[cryptography] So, PKI lets us know who we're doing business with?

Thor Lancelot Simon tls at panix.com
Tue Jan 8 15:59:05 EST 2013


What do you do if even they don't know?  Today I tried to help someone
who was mid-transaction on Amex's cardholder web site, associating a
new card with their account, when the next step of their process hopped
us over to https://www203.americanexpress.com.

Which has an EV certificate from VeriSign that's been expired since
October last year.  Of course this is more likely due to error than
malfeasance, but nonetheless.  It's what it would look like, eventually,
if an attacker stole a private key just once, right?  So this isn't
something you want to go typing your financial secrets into.

Approximately an hour on the phone with American Express produced
approximately as much head-scratching among Amex employees as on my
end.  An expired certificate for a back-end server isn't among the
problems their online services help desk knows how to test for or
report.  Their fraud protection department refers all complaints
of web site misbehavior, even security-related, to their online services
help desk.  Their high-limit corporate card support team can create
tickets in their web development queue but evidently does not have
contact information for any relevant security department at American
Express.  The technical contacts for their domain don't answer the
phone.

In other words, even *they* don't know if the certificate in question
really vouches for them or not, and don't have any way to find out.

Can we really expect that end users will ever get that decision right?
Sure.  Sure we can.

Thor
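The check nobody on the phone could run, written here as an added example that is not part of Thor's post and not American Express code. It generates a throwaway self-signed certificate standing in for the real VeriSign EV certificate (which is not reproduced), with a notAfter in October 2012 and the clock set to the date of the post; those dates are assumptions matching the story. CheckExpiry is the monitoring-side view (days remaining, negative once expired), and Classify is the browser-side view: it runs Go's standard chain verification and reports whether the rejection was "expired", "hostname", "untrusted" or something else. Note that Go checks the validity window before building a chain, so an expired certificate is reported as expired even when its issuer is unknown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ExpiryStatus is what a monitoring job would record for one certificate.
type ExpiryStatus struct {
	Subject  string
	NotAfter time.Time
	DaysLeft int // negative once the certificate has expired
	Expired  bool
}

// CheckExpiry compares a certificate's validity window against a supplied
// clock; pass time.Now() in production and a fixed date in tests.
func CheckExpiry(cert *x509.Certificate, now time.Time) ExpiryStatus {
	remaining := cert.NotAfter.Sub(now)
	return ExpiryStatus{
		Subject:  cert.Subject.CommonName,
		NotAfter: cert.NotAfter,
		DaysLeft: int(remaining.Hours() / 24),
		Expired:  now.After(cert.NotAfter) || now.Before(cert.NotBefore),
	}
}

// Classify runs standard chain verification for host against roots at the
// given time and names the reason for rejection: "ok", "expired",
// "hostname", "untrusted" or "other".
func Classify(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
	})
	var invalid x509.CertificateInvalidError
	var hostErr x509.HostnameError
	var unknownCA x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &hostErr):
		return "hostname"
	case errors.As(err, &unknownCA):
		return "untrusted"
	default:
		return "other"
	}
}

// MakeSelfSignedCert builds a throwaway self-signed server certificate with
// the given validity window. Constructed for this example only; it stands in
// for the real certificate, which is not reproduced here.
func MakeSelfSignedCert(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	host := "www203.americanexpress.com"
	// Assumed dates: the post is from 8 Jan 2013 and says the certificate
	// had been expired since October of the previous year.
	now := time.Date(2013, time.January, 8, 0, 0, 0, 0, time.UTC)
	expired := time.Date(2012, time.October, 1, 0, 0, 0, 0, time.UTC)
	cert, err := MakeSelfSignedCert(host, now.AddDate(-2, 0, 0), expired)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // trust our own stand-in, so only the dates can fail
	st := CheckExpiry(cert, now)
	fmt.Printf("%s: notAfter=%s daysLeft=%d expired=%v verdict=%s\n",
		st.Subject, st.NotAfter.Format("2006-01-02"), st.DaysLeft, st.Expired,
		Classify(cert, roots, host, now))
}
```

Against a live host you would replace MakeSelfSignedCert with the leaf from tls.Dial's ConnectionState().PeerCertificates and pass time.Now(); a negative DaysLeft, or a positive one under your renewal threshold, is the ticket the help desk had no queue for.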