Saturday, May 15, 2010

SSL Certs - It's about Identity, Not encryption

What I've recently learned that is TL:DR for me:
An SSL certificate is designed to provide identification, not [just] encryption. The point of the SSL Certificate is to inform the browser that the encryption being utilized is the one being offered at the server that you think you're visiting.

A CA/Certificate Authority is an entity that offers and digitally signs an SSL certificate. It is a third party that hopefully your browser trusts to confirms the certificate your web browser sees is the one that the CA issued.

Do you need to spend money to get an SSL certificate?
No: can get you a real third-party verified SSL certificate.

If you can do that, why spend money?
Remember, an SSL certificate minimally provides identification that the SSL certificate that your browser sees is authorized by the CA for the domain name (and for the free certificate, an associated email address) that requested it. That type of information can be generally completed in an automated fashion. The next levels are generally "Verified" and "Extended Validation". Both of those require humans and time and vetting, so they might be more expensive. SSL is for identification, not [just] encryption. Higher levels of certification mean not only is the certificate pointing to the domain, but also that the domain really is the company that you want to connect to. See? Free SSL certificates are cheap. A phisher can create a look-a-like web site that has a real SSL certificate, connected to a almost-the-same domain name, and you could reasonably believe that you've entered your password -- securely -- on the correct domain.

What do you need for SSL?
If the minimum you need is a certificate for verifying that the encryption is valid for the site, maybe for your own email/Exchange Server, Cheap or even self-signed could possibly be adequate. If you're offering a secure service to the general public, you probably want to further ensure that they are connecting to the correct *COMPANY* as well as the correct domain, and therefore you'll want to go for higher levels of verification.

No comments:

Blog Archive