“GoDaddy” (who chose that name?) is a Certificate Authority. I was poking around their website, and I noticed that their SSL Server Certificates offer a “$1000 Warranty”.
Obviously, CAs taking liability for issuing certificates would be a great step forward, so I looked to see if I could find out exactly what this warranty entailed. I clicked the link and got the following description:
Your Secure Certificate Provides Warranty Protection:
Our warranty program provides $1000 of financial protection for your customers if they were to suffer financial loss as a direct result of relying on a certificate that was issued through our negligence.
This sounded really good. However, having checked their legal page, I couldn’t find a document which explained in more detail exactly what this warranty was, and under what circumstances they might pay out. So I called to ask…
“Hello, Go Daddy sales.”
“Hello. I was looking at your site and noticed that you offer a $1000 warranty on your certificates.”
“Sure.”
“But I was looking around the website for the legal agreement which shows exactly what that means, but I couldn’t find it. Could you tell me where it is?”
“Certainly. Click on the green “Legal” link at the bottom of the page. There’s a list of agreements there.”
“Yeah, I looked through that list, but I couldn’t find a relevant one.”
<long pause>
“You’re right; we don’t seem to have an agreement for that. What exactly was your question about the warranty?”
“Well, say, for example, I own www.happycompany.com and I have a Verisign certificate. Then, a fraudster registers www.happy-company.com, gets a certificate from you and rips off my customers. Is that situation covered? Would you pay out?”
“Well, no. You see, we’re not securing you, we’re securing the other guy. You have to be registered with us.”
“So under what circumstances might you pay out?”
“Well… you are covered if it’s through our negligence. So, for example, if the encryption failed for some reason.”
“The encryption failed?”
“Yeah.”
“But if that happened, then everyone’s encryption would fail, the entire Internet would be insecure, and you’ve got a massive world crisis. Are there any less apocalyptic scenarios where you might pay out?”
“Well, not really, no.”
“Have you ever paid out under the warranty program?”
“No. It’s really there just to reassure you that it’s a true 128-bit certificate, and to make you feel better about purchasing it.”
“Say no more. Thanks for your time.”
Gerv,
Very interesting discussion.
I, being a bit older… (in the 40-60 age bracket) just wonder whatever happened to the phrase: “Buyer, beware!”
All this discussion about SSL, PKI, CA’s, and the such…
Even my next-door neighbor can rip me off, if I don’t use any common sense.
It just seems that we’re developing layer upon layer of technology to preserve our integrity, but it seems to be more rooted in proper ‘social engineering,’ NOT ‘technology.’ Will folks just use a bit more of the common sense that they were born with, or is it one of those genes that is fading away from generation to generation? :((
I deal with too many situations in which folks just seem to think ‘technology’ should fix things, only because they can’t make a rational decision on their own.
Risk is out there, and if you’re not willing to take any risk, don’t play the game. That includes the game of life.
LarryB: Both Nelson and myself have said the same thing in recent times, until the users take more responsibility for their actions things aren’t going to change any time soon.
Have a look at this blog entry to see what I mean.
Investigative journalism at its best.
Just goes to show, don’t take anything at face value. My favorite is “now only half the fat”… Half of what? Half of 100X my daily allowance of saturated fat is still 50X my daily allowance of saturated fat. It’s not healthy. But to some people, that’s 50% _more_ healthy.
A good plan. I’ve turned off SSL 2 and haven’t yet had any problems. Here’s hoping we can turn it off for good soon!
Bah, ignore me, wrong blog post!
Hmm, on topic… Well yeah, if the encryption fails! :D
I wonder if Verisign have ever paid out for “VeriSign NetSure Protection Warranty”. Price: $250 000.
C|Net could learn a lesson on reporting from this.
1. Contact person involved.
2. Ask questions.
3. Ascertain answers.
This doesn’t surprise me. Through their Super Bowl ad, GoDaddy exposed the evil character of their company.
And just how do you not play the “game of life”?
This is the thing that annoys me most: a lot of people see security in black and white. It’s not a matter of being willing to take any risk; it’s a matter of taking calculated risks and deciding whether the risk outweighs any benefit, just like everything else in life…
e.g. don’t eat the fish, I heard it will give you a case of mild food poisoning, but on the other hand it tastes really nice. What do you do?