SSL White Papers

You don't have to take our word for it; see what the other experts say.

"Additional leading sources of information have been compiled here to download and review at your leisure"

KPMG White Paper: Low-assurance Web SSL Certificates put e-commerce at risk

"In recent months, with the rise of a new business model for SSL Certificate issuance, some CAs now issue lower-assurance server certificates without authenticating the subscriber…As a result, consumer confidence in the security of electronic commerce may be at risk"

White Paper Resource
Microsoft - Authentication Vulnerability - How might an attacker use the vulnerability to spoof a trusted web site?

"The attacker would likely select an e-commerce site that users would be likely to trust, set up a web site that purported to be the legitimate e-commerce site, then create a bogus SSL server certificate bolstering that claim. If a user visited the attacker's site, the certificate would allow it to set up a valid SSL session, "confirming" that it was indeed the legitimate e-commerce site. The user might then choose to provide sensitive information such as credit card numbers to the attacker's site."


Microsoft - SSL does not work when you try to connect to Web sites that use Server Gated Cryptography certificates that are issued by Thawte

"Server Gated Cryptography (SGC) is a mechanism that permitted Web browsing software to use strong (128-bit) SSL encryption. Typically, SGC is included with products that were released before the lifting of export controls on strong encryption."

CyberVote - EU Commission - Why SSL V1.0 and SSL V2.0 are flawed

"The first public version of SSL, version 2, suffered from a number of security flaws, which have been fixed in SSLv3"

Additional Useful Information
Netscape - SSL Version 3 Specification

"The most recent version of the Internet Draft, dated November 1996, may be viewed here. It is an ASCII document"

Dr Colin Walters - "What is the point of encryption if you don't know who you are encrypting for"

"Low Assurance SSL Certificates with no entity authentication DO NOT deliver confidentiality or integrity. Why is this? Because confidentiality and integrity are the result of being able to encrypt and encryption requires authentication"