Question:
Obtaining a client SSL certificate using false/misleading information?
Donny Bahama
2009-09-03 22:21:35 UTC
I know there are laws that cover computer encryption, but is there one (or more) that specifically covers the acquisition of an SSL (client) certificate using falsified identification information?

Example: A website requires me to obtain a Class 1 client (browser) certificate from a Certificate Authority in order to access their website. I go to (e.g.) Verisign's website and fill out the form, but I use a name and address other than my own. The certificate is issued and installed into my browser. Now I go to that website and it reads the certificate and lets me in.

Clearly that's deceptive and fraudulent, but have I broken the law? If so, can anyone tell me the specific law(s) -- and maybe the "punishable by up to..." info?

Many thanks!
Three answers:
2009-09-03 22:31:34 UTC
Most companies validate your domain and organization through government records before issuing the SSL. The reason for doing this is to restore confidence among visitors that a website operator is a legally established business or organization with a verifiable identity. So it might not be "illegal" so to speak to have the SSL issued under a different name.

The validation just proves that you're a legal entity. Otherwise anyone can claim they are such and such company and it could be used fraudulently and lead to lawsuits, assuming the original company decided to pursue for damages and fraudulent use of company trademarks.

-Ryan M., Server Engineer @ http://www.hosting.com
2016-04-10 02:04:56 UTC
secure socket layer: Every SSL Certificate is created for a particular server in a specific domain for a verified business entity. Like a passport or a driver’s license, an SSL Certificate is issued by a trusted authority, the Certificate Authority (CA). When the SSL handshake occurs, the browser requires authentication from the server. A customer sees the organization name when they click certain SSL trust marks (such as the VeriSign Secured™ Seal) or use a browser that supports Extended Validation. If the information does not match or the certificate has expired, the browser displays an error message or warning.
2009-09-03 23:11:09 UTC
The company gave you the certificate that checks out as legit, even though you used someone else's name and address, which is entirely a lie by you. The only one that has to live with what you have done is you.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.