Free SSL Certificates A Bad Idea?

Partially missing the point

I just found this site which is offering free SSL server certificates. Initially this seems like a great idea... but I think they miss the point slightly.

Wilst I'd agree with them that Verisign, Thawte (owned by Verisign) etc. are expensive for the service they provide, a large part of which can be automated, what they are doing isn't as simple as this page makes out.

As well as providing a certificate which provides encryption (which it's pretty trivial to do yourself without the sites need) they are also providing a trusted third party service (though, again, how far we want to trust Verisign is another matter).

This trusted third party makes a number of check on the applicant for a secure certificate, trying to legitimise the ir presence in the real world, and then sign the certificate. The signing means that you can be a bit more confident that the site you are engaging with is (relatively) legitimate.

I've just managed to set up a certificate through this site for one of my domains. The details aren't checked by them, and so I could have easily forged what I've entered. If they become a trusted Certificate Authority this certificate could now be used for phishing attacks.

One scenario is that users start to authorise all certificates issued by this Authority, without them being accepted by browser producers as a trusted Authority, and then being transmitted to a site which looks authentic, because the SSL certificate is there, and so seems secure. Most people don't look at SSL Certs - and indeed most, in my experience, are confused when they get prompts saying there is a problem with a cert, and take the path of least resistance not realising the implications.

In principal I like the idea of this kind of stuff, but it only works in a fully trustworthy world. And whilst it would be nice to be able to trust everyone it only take one 'bad apple' to spoil the fun for everything.

published 2005.02.25 updated 2014.11.03
show menu