
SSL certificates often advertise varying amounts of warranties or guarantees, for example $500,000 or $1m.

My question is, in the history of SSL, has anyone ever actually successfully claimed one of these warranties? Has there ever been a case? If not, is it fair to assume they are just marketing gimmicks?

Tom
  • Not exactly on-topic for this site, it *might* be better at http://security.stackexchange.com/. – Cyclops Oct 29 '11 at 11:59
  • @Cyclops I tried in webmasters exchange but they closed it, I don't know where to post this – Tom Oct 29 '11 at 12:46
  • I don't think there's a site on the network right now that would field this question: it's just trivia. Definitely off-topic here: nothing to do with software development. –  Oct 29 '11 at 21:11
  • It might be a reasonable fit for skeptics.SE, since they like to debunk stuff and this warranty sounds like a whole lot of "bunk". – Roman Starkov Jul 04 '14 at 17:18

2 Answers


The warranty is kind of misleading, actually, because it's not issued to the purchaser of the certificate -- it's issued to the users of the site. So say you give your credit card details to a website that's verified by a CA that offers a warranty and the (fraudulent) site takes money from you, then you can use the warranty to claim back the money you lost.

In reality, though, this almost never happens. It's extremely rare (though not entirely unheard of) for a CA to give out a certificate to a fraudulent entity. And when it does happen, it's pretty much the end of that CA -- all trust is lost and it cannot continue to conduct business. DigiNotar declared bankruptcy within a month of that scandal.

Note that it also doesn't cover "phishing" sites. So if you give your credit card details to "paypal.com.scammer.org" then, even though that domain might be verified by a CA, that's still your own fault. It would only be if a CA erroneously gave a certificate for "paypal.com" to someone who is not PayPal.

Dean Harding
  • So if I buy a cert from Registrar X, then Registrar Y gives a cert to a fraudulent site, then do users claim from Registrar X or Registrar Y? – dave1010 Apr 20 '15 at 10:18
  • So after all, I as a user can claim only the money I lost, not the whole sum. – x-yuri Dec 14 '21 at 17:49
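The distinction this answer draws between a phishing look-alike domain and a mis-issued certificate comes down to what a TLS client actually checks: that a dNSName in the certificate matches the host it connected to, and nothing about who the user believes that host to be. The following Python is an added example, not code from the answer, from any browser, or from any CA. It implements the RFC 6125 hostname-matching rules that browsers apply and runs them over constructed scenarios; the domains, SAN lists and "who holds the key" data are made up for illustration, and the registrable-domain helper is a deliberate simplification (real validation consults the Public Suffix List).

```python
"""Added example: RFC 6125 style dNSName matching, applied to constructed
scenarios that mirror the look-alike vs. mis-issuance cases in the answer.
Not code from the original answer or from any browser or CA library."""


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """True if one dNSName from a certificate's SAN extension covers `hostname`.

    Rules applied (RFC 6125 section 6.4.3, as browsers implement them):
      * comparison is case-insensitive and ignores a trailing dot;
      * label counts must be equal, so a wildcard covers exactly one label;
      * '*' is honoured only as the entire left-most label;
      * a wildcard must leave at least two literal labels ("*.com" is rejected).
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "" in cert_labels or "" in host_labels:
        return False  # empty label means a malformed name
    if len(cert_labels) != len(host_labels):
        return False  # "*.scammer.org" does not reach "paypal.com.scammer.org"
    head, rest = cert_labels[0], cert_labels[1:]
    if "*" in rest:
        return False  # wildcard anywhere but the left-most label
    if head == "*" and len(rest) < 2:
        return False  # too broad, e.g. "*.com"
    return all(c == "*" or c == h for c, h in zip(cert_labels, host_labels))


def certificate_covers(san_names, hostname: str) -> bool:
    """True if any SAN dNSName in the presented certificate covers the host."""
    return any(hostname_matches(name, hostname) for name in san_names)


def registrable_domain(name: str) -> str:
    """Simplified: last two labels. Real code uses the Public Suffix List,
    otherwise names like 'example.co.uk' are handled wrongly."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def misissued_names(san_names, holder_domains) -> list:
    """Names in the certificate whose registrable domain the key holder does
    not control. Non-empty means the CA's domain validation failed, which is
    the scenario the warranty language is about. `holder_domains` stands in
    for the ownership facts a CA is supposed to verify (constructed here)."""
    return [n for n in san_names if registrable_domain(n) not in holder_domains]


# Constructed scenarios: (host the user connected to, SAN names in the
# presented certificate, registrable domains the key holder really controls).
SCENARIOS = [
    # look-alike phishing site: browser accepts, CA issued correctly
    ("paypal.com.scammer.org", ["paypal.com.scammer.org"], {"scammer.org"}),
    # same look-alike cert re-used on the real name: browser rejects it
    ("paypal.com", ["paypal.com.scammer.org"], {"scammer.org"}),
    # the real site with its own certificate
    ("paypal.com", ["paypal.com", "www.paypal.com"], {"paypal.com"}),
    # mis-issuance: a cert for paypal.com in the hands of someone else
    ("paypal.com", ["paypal.com", "www.paypal.com"], {"scammer.org"}),
]


def evaluate(scenario) -> tuple:
    """Return (client_accepts, ca_at_fault) for one scenario. Note that the
    client's answer is identical for the look-alike, legitimate and mis-issued
    cases; only the CA-side ownership check separates them."""
    hostname, san_names, holder_domains = scenario
    client_accepts = certificate_covers(san_names, hostname)
    ca_at_fault = client_accepts and bool(misissued_names(san_names, holder_domains))
    return client_accepts, ca_at_fault


if __name__ == "__main__":
    for scenario in SCENARIOS:
        accepts, fault = evaluate(scenario)
        print(f"{scenario[0]:<24} SAN={scenario[1]} "
              f"client_accepts={accepts} ca_at_fault={fault}")
```

Running it shows that the client cannot tell scenario 3 (legitimate) from scenario 4 (mis-issued): both validate for "paypal.com". That is why a CA failure is dealt with by revocation and by browsers distrusting the CA, as happened with DigiNotar, rather than by anything the connecting client can check, and why the look-alike case in scenario 1 is not a CA failure at all.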

No they should not be marketing gimmicks!

Certificates are not issued to just anyone.

Companies that are trusted issuers do research on someone requesting a certificate to confirm that he indeed is who he claims and that he has a legitimate business.

If, for example, you connect to a website that is fraudulent but has obtained a certificate from Verisign (mentioned as an example), I would expect that you can take many legal actions against both the site and the issuer.

SSL is based on trust which is a very thin concept when it comes to computer security.

If the trusted issuers are not doing their job well enough, then security goes down the drain.

Personally I don't know if there is any historic example of this (I hope there isn't any).

user10326
  • Certificates _are_ issued to just about anyone, provided they can purchase a domain. What they're not (supposed to be) issued for is people who aren't responsible for the domain. – Donal Fellows Oct 29 '11 at 17:10
  • @DonalFellows Unless your local network includes a TLS proxy. – Phil Lello Mar 13 '16 at 18:02
  • A certificate should never give trust to the company but only make sure that the connection is encrypted. Unfortunately the CAs have decided it's so much easier to make tons of money without any service if they can go with the trust thing. Don't forget that Shuttleworth made his hundreds of millions not from MS but used his MS salary to start Thawte and sell it to make him filthy rich. – Lothar Jun 18 '16 at 03:40