soupdidoup

“ I haven't bought certificates for some time now, but the days where you had to provide official (governmental) documents to establish the identity of your business/domain and verify domain ownership and all had to be consistent seem to be gone. To me it looks like CA business has turned in to a crappy "make money fast" system without any reasonable checks. RapidSSL even seems to not be one of the worst of them. At least they kinda publicly document what they do. And then the "bug" is not really with RapidSSL, but with the entity behind the Equifax CA for not monitoring the validation procedures of their resellers, but signing the CSRs nevertheless. I have learned that SSL isn't worth anything currently wrg identity and trust (except for my own private CA of course :-) Even the SSL Cert for this website is from Equifax (the same CA that RapidSSL uses, too) Talking about "reasonable measures" in Mozilla CA Certificate Policy (Version 1.2) without exactly defining them in detail is IMHO blurry and not really a useful method to establish trust. From today on I will see any "trust icons" in every browser gui with totally different eyes and work through all dialogs about unsecure Certs with an ironic smile on my face. ”

Reposted by it-fail

“ As you can see from the above URL RapidSSL verifies domain holders simply by submitting PINs via automated phone calls and then sending a verification to a more or less random email address within the domain. With that procedure everyone with a clever account like keyman@ or sslmanager@ (aka something that *sounds* plausible) can order "trusted" SSL keys from RapidSSL. IMHO this is not in conformance to the Mozilla CA Certificate Policy (paragraph 7). In case of e.g. a (not so well known) Mail Service Provider this may have severe security implications when combined with pharming attacks. In combination with phishing attacks this may lead to widespread serious problems. The Root CA signing RapidSSL Certs is Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1 (see http://www.rapidssl.com/cps/rapidssl_01.cer) I hereby request either demanding that RapidSSL signs their Certs with another Issuer than the above or to have the above Issuer removed from the list of builtin trusted CAs. ”

Reposted by it-fail