Secure Sockets Layer (SSL) is being undermined as a method of indicating that web sites are secure because of the way certification bodies hand out licences.
Paul Kocher, one of the co-writers of the SSL protocol and president and chief scientist at security firm Cryptography Research, told Computing that competition between certification authorities had weakened SSL as a security technology.
"The authorities who issue SSL certificates have got into an unhealthy dynamic. Their customers want certificates issued quickly and cheaply."
He explained that the quality of these certificates – that is, the amount of rigour applied by issuing authorities in verifying the security of a web site – is invisible to internet users.
SSL encryption is a means of ensuring that the site a user visits is what it claims to be, rather than a potentially criminal site posing as a legitimate one.
The user does not know the differences between the issuing bodies so cannot distinguish between one SSL certificate and another.
Users simply verify that a site has a certificate and are reassured by the padlock icon that appears in the lower right-hand corner of their browsers.
"There is no benefit in having a certificate issued from the authority that does the worst job or the best job – the user just wants to see the little lock come on and that's all," he said.
Kocher said that browsers should let users know who has issued the SSL certificate, as not all authorities employ the same high standards.
"We should enable browsers to display who is issuing these certificates. So if you thought you were using VeriSign, and suddenly it is a certificate from a Chinese government group, you can decide what level of trust to apply."