
What good is verified communication when you can buy an SSL cert with pretty much any fake information you want?



No good at all. Which is why you can't buy an SSL certificate that claims to be onlinebanking.bankofamerica.com.


I'd like to know where I can buy a cert this way. Pretty please.


All that's required are scanned documents. And these documents can easily be tampered with or photoshopped. You may think your company details are checked before the cert is issued, but that's crap. We email our docs to a US company, and all the docs are issued by Irish government departments. There's no way in hell that some guy in what amounts to a call centre in the US has access to any Irish database to prove or disprove their validity. SSL certs are a crock of shit - all you need to do to get one you're not entitled to is to be slightly outside the norm, and claiming any small country as your location is good enough for that. Hell, you could make up your own government departments and documents, and that'd be good enough for most of these companies.


Give me a break. This is like saying all online security is a sham because I can always physically break into your office. You know how many times a real CA has fucked up and accidentally issued a Bank of America certificate to organized criminals in Estonia? ZERO.


You can say it's crap all you want, but until you've worked inside a CA and seen what goes on - you know shit. Good luck ordering a cert with your 'shopped docs...


You can't. Seriously, try it. You can't get a 'proper' cert unless you go through the background checks. You can't get a domain-only validated one unless you control the domain.



