When you’re shopping for an SSL Certificate, your primary concerns are usually the price, validation type, issuance time and browser compatibility.
When you look at the specifications more closely, you discover that every SSL product comes with an SSL Certificate warranty. The warranty amount varies greatly from certificate to certificate. Whether it’s just $10,000 or a whopping $1,500,000, extra assurance in case of a data breach is always welcome.
The SSL Certificate warranty covers damages that result from the improper issuance of a certificate to a fraudulent entity. For example, if a user connects to a scam website that has nevertheless obtained a certificate from a recognized Certificate Authority, the user can take legal action against both the site and the certificate issuer. Here’s where the SSL warranty can be a bit misleading: the owner of the SSL Certificate can’t claim it. The warranty applies to end-users only.
Let’s say a person buys a product from an HTTPS site and this leads to a financial loss. In this case, the end-user is entitled to claim warranty compensation, and the Certificate Authority will cover the losses according to its terms and conditions.
One thing SSL warranties don’t cover is phishing sites. If you give your credit card details to paypal.com.scam.net, even though that shady domain might have a certificate issued by a Certificate Authority, that’s still your negligence. Always check the URL carefully before giving your sensitive data to a website. In this example, the warranty would apply only if a Certificate Authority mistakenly issued an SSL certificate for paypal.com itself to an entity that is not PayPal.
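The distinction the paragraph draws is between the host a certificate is actually issued for and a brand name that merely appears somewhere in the URL. The following added example (not code from the original post) parses a few constructed URLs and reports which registrable domain the browser will really connect to; paypal.com.scam.net, a user-info trick like paypal.com@scam.net, and a brand name in the path all resolve to scam.net. It assumes, as a labelled simplification, that a registrable domain is the last two labels of the hostname; a real check needs the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed sample URLs for illustration (not taken from the original post).
SAMPLE_URLS = [
    "https://www.paypal.com/signin",        # genuine PayPal host
    "https://paypal.com.scam.net/signin",   # look-alike host from the post
    "https://paypal.com@scam.net/signin",   # 'paypal.com' is userinfo, host is scam.net
    "https://scam.net/paypal.com/signin",   # brand name only in the path
    "http://www.paypal.com/signin",         # right domain, but no TLS at all
]


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Assumption/simplification: every registrable domain is treated as exactly
    two labels. That is correct for the .com/.net hosts used here but not for
    suffixes such as 'co.uk'; production code should consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str, expected_domain: str) -> str:
    """Classify a URL relative to the domain the user believes they are visiting.

    Returns one of:
      'not-https'        - no TLS, so no certificate (and no warranty) is involved
      'expected-domain'  - the host really belongs to expected_domain
      'lookalike'        - the brand appears in the URL but the host is elsewhere
      'other-domain'     - an unrelated host with no brand impersonation
    """
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit strips userinfo and port for us
    if parts.scheme != "https":
        return "not-https"
    if registrable_domain(host) == expected_domain:
        return "expected-domain"
    if expected_domain in url.lower():
        return "lookalike"
    return "other-domain"


def report(urls, expected_domain="paypal.com"):
    """Return {url: (host, verdict)} so callers can inspect each decision."""
    result = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        result[url] = (host, classify(url, expected_domain))
    return result


if __name__ == "__main__":
    for url, (host, verdict) in report(SAMPLE_URLS).items():
        print(f"{verdict:16} host={host:22} {url}")
```

Only the first URL would ever fall under a CA warranty claim, and only if the certificate for paypal.com itself had been mis-issued; a valid certificate for scam.net is correct issuance, so the other cases are the user's responsibility, exactly as the paragraph says.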
It all sounds simple and straightforward in theory, but has anyone ever claimed an SSL warranty?
We’ve already crunched the numbers and shown that breaking SSL encryption is a herculean task. So the human factor enters the equation only during the verification and issuance process. While it’s extremely rare for a Certificate Authority to issue an SSL certificate to a fraudulent entity, there is a precedent. When it happened, the CA lost all trust and its ability to conduct business, and went bankrupt within a month of the scandal.
DigiNotar’s fast decline
This sad story is about DigiNotar, a Dutch Certificate Authority that in 2011 issued an SSL certificate for Google.com to someone other than Google, who in turn used it to redirect the traffic of users in Iran. An investigation conducted by the Dutch Government revealed that 300,000 Iranian Gmail users were victims of man-in-the-middle attacks. In the wake of these events, DigiNotar filed for voluntary bankruptcy and ceased to exist.
The SSL industry learned some harsh lessons in 2011, but as a result it became stronger and better regulated. Today, SSL Certificates follow strict security and issuance protocols that make it almost impossible to breach the encrypted data. Some armchair experts claim the SSL warranty is just a marketing gimmick. However, no one can predict the evolution of cyber-threats and their devastating effect on web security. In the unlikely event of data theft, the only thing that will save your money is the SSL Certificate warranty.