8/20/2009
05:35 AM
Gadi Evron
Gadi Evron
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail

Why I Refuse to Update My Website Certificate

Every year or so, someone reports a supposed security vulnerability in a site that I run, warning me that the certificate has expired. I always respond that I would be happy to update it when I get a free moment, but that it is far from a priority.



Every year or so, someone reports a supposed security vulnerability in a site that I run, warning me that the certificate has expired. I always respond that I would be happy to update it when I get a free moment, but that it is far from a priority.Certificates do not certify the site is real -- far from it. Certificates don't indicate trust -- that's a scam that earns certain security vendors quite a lot of money.

Anyone can buy a certificate for their Website by indicating they own the domain, with little verification, and in some past cases, no verification at all. Certificates cannot be completely trusted to verify ownership.

And certificates don't really mean that a site is real, only that it's domain name is real. They're abused all the time: criminals break into servers and host their malicious sites on the sites hosted there, using certificates stolen from these sites owners.

Why then do I even bother with a certificate?

My site's certificate is self-signed. It has no trust when it comes to indicating I am who I say I am, but it does encrypt the traffic to and from it. Communication encryption is the only viable reason to use a Website certificate.

If you run a public Website, buy a cheap certificate, but not for providing trust. It will at least provide encryption to protect against eavesdropping.

Besides, users don't check certificates. They click "okay." So even if the certificate did convey any sense of trust, its use would be limited to experts with time on their hands.

And certificates are also money-makers: vendors sell a false sense of security by providing a small picture to put on your Webpage that certifies you are "Hacking Safe." But that's misleading.

You shouldn't trust Web certificates. Still, there are no alternatives. Perhaps it is time we came up with a real methodology to verify Websites rather than perpetuate this defunct technology.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading. Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ... View Full Bio

 

Recommended Reading:

Comment  | 
Email This  | 
Print  | 
RSS
More Insights
Copyright © 2020 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service