Re: [Hampshire] home self signed ssl cert with multiple host…

Author: Adrian Bridgett
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] home self signed ssl cert with multiple host names?
On Wed, Feb 4, 2009 at 08:42:27 +0000 (+0000), Tony Whitmore wrote:
> The thinking as I understand it is that SSL certificates are relatively
> cheap to obtain so any "legit" business would have forked out a few quid
> for the necessary certificate. The scale of the warning is to combat the
> people who just click "accept" on any dialogue box, including security
> related ones. This is at the cost of usability of course, which is why this
> feature caused such a stink during the FF3 beta phase.


They are supposed to do some checks - most these days will send a
verification email to a nominated email address which should be one of
those listed in the DNS WHOIS record.

The new "EV" SSL certs do have much stronger checking done, but then
they are much more expensive. Another license for the certification
bodies to print money IMHO.
http://en.wikipedia.org/wiki/EV_SSL

Sample costs:
SSL from Verislime (Verisign): $400-1000 (normal), 1000-1500 (EV)
SSL from TrustICO (RapidSSL for example*): £15
SSL from TrustICO (GeoTrust): £36 (basic), $480 (EV)

*Now with SHA-1 hash rather than insecure MD5

Adrian
--
Email: adrian@??? -*- GPG key available on public key servers
Debian GNU/Linux - the maintainable distribution -*- www.debian.org