False SSL certificates?

I would like to know if it is possible for the bad guys to make a false SSL certificate, or if I enter a site with an SSL certificate, can I assume I am safe?

SSL certificates are generated and issued by what are known as Certification Authorities (CAs); these are registered and recognised entities, and this can be verified by checking the details of the certificate. Where they can go “wrong” is the degree of verification that a CA does on whoever is applying for a certificate. Some CAs (like Comodo) are scrupulous in ensuring that the entity applying for a certificate is the entity they are claiming to be, that their purpose is legitimate, that their ownership is verifiable, etc. Others are not so thorough.

Ewen :)

So it is not possible for phishers to make their own certificates and claim that they’re from Comodo, VeriSign or whatever? From a logical point of view, that sounds possible, but I don’t know anything about it.

An SSL certificate contains info about the Certification Authority (CA) too. Every up-to-date browser recognizes trusted CAs and thus alerts the user if the CA is unrecognized.
If someone were to claim he was from VeriSign or Comodo, the browser would point that out.

I guess that everyone could build an SSL certificate and use it for personal/private use (it is possible to add personal certificates to our browsers), but as soon as the site is public an official Certification Authority is needed.

Those CAs take on the task of assuring the identity of the certified entity.

Anyway, not all certificates are equal. Higher price ranges bear higher warranties.
Also, the certificate strength should always be on a level that can bear the value of the transaction.