, and hugely, SSL creates no trust because it creates no legal basis for trust for anyone. There are no contracts with terms, no duty, no guarantees, no liability, no nothing. You pay some money and you get some magic bits, and that is it. No one is on the hook if something goes wrong.

Trust is created by people having a motivation to act in your interest. One of the ways that this can happen is that you pay them; another is that they pay you if something goes wrong (i.e., liability). SSL involves neither, and as a result the presence of an SSL certificate means nothing more than that someone got an SSL certificate.

(Yes, trust can be created by reputation, but since anyone can get SSL certificates, having a valid one says nothing about your reputation.)

Another way to look at this is to ask if there is anything that you can rely on, either practically or legally, if you see a proper SSL certificate. The answer is clearly no, for the reasons above; you have no legal reliance at all, you have no real assurance of who the website is, and you have no idea if the website is (still) secure even if they are a trustworthy business.

The conclusion is inescapable: in both practical and legal terms, SSL creates no trust at all. Any 'trust' it creates is both misplaced and entirely in the minds of users.

(It is hopefully obvious why misleading users about security issues is a very bad idea.)

(None of this is original to me, but I feel like writing it down in one place that I can point to. See here and the link in the comment here for some sources I learned from.)
