SSL site seal
I don’t follow the rationale behind SSL site seals, which are usually marketed as an add-on to higher-priced X.509 certificates. What is the advantage of asking a visitor who is apparently already on your website to click on an image and go to a third-party website to verify the site’s certificate? It brings a false sense of security: users who don’t know about SSL can be fooled into visiting a dummy non-SSL webpage that simply copies the site seal image.
Your web browser already verifies the CA’s signature on the presented certificate. Many popular browsers also let you view information about the Subject and the Issuer in the certificate. If the site seal was created because a certificate may have been revoked and the browser hasn’t checked that, then the same can be said for the certificate that the CA’s website hosting the site seal sends.
On the subject of SSL certificates, it is high time that Firefox added a box next to the location bar, which displays the organization (O) of the Subject DN in the X.509 certificate when visiting a website over HTTPS. Right now, hovering over the padlock displays the certificate authority that signed the certificate. A user like me would be more interested in seeing the organization that it was issued to.
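To show where the organization the author wants displayed actually lives in a certificate, here is an added example (not part of the original post) that encodes and decodes the X.509 Subject Name structure in DER: a SEQUENCE of SETs of (OID, string) pairs. The subject values are constructed for the demonstration, not taken from any real certificate.

```python
# Minimal DER walker for an X.509 Name, the structure that holds the Subject DN.
# Added example, not code from the original post; the Subject below is constructed.
OID_CN = bytes.fromhex("550403")  # 2.5.4.3  commonName
OID_O = bytes.fromhex("55040a")   # 2.5.4.10 organizationName


def der(tag: int, body: bytes) -> bytes:
    """Tag-length-value encoding; short and one-byte long-form lengths are enough here."""
    length = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + length + body


def build_name(attrs):
    """Encode [(oid, value), ...] as Name ::= SEQUENCE OF SET OF AttributeTypeAndValue."""
    rdns = b"".join(
        der(0x31, der(0x30, der(0x06, oid) + der(0x0C, value.encode("utf-8"))))
        for oid, value in attrs)
    return der(0x30, rdns)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_name(name_der: bytes) -> dict:
    """Pull CN and O out of a DER-encoded Name; other attributes are ignored."""
    tag, body, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)          # SET (one RelativeDistinguishedName)
        p = 0
        while p < len(rdn):
            _, atv, p = read_tlv(rdn, p)           # SEQUENCE { type OID, value }
            _, oid, q = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, q)         # UTF8String or PrintableString
            key = {OID_CN: "CN", OID_O: "O"}.get(oid)
            if key:
                out[key] = value.decode("utf-8")
    return out


def identity_label(subject: dict) -> str:
    """What the post asks the browser to show: the O attribute when the certificate has one.
    A domain-validated certificate carries no O, so only the host name can be displayed."""
    return subject["O"] if "O" in subject else subject.get("CN", "(no identity)")
```

With a real certificate the same walk would start at the Subject field of the TBSCertificate, but the Name encoding is identical.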
September 16th, 2007 at 2:25 am
If you want to fix one thing that is entirely wrong behavior and genuinely dangerous, then fix the browsers to be extremely whiny about silly self-signed certificates, without the ability to disable that behavior, ever.
The amount of false security generated by those amateurish hacks and lame administrators is plain destructive.
September 16th, 2007 at 10:14 am
We had one of those silly seals on our company’s web application. I noticed one day that some scripts were taking 30 seconds or more to load, which meant that the page appeared to be done loading but the JavaScript onload event never triggered. After a few moments of investigating I noticed it was the SSL cert seal that was holding it up. I removed the seal from all the scripts and everything started loading instantly. So all of our apparent performance problems were caused by that seal being hosted on a slow server.