Monday, 1 August 2011

The Risks In Wildcard Certificates

They may not be real-world problems, but Wildcard Certificate have some definite theoretical problems. But they can be so much cheaper that users will buy them anyway.

The imperative to use SSL, for web authentication and encryption or VPNs, is reasonably universal. Competition has driven prices of certificates down over the years to the point where you can get conventional SSL certificates from reputable vendors for well under $100 per year.

Another product gaining popularity due to competition is the Wildcard SSL Certificate. A conventional certificate works on a single domain, e.g. A wildcard certificate protects all subdomains of a domain subject to the use of wildcard characters in the name. So a wildcard certificate for * protects,,,, and so on.

I have received many notes from vendors about them, both as press and as a prospective customer. Most CAs (certificate authorities) clearly see them as a way to grow markets. If you've got a lot of domains you can save a lot of money with a wildcard certificate relative to buying individual certificates for them, but not from all vendors. VeriSign, the 800 lb. gorilla in the CA room, prices wildcard certs by the domain being protected, so that they don't save much, if any money outright.

There is still a potential to save in convenience of administration with a wildcard certificate. But there are real downsides to wildcard certificates. When things go wrong the convenience may evaporate quickly. The VeriSign site lists their take on the disadvantages of wildcard certs:
  • Security: If one server or sub-domain is compromised, all sub-domains may be compromised.
  • Management: If the wildcard certificate needs to be revoked, all sub-domains will need a new certificate.
  • Compatibility: Wildcard certificates may not work seamlessly with older server-client configurations.
  • Protection: VeriSign Wildcard SSL Certificate are not protected by NetSure extended warranty.

I hope it doesn't need to be said that VeriSign, as the dominant market player, has an interest in prices remaining high, so take their advice on wildcards in that light. The last point is VeriSign saying that wildcards get a lesser level of service from them, so that's not a problem inherent in the technology, but the other 3 points are reasonable generally.

No comments:

Post a Comment