TechNewsWorld Talkback

Posted by: Scott M. Fulton, III 2010-04-04 14:29:36

Two university researchers discovered at a recent security conference that security companies often deal with governments that can compel certificate authorities to produce SSL security keys for them. Those keys can then be used to sign certificates as any other Web site, enabling a law enforcement authority -- hypothetically speaking, of course -- to spoof virtually any other site. However, you don't need to be a government to compel a certificate authority to issue an SSL certificate for a major Web mail service of your choice. You just need a valid credit card.
being how many legit sites I have run across with either out of date, or invalid certificates (the latter usually due to some stupid thing, like hosting major files/documents on a site without a certificate, then trying to use their main site's certificate to authenticate it).
Just goes to show how, basically, useless buying "proof of validity" is, instead of having... I don't know.. but something that is harder to screw up.
After all, while some idiots are likely to use their own credit card to create a fake cert, the brighter ones are going to do it by using the credit card numbers they are scamming off the people they need a fake certification to scam in the first place. It's like having an issuing agency provide a serial burglar a "right to own lockpicks", based on fake SSN numbers, and never noticing (possibly the worker is blind, kind of like the sites are?) that the guy who keeps coming in for them is claiming a different name every time. Obviously, a credit card isn't sufficient evidence for who the person is. Duh!!