The sorry tale of the (un)Secure Sockets Layer

By Woody Leonhard

Two brazen Web-server break-ins this year call into question one of the Internet’s fundamental security mechanisms — website security certificates.

Because the most recent breach affected only PC users in Iran, most of us assume we’re immune. But we’re not; here’s why — and what we can do to protect ourselves.

In her Sept. 8 Top Story, Susan Bradley talked about compromised SSL security certificates from DigiNotar, a certificate authority. Somebody had broken into DigiNotar’s certificate-issuing computers — all of them — and made a bunch of fake certificates for such sites as *, *, and In her article, Susan gave instructions for manually removing potentially compromised certificates from your system. Microsoft, thankfully, has recently automated this process through MS Support article 2607712.

The mainstream press has gone gaga over the story and has produced a blizzard of ill-informed and misleading reports. If you can join the words hacker, Iran, and browser with a few technical-sounding nonsense words and then speculate wildly, you, too, could be writing copy for one of the major news outlets.

Below, I explain exactly how security certificates work, and I describe the perversity of the certificate-issuing process: how we got into this fine mess and what we can do to stay out of it in the future.

All Windows Secrets articles posted on 2011-09-15:

About Woody Leonhard

Woody Leonhard is a Windows Secrets senior editor and a senior contributing editor at InfoWorld. His latest book, the comprehensive 1,080-page Windows 8 All-In-One For Dummies, delves into all the Win8 nooks and crannies. His many writings tell it like it is — whether Microsoft likes it or not.