Current solutions

SSL prevents eavesdropping during the transfer of data and the substitution of data (the so-called man-in-the-middle attack), but it does not offer any sort of verification of the recipient. This means that we have no way of knowing who the recipient really is, since they can choose any identity they wish.

Below: transfer of information with and without SSL.

In spite of that some suppliers of SSL certificates offer verification. But there are many problems with this kind of verification:

• SSL (secure socket layer) was always meant only to be a secure transfer protocol and as such is unsuitable as a verification service.

• Websites verified with SSL are only verified under secure https protocol and show no verification under http protocol (which is far more common).

• SSL can be bought or rented with the website – verification included.

• The verifier is the technology solution company (low reliability of the verified information).

• Each website has to be verified separately (high costs).

• In the case of buying a low cost SSL certificate there is no verification at all. But the final result, safe data transfer, a „lock“ in the browser and a yellow address bar, is still the same.

In the end visitors cannot differ between different SSL certificates – all show the same lock on the bottom of the browser. In the end SSL companies can only guarantee the secure transfer of information through the SSL – also to the wrong recipients. And this is exactly what is happening – cyber criminals now start to use low cost SSL certificates for increasing the level of trust. Many of the latest phishing websites had SSL certificates!

We can expect that the trust in SSL certificates will fall in the future, only because they are marketed as something which they were never meant to be – a verification service.