Bill W. said the following on 02/28/2007 01:36 PM:
I’d really appreciate hearing from anyone with experience with this stuff.
Basically it’s all meaningless.

Go and read the POLICY documents behind them, the equivalent of the EULA and liability declarations.

The issue of ‘where’ is policy. If you miss out an SSL page they are not going to come and beat you up or take you to court for non-compliance.

The ‘dynamic’ seal is no different from any other such chunk of javascript-enabled dynamic update, like a clock or weather indicator. It’s not going to make your site more secure.

What will make your site more secure has little to do with SSL. Much has been written on that and advising on it is about 30% of my business. There are good books and papers out there; google and amazon are your friends.

SSL has many myths associated with it, and ‘security’ is one of them. All it does is encrypt the link. Even this isn’t very good as there are many appliances sold as tools for corporate gateways that can spoof the connection in a way that is really a man-in-the-middle attack.

If all you are doing is protecting what’s going on over the wire then a self-signed certificate is adequate. The Apache tools on my Linux box have all the stuff needed. I did this once, long ago, to try it out but it slips my memory right now.

What companies like Verisign are selling is a form of trustworthiness. Even that is a chimera. Let me explain why.

When you visit a site that purports to be Amazon and carry out a financial transaction you want to be sure that it really is Amazon you are dealing with, as well as securing the electrons over the wire. But if anyone can set up a self-signed cert then what? So we have ‘certificate authorities’ like Verisign. The idea is that if the cert comes from Verisign then you can trust it.

Why?

Well, Verisign should have verified that the company applying for the cert IS who they say they are, all the due diligence about their integrity, business practices, how they secure their network, their programming techniques, that they do own the domain and the IP addresses, and so on and so on and so on. All the stuff that I audit for in my “day job”.

But the reality is that they actually sell a whole pile of grades of certs. Some of them you just have to apply for and pay the money - the only thing they check is that the credit card transaction goes through.

This is not a put-down of Verisign or any other cert authority. It’s marketing.

Read the licensing agreements. Unless they are doing a due diligence check on you as a business then what you are getting offers no more protection than a self-signed cert.

However if you as a company need the marketing panache of displaying a known “badge” on your pages, then that’s another matter.

The issue is WHAT ARE YOU TRYING TO ACHIEVE?

The way you’ve worded your question is open. If it’s asking about technical superiority, then technically ANY SSL certificate is equivalent to any other –
Never look a gift horse in the mouth.
Saint Jerome, On the Epistle to the Ephesians
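The self-signed setup the post alludes to ("the Apache tools on my Linux box have all the stuff needed"), written out as an added example that is not part of the original message. It assumes the openssl command-line tool is installed; the hostname `www.example.test` and the `./selfsigned` output directory are placeholders. The two verify functions make the post's point concrete: the certificate checks out only when the client already holds it as a trust anchor, and fails against the system CA store because no third party has vouched for it, while the link encryption Apache negotiates is the same either way.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a self-signed
# certificate with OpenSSL and writes a minimal Apache mod_ssl vhost for it.
# Assumptions: openssl CLI (1.1.1 or later, for -addext) is on PATH;
# HOST and OUTDIR below are placeholders.
set -e

HOST="${HOST:-www.example.test}"
OUTDIR="${OUTDIR:-./selfsigned}"

gen_self_signed() {
    mkdir -p "$OUTDIR"
    # A 2048-bit RSA key and a certificate signed with that same key
    # (hence "self-signed"), valid for 365 days. The hostname goes in the
    # SubjectAltName because modern clients ignore the CN on its own.
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$OUTDIR/server.key" -out "$OUTDIR/server.crt" \
        -days 365 -subj "/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" >/dev/null 2>&1
    # The private key is what protects the link; keep it readable by root only.
    chmod 600 "$OUTDIR/server.key"
}

# Self-signed means issuer == subject, so verification succeeds only when
# the certificate itself is supplied as the trust anchor.
verify_self_signed() {
    openssl verify -CAfile "$OUTDIR/server.crt" "$OUTDIR/server.crt" >/dev/null 2>&1
}

# Against the default (system) CA store the same certificate fails:
# nobody the client already trusts has signed it. Returns 0 when the
# verification fails as expected, 1 if it unexpectedly succeeds.
untrusted_without_anchor() {
    if openssl verify "$OUTDIR/server.crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Minimal mod_ssl vhost. The cipher negotiation and link encryption are
# identical whether the certificate below is self-signed or CA-issued.
write_vhost() {
    cat > "$OUTDIR/ssl-vhost.conf" <<EOF
<VirtualHost *:443>
    ServerName $HOST
    SSLEngine on
    SSLCertificateFile    $OUTDIR/server.crt
    SSLCertificateKeyFile $OUTDIR/server.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
EOF
}

# Usage: gen_self_signed && verify_self_signed && untrusted_without_anchor && write_vhost
```

What a self-signed certificate does not give you is the identity assertion: every client that connects will warn unless you distribute `server.crt` to it out of band and pin it as a trust anchor, which is workable for a handful of internal clients and not for the public.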