* Posts by robjs

2 publicly visible posts • joined 11 Apr 2011

How is SSL hopelessly broken? Let us count the ways

robjs

further proof

And if it were true, members of the public wouldn't be spotting things like this....

http://www.theregister.co.uk/2011/04/11/ceop_website_security_glitch/

robjs

no profit, no validation

To Quote... "Abdulhayoglu is also critical of the entire certificate market for selling credentials for as little as $8 apiece. The low cost means CAs can only turn a profit by doing as little vetting as possible and relying on automated mechanisms that are more susceptible to attacks than those that require the intervention of humans"

This is a very important statement. The low-end market is indeed flooded with cheap SSL offers, but that market is dominated by 3 major CAs, namely RapidSSL, GoDaddy and, you guessed it, Comodo.

So by his own admission, Abdulhayoglu admits that in order for his company to turn a profit in this highly competitive market, Comodo (as part of that network offering low cost SSL certificates) must do 'as little vetting as possible'.

This is made even more worrying by Comodo's recent promos, including free upgrades to EV SSL.

A question: if it's hard to turn a profit on Domain Validation, how the hell does this company make any money on Extended Validation by giving it away free.... do they do 'as little vetting as possible' here as well???

A CA is paid to validate to the very highest standards, as set by the industry and the CAB Forum guidelines. Sorry, but if you can't make a profit, don't cut back on the rules and misissue certificates. Bow out gracefully and let the other companies get on with doing their job properly.

If Comodo is therefore a big Enterprise player, as it claims, then surely it does not need to sustain itself from this low-end, unprofitable DV market. It can stand proudly on its soapbox and lead the market away from DV certificates. If they are so dangerous and there is no profit to be made, then what is to stop them?

It's unfortunately the case that Comodo is the worst culprit in low-cost certs and has to seek alternative methods to save costs and increase margin. That is why they employed a number of RAs to do their job, and it backfired spectacularly. Now they try to mask that as an industry-wide problem!

Come on, wake up everyone.