Why I Refuse to Update My Website Certificate
Every year or so, someone reports a supposed security vulnerability in a site that I run, warning me that the certificate has expired. I always respond that I would be happy to update it when I get a free moment, but that it is far from a priority.
August 20, 2009
Every year or so, someone reports a supposed security vulnerability in a site that I run, warning me that the certificate has expired. I always respond that I would be happy to update it when I get a free moment, but that it is far from a priority.Certificates do not certify the site is real -- far from it. Certificates don't indicate trust -- that's a scam that earns certain security vendors quite a lot of money.
Anyone can buy a certificate for their Website by indicating they own the domain, with little verification, and in some past cases, no verification at all. Certificates cannot be completely trusted to verify ownership.
And certificates don't really mean that a site is real, only that it's domain name is real. They're abused all the time: criminals break into servers and host their malicious sites on the sites hosted there, using certificates stolen from these sites owners.
Why then do I even bother with a certificate?
My site's certificate is self-signed. It has no trust when it comes to indicating I am who I say I am, but it does encrypt the traffic to and from it. Communication encryption is the only viable reason to use a Website certificate.
If you run a public Website, buy a cheap certificate, but not for providing trust. It will at least provide encryption to protect against eavesdropping.
Besides, users don't check certificates. They click "okay." So even if the certificate did convey any sense of trust, its use would be limited to experts with time on their hands.
And certificates are also money-makers: vendors sell a false sense of security by providing a small picture to put on your Webpage that certifies you are "Hacking Safe." But that's misleading.
You shouldn't trust Web certificates. Still, there are no alternatives. Perhaps it is time we came up with a real methodology to verify Websites rather than perpetuate this defunct technology.
Follow Gadi Evron on Twitter: http://twitter.com/gadievron
Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.
About the Author
You May Also Like