Feb 16 2006

Stupid Google SSL Certificates

Category: IT Thoughts
Jeremy Wright @ 12:39 pm

Now that IE7 is finally tightening down security, it’s becoming readily apparent which companies have been overly lazy with their SSL Certificates.

Google, for example, has bought only one SSL certificate, and it covers just www.google.com. So when you visit any other Google site over HTTPS, the hostname doesn't match the certificate and you get certificate errors. In IE7 this isn't just some little popup; it actually stops the entire page from loading.

This is good.

What’s bad is that Google hasn’t fixed this problem in over 2 years. More browsers should be blocking misconfigured SSL certs. Maybe then Google would fix it.

The irony, of course, is that the day after IE7 went into beta 2, Google fixed their homepage so you could add Google as the default engine to IE7. But, 2 weeks later, they still haven’t fixed their certificate issue. And y’know what? I’m using Google services less as a result.

2 Responses to “Stupid Google SSL Certificates”

  1. allgood2 says:

    Of course we could be focusing on totally different issues here, but I’m focused on the statement: Google, for example, has only bought 1 SSL certificate. I’ve always thought it was an issue when sites had tons of security certificates. Why? Because, ultimately, I feel the point of a security certificate is to determine if the verified connection is with a site you trust. And to that, really how many alternative names do I have to know for a single vendor?!!

    Sure, Google is easy. Most of its projects or products end up with Google somewhere in the name. Except Orkut (well, maybe there are others I don’t know of). But take, for example, one of my credit card companies, Household Bank, which has a slew of certificates. I could spend a week ironing out the maze, and I still can’t figure out if HSBC is Household’s new name, the name of a parent organization, the name of a network, or some other possibility.

    Nothing against any of them, it’s just they purchased a bank where I did know these details, and now I get issued a slew of ‘random’ security certificates; and I could delve in further, but have probably erred on the side of error, by just saying well, they’re all associated somehow.

    Obviously, you could be focused more on the second part of your statement, regarding configuration (assuming there is a way for an organization to purchase a single security certificate and use it on all the sites they manage and maintain as part of that site’s network), but if, assuming that for proper configuration, each site in a network needs its own security certificate, then I’d say that’s an issue with how certificates are generated. I’d rather have a single certificate that is easily, readily, and distinctly traced back to Google, Apple, Household, or even the complex that owns my local movie theatre, than have to decide for each certificate that pops up what its relevance is to the site I’m visiting.

    That was possibly garbled, so let me restate. If I’m visiting Household VISA, and they are owned by HSBC, then I’d rather receive a single certificate from HSBC, perhaps with an owner badge, so I can mentally say “O’ Household is owned by HSBC? Who’s HSBC?” and research, decline or accept. But now, I receive a myriad of certificates, all or most perfectly valid, but I rarely know who the assigned company is in the maze of security.

  2. Jeremy Wright says:

    Actually I agree that you should only get certificates for the site / company you’re visiting.

    And, yes, there are “all encompassing” certificates that companies can buy, so Google could fix this issue very, very quickly if they wanted to :)
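The name check that IE7 is enforcing in the post, and the “all encompassing” (wildcard or multi-name) certificate mentioned in the reply, can be shown with a small hostname matcher. This is an added illustration, not code from the post or from any browser; the two certificate records are constructed samples, and the wildcard rules follow the usual browser convention that a wildcard may stand only for the whole left-most label.

```python
# Constructed sample certificates, reduced to the fields that matter for the
# hostname check: the subject CN and any subjectAltName DNS entries.
SINGLE_NAME_CERT = {"subject_cn": "www.google.com", "san": []}
# Hypothetical "all encompassing" certificate for comparison.
WILDCARD_CERT = {"subject_cn": "*.google.com", "san": ["*.google.com", "google.com"]}

def cert_names(cert):
    """Names a client compares against the URL hostname.
    SAN entries win; the subject CN is only a fallback when there are none."""
    return list(cert["san"]) if cert["san"] else [cert["subject_cn"]]

def name_matches(pattern, hostname):
    """Match one certificate name against a hostname, case-insensitively.
    A '*' is honoured only as the entire left-most label, so *.google.com
    covers mail.google.com but not google.com, a.b.google.com or w*.google.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3:                     # reject *.com style wildcards
        return False
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False                          # partial or nested wildcards
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False                          # wildcard spans exactly one label
    return p_labels[1:] == h_labels[1:]

def hostname_matches(cert, hostname):
    """True when any acceptable name in the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in cert_names(cert))

def failing_hosts(cert, hostnames):
    """Hostnames a strict browser would refuse to load with this certificate."""
    return [h for h in hostnames if not hostname_matches(cert, h)]

if __name__ == "__main__":
    # Constructed list of hostnames, not a claim about any real deployment.
    hosts = ["www.google.com", "mail.google.com", "a.b.google.com"]
    print("single-name cert fails:", failing_hosts(SINGLE_NAME_CERT, hosts))
    print("wildcard cert fails:   ", failing_hosts(WILDCARD_CERT, hosts))
```

The single-name certificate passes only for www.google.com, while the wildcard one still rejects the two-level subdomain, which is why a wildcard is not a blanket fix for every hostname.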