[conspire] question about "thawte" - how secure are websites covered by thawte
Rick Moen
rick at linuxmafia.com
Thu Sep 3 15:02:39 PDT 2009
Quoting Darlene Wallach (freepalestin at dslextreme.com):
> As far as VeriSign goes, I know how to spell it since you wrote it
> down for me. How secure are websites covered by VeriSign? How likely
> is it someone can crack the site and get the confidential information
> protected by VeriSign?
Um... VeriSign, in acting as an SSL Certificate Authority that signs
customers' https SSL certificates, isn't making any statements
whatsoever about security behind the scenes at the site. The SSL cert
merely makes a kinda-sorta statement about whose SSL cert it is.

Really, all that happens is that your Web browser doesn't pop up
a warning about the cert, solely because it detects that the cert
has been signed by a known CA (that's in the browser's list of CAs
whose word it's willing to take).

The site in question could easily have been taken over by the Russian
Mafia, Colombian druglords, _and_ the Bavarian Illuminati, who severally
and jointly have dug their hooks into the site's back-end databases,
Web code, etc., and are using the firm's long-term capital assets as
petty cash funds. The VeriSign signature will still continue to
validate on the site SSL cert.