Bill W. said the following on 02/28/2007 01:36 PM:
I’d really appreciate hearing from anyone with experience with this stuff.
Basically it's all meaningless.
Go and read the POLICY documents behind them, the equivalent of the EULA
The issue of ‘where’ is policy. If you miss out an SSL page they are not
going to come and beat you up or take you to court for non-compliance.
The ‘dynamic’ seal is no different from any other such chunk of
it's not going to make your site more secure.
What will make your site more secure has little to do with SSL. Much has
been written on that and advising on it is about 30% of my business.
are good books and papers out there; google and amazon are your friends.
SSL has many myths associated with it, and ‘security’ is one of them.
All it does is encrypt the link. Even this isn’t very good as there are
many appliances sold as tools for corporate gateways that can spoof the
connection in a way that is really a man-in-the-middle attack.
If all you are doing is protecting what’s going on over the wire then a
self-signed certificate is adequate. The Apache tools on my Linux box
all the stuff needed. I did this once, long ago, to try it out but s
my memory right now.
What companies like Verisign are selling is a form of trustworthiness.
that is a chimera. Let me explain why.
When you visit a site that purports to be Amazon and carry out a
transaction you want to be sure that it really is Amazon you are dealing
with, as well as securing the electrons over the wire. But if anyone
set up a self-signed cert then what? So we have ‘certificate
like Verisign. The idea is that if the cert comes from Verisign then
can trust it.
Well, Verisign should have verified that the company applying for the
IS who they say they are, all the due diligence about their integrity,
business practices, how they secure their network, their programming
techniques, that they do own the domain and the IP addresses, and so on
so on and so on. All the stuff that I audit for in my “day job”.
But the reality is that they actually sell a whole pile of grades of
Some of them you just have to apply for and pay the money - the only
they check is that the credit card transaction goes through.
This is not a put-down of Verisign or any other cert authority. It's
Read the licensing agreements. Unless they are doing a due diligence
on you as a business then what you are getting offers no more protection
than a self-signed cert.
However if you as a company need the marketing panache of displaying a
“badge” on your pages, then that’s another matter.
The issue is WHAT ARE YOU TRYING TO ACHIEVE?
The way you've worded your question is open. If it's asking about
superiority, then technically ANY SSL certificate is equivalent to any
Never look a gift horse in the mouth.
Saint Jerome, On the Epistle to the Ephesians
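The two points the reply makes about self-signed certificates (they protect the wire just as well as a CA-issued one, but a client has no basis for believing the identity unless it has itself chosen to trust that exact certificate) shown in Go's standard library. This is an added example, not code from the message or its author; the host name shop.example.test and the helper names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const demoHost = "shop.example.test" // hypothetical host name for the constructed cert

func must[T any](v T, err error) T { // demo-only helper: abort on any error
	if err != nil {
		panic(err)
	}
	return v
}

// MakeSelfSigned builds what `openssl req -x509` hands you: a certificate the
// subject signs with its own key, so issuer and subject are the same name.
func MakeSelfSigned() *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: demoHost},
		DNSNames:     []string{demoHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)) // parent == tmpl
	return must(x509.ParseCertificate(der))
}

// IsSelfSigned: issuer equals subject and the cert's own public key verifies its signature.
func IsSelfSigned(c *x509.Certificate) bool {
	return c.Issuer.String() == c.Subject.String() &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// TrustedFor: would a client trusting only roots accept c as proof it is talking to demoHost?
func TrustedFor(c *x509.Certificate, roots *x509.CertPool) bool {
	_, err := c.Verify(x509.VerifyOptions{DNSName: demoHost, Roots: roots})
	return err == nil
}

func main() { c := MakeSelfSigned(); fmt.Println(IsSelfSigned(c), TrustedFor(c, x509.NewCertPool())) } // true false
```

A client that has deliberately added the certificate to its pool (`pool.AddCert(c)`) gets `true` from TrustedFor; nothing about the encryption changes between the two cases, only whether the identity is believed.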