Naming no names…

SSL certificates. They are no panacea, they are intended to secure communications between two points. Not really any more, not really any less. They don’t keep the wolf from the door, repel l33t people or have magical aura's. They certainly are no guarantor of what is connecting to you, or what you are connecting to - or the niceties of what is travelling between the two. for that matter either.

Sure you can have ones that are free that your browser complains about because it doesn’t trust the issuer... sure you can have ones that cost hundreds, if not thousands - special uses - many in one - coloured address bars and all. Fancy.

Three things currently come to mind when someone near me mentions SSL certificates:

1. CA Bundle dance is no fun, sucks, and really should be made simpler to complete by the CA signatories;

2. PCI scanners would have a lot less to complain about with out them;

3. Chrome, and Android are going to hate you unless you play the tune they are humming.

4. It can be the hardest thing in the world for some people to get a grasp of.

To tick the boxes, you don’t need to be some ninja either - I mean, I get along. However - without wishing to name names... and after a shocked discussion amongst colleagues and through the use of the Qualys SSL Server Test - you would generally expect the grading for a BANK or BUILDING SOCIETY's configuraiton to be tweaked and fettled... and not trumped by a blog or cycling club? No? Oh, maybe I am just being picky then.


Leave a Reply

Your email address will not be published. Required fields are marked *