Impersonating secure web servers



Find out why you can’t trust your web browser or certificate authorities.

If you’re reading this magazine, a large portion of your life is likely handled through a web browser. Online banking, shopping, bill payment, social networks, news – you name it and chances are you can do it with a web browser. To do these things safely (especially the things like banking), you need to trust your web browser. However, your web browser can’t magically verify that is actually your bank, which is why SSL was invented.

Read full article as PDF:

054-055_kurt.pdf (2.16 MB)

Related content


  • Good news - Verisign removes dangerous addresses

    From Verisign (Bug 556468):
    Hi, I did want to provide an update from our side and say that VeriSign will be
    removing the following generic approver email options for GeoTrust and RapidSSL
    as of tonight or tomorrow night:

    - ssladmin, sysadmin, and info

    We did have these planned for removal in our upcoming release, but have
    acceralated that to tonight or tomorrow night. We will post an update once
    these are removed.

    Our hope is that Mozilla will work with the other CAs who use these options for
    domain validated certs to have them remove these asap as well.

    However this means that "domain verification" still consists of checking one email address and nothing else, but at least the easily obtained email addresses have been removed. If anyone knows of other CA's still using addresses such as ssladmin@ please contact me at
  • Turktrust and government

    Turktrust lives and operates in Turkey. Thus the Turkish government can order/force/etc. certificates to be issued (for example to intercept communications between say a PKK website and its members). Or for anything really. If a company like Turktrust was restricted to issuing certificates for Turkish entities with domains names only ending in .tr (not .tk as I originally said, my bad) then I would have very little trust issues with them, but since those types of restrictions are not currently supported a root CA can do anything they please. Thus certificate authorities in countries with governments that are less open and subject to fewer checks and balances are potentially very dangerous to users of Firefox worldwide.
  • TurkTrust

    TurkTrust is a private company which is entitled to issue sertificates according to their web site. I don't have a clue about how good they do their job. But I don't see the connections you are making between TurkTrust, Turkish government or .tr/.tk whatever domain. AFAIK being CA and giving out domain names ending with .tr or any other country code are different matters.
  • tk/tr - my bad

    Apologies, that was a typo, I was specifically talking about the Turktrust certificate (first one listed in the certificate store if you look), I should have double checked the TLD I typed but my brain told me .tk so I typed .tk, mea culpa.
  • An industry problem with DV certs

    This is the problem with DV (Domain Validated) certs. You don't know who you are dealing with. (How can you trust what you can't really see? ) DV certs need to die a horrible death. There is only a few places where a DV cert is worthwhile. That is on your website's control panel (or anywhere that isn't intended for other users than yourself or a few "employees".) or your company's webmail (for employees, not customers). Because if you can't trust your own company to exist or be who they say you are, who can you trust?

    The place to get these DV certs out of the industry is the CA/Browser forum( It's because of Companies like Verisign (Owners of RapidSSL) and GoDaddy that DV certs are popular because they are so "inexpensive". Other CAs are FORCED into offering them and unfortunately it is a dog eat dog world out there.

    There is one minor browser vendor (Comodo, which is also a CA) trying to do some good to get these certs out of the way by displaying a little warning about any DV cert it comes across. There may be a few false positives with it, but over all it works pretty well in my uses. Sites that I didn't think would use DV certs DO! (Twitter and Facebook come to mind and that's pretty sad). Here's a link to the writeup that Netcraft recently wrote up on said browser (Comodo Dragon).

    If we all voice our thoughts, we can get these pathetic excuses for a cert OUT of the marketplace!
  • .tk

    tk -> Tokelau

    How much time does it take to check what .tk stands for?
  • Domain .tk

    .tk is not Turkey. .tr is.
comments powered by Disqus

Direct Download

Read full article as PDF:

054-055_kurt.pdf (2.16 MB)