The Inquirer

Godaddy is fingered for dodgy SSL certificates

Elephant killer’s firm is signing certs for unqualified domain names
Thu Apr 07 2011, 13:09

MANY CERTIFICATION AUTHORITIES (CAs) are failing at their job of validating the identity of secure web servers due to their own insecure practices, according to the Electronic Frontier Foundation (EFF).

CAs are signing Secure Sockets Layer (SSL) certificates for names that are unqualified, which is a major problem because it shows that the certificates they sign are not being validated properly.

CAs should only sign public, fully qualified names on the Internet, and the existence of certificates for unqualified domain names could cause security problems through man-in-the-middle attacks.

Using data from the EFF SSL observatory, researchers revealed how many CAs are signing unqualified names. They include the web hosting firm Godaddy, by now infamous for being led by an unabashed elephant murderer, which was "by far the worst offender".

The EFF's technology director Chris Palmer said, "The most common unqualified name is 'localhost', which always refers to your own computer!"

"It simply makes no sense for a public CA to sign a certificate for this private name. Some CAs have signed many, many certificates for this name, which indicates that they do not even keep track of which names they have signed."
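As an added example (not code from the article or the EFF), here is one way to audit the names in a certificate for the problem described above. It assumes the certificate is already decoded into the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the reserved-TLD list, the function names and the sample certificate are constructed for illustration.

```python
import ipaddress

# Special-use TLDs that a public CA cannot validate ownership of
# (RFC 2606 / RFC 6761 / RFC 6762). The selection is this example's assumption.
RESERVED_TLDS = {"localhost", "local", "test", "example", "invalid"}

def classify_name(name):
    """Return the reason a certificate name is not a public FQDN, or None."""
    host = name.strip().rstrip(".").lower()
    if host.startswith("*."):
        host = host[2:]              # judge a wildcard by its base domain
    if not host:
        return "empty name"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        pass                         # not an IP literal, treat as a DNS name
    else:
        return None if ip.is_global else "non-public IP address"
    labels = host.split(".")
    if len(labels) == 1:
        return "unqualified name"    # e.g. 'localhost', 'mail'
    if labels[-1] in RESERVED_TLDS:
        return "reserved TLD"
    return None

def audit_cert(cert):
    """Map each problematic name in the cert (CN and SAN entries) to a reason."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    findings = {}
    for n in names:
        reason = classify_name(n)
        if reason:
            findings[n] = reason
    return findings

# Constructed sample certificate (not real data from the SSL Observatory).
SAMPLE_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"), ("DNS", "mail"), ("DNS", "www.eff.org"),
                       ("DNS", "intranet.corp.local"), ("IP Address", "192.168.1.10")),
}

if __name__ == "__main__":
    for name, reason in audit_cert(SAMPLE_CERT).items():
        print(f"{name}: {reason}")
```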

In a further post, Palmer also revealed how CAs have been signing certificates for domain names that were qualified, but completely meaningless.

The recent Comodo hack showed how important it is that CAs get it right, prodding Google into revealing the work it is doing to survey, catalogue and check SSL certificates. µ

Comments
Open jacket

Yep it's all set up flawlessly.
But actually I'm half glad since the tighter the jacket the more certain it becomes that certain parties will feel enabled to walk all over you, and control your life and rights.
It's hard to have things work cleanly on this planet.

posted by: W.-, 08 April 2011