Newer browsers have security features designed to help you determine if a website you are browsing is a valid and perhaps trusted site. While the intent is good, the messages users get can be confusing and fear-inducing for not really good reason. Let’s see why.
The messages you can get include:
This web site does not supply ownership information.
Verified by: Thawte Consulting cc (or some other certificate agency) but with no ownership information.
Verified by: Thawte Consulting cc (or some other certificate agency) with ownership information.
The latter two are generally accompanied by an https: start to the URL and the information in the message shown when you are on the site indicates the level of certification the owner of the site has applied to the site. That’s really all there is to it: provide a secure URL and a security certificate and you get a “Verified by…” message; don’t and you get a generic (and maybe worrysome) “…does not supply ownership information” message.
Of the three, only the last one has much meaning. To obtain the certification necessary to get the required EV SSL certificate the owner has to provide a good deal of proof of ownership information to the certifying authority (plus a good deal of money as well[Smile]). Generally, only banks and other such institutions go to that trouble to convince the visiting user(s) of their authenticity (although this trend may be [and should be] changing).
Note: In any case, no matter how detailed the security certificate is, there is NO guarantee of no inappropriate or incorrect information on the site. The certificate only attests to the ownership of the site. Please keep this in mind as it’s important to your interpretation of the various ownership warnings.
Let’s look at each in turn in a bit more detail. [Screen shots below were taken using Firefox 3.5.1 and may differ some with your browser.]
This web site does not supply ownership information.
Taken from the CKnow site, this is what you are likely to see for most of the sites you visit. Is it bad? Not necessarily; it just means the owner of the site did not find it necessary to obtain a security certificate for the site. Since CKnow collects no personal information from you there really is no need for the site to have a security certificate or for you to have to undergo the overhead of a secure connection with the encryption/decryption routines at both ends of the connection. Most sites you visit will likely have this “warning” displayed by the browser.
Verified by: … but with no ownership information.
Taken from the Google Mail site, this is what you are likely to see when you visit a site whose URL starts with “https:” instead of just “http:”. If the URL and the certificate match it means that the site domain name as shown in the browser bar is accurate and that there is a valid security certificate for the site. Note that some small business sites use the certificate of the host for the site. That would mean that the certificate and the URL don’t necessarily match so caution should be used at those sites but, even so, a mismatch does not necessarily mean anything is wrong. If concerned, contact the webmaster for the site and get confirmation from them directly. Further note that in an effort to appear valid some phishing sites have adopted SSL and have certificates issued to them so having a certificate of this type or not is no guarantee and you should be certain the site is who they say they are before entering any personally-identifying information or credit card data.
Verified by: … with ownership information.
Taken from the site of an insurance/banking site often used by military members, the USAA certification provides an example of the EV certificate (EV = Extended Valuation). This simply means that they have gone through a rather extensive process to prove to the certifying authority that they are who they say they are. This is the best of the certifications but it’s also harder to get and more expensive. Indeed, the expense is one of the reasons smaller businesses have used to lobby against the various ownership information displays. But, over time, the cost has come down and you should expect to see more serious business sites having this sort of certification instead of the more generic certification without ownership information.
But it bears repeating: No matter how detailed the security certificate is, there is NO guarantee of no inappropriate or incorrect information on the site. The certificate only attests to the ownership of the site.
Prior comments from original 7/17/2009 article…
#1
Jan Cheng
Said this on 2009-09-01 At 03:39 pm
I have an SSL cert from ix-one.com
When I visit my website there is no padlock!!!
So I click on the favicon and it says
This web site does not supply ownership information.
#2
DaBoss
Said this on 2009-09-01 At 05:29 pm
In reply to #1
Create a support ticket with them and get them to install the certificate and tell you how to use their system to create https output pages.
#3
v sekhar
Said this on 2009-10-04 At 09:25 am
Thank you DaBoss. Now I’ve relieved off my worrying doubts. I see the first message very often on my wordpress blog. The information you provided is much helping to me. Thank u once again.
#4
Wayne Davies
Said this on 2009-11-21 At 05:29 am
My comment is about this: The certificate only attests to the ownership of the site
Something I’ve always wondered is what’s to stop an otherwise legitimate authority issuing certificates that purports to confirm ownership to unsavoury people in return for large amounts of money?
Or worse, what’s stopping a criminal organisation from setting up an apparently legitimate authority that then issues certificates to both genuine companies and crooks? Or perhaps using the data they collected on genuine companies to buy certificates from a reputable authority?
Actually, I think what I’m really asking here is: Who’s making sure the certificate issuers are legit?
#5
DaBoss
Said this on 2009-11-21 At 12:10 pm
In reply to #4
Nobody in particular. However, if a certificate is found to be bogus the system can be purged. See here for more…
http://en.wikipedia.org/wiki/Certificate_authority
#6
Alexis Wilke
Said this on 2010-01-05 At 02:46 pm
[Generally, only banks and other such institutions go to that trouble to convince the visiting user(s) of their authenticity …]
Sorry but that statement is wrong. ALL businesses that want to do e-Commerce on their website, including banks, MUST have a certificate. Without the valid certificate, the cart cannot be enabled to take credit card information on your website.
My company, for instance, has such a secure site here: https://secure.m2osw.com
We use godaddy for our certificate and it shows on the left side of the screen (below the menus.) That is another important point in regard to having a secure site.
Of course, many hackers will use free certificate, or individual certificates (that are really cheap) and put that on their hacker website… which is not properly verified. That’s where you get a complicated set of things happening and why a secure site is not automatically a secure business!
Best,
Alexis
#7
DaBoss
Said this on 2010-01-05 At 04:27 pm
In reply to #6
Nope. Not wrong. Please re-read. That statement only applies to the EV SSL certificate. Your site does not have that. By using the GoDaddy certificate you clearly fall into the Verified By with No Ownership information category (the middle one above). Perfectly OK for e-business but you have not taken that extra step that banks, etc. generally take by getting the EV SSL certificate.
#8
Alexis Wilke
Said this on 2010-01-05 At 11:15 pm
In reply to #7
Ah! I see. That’s recent I guess… 😎
Note that GoDaddy does offer EV SSL for about $99/year. (i.e. Premium SSL).
Maybe my company will switch to that soon.
Thank you for taking the time to reply!
Alexis
#9
Shabeer Naha
Said this on 2010-02-12 At 06:53 am
Thawte’s SSL Web Server Certificates costs $250 a year.
Thawte’s EV SSL Certificate costs $600 a year.
Answerable.com which sells Thawte’s Certificates have a much cheaper pricing. (http://answerable.com/digital_certificate.php)
Web Server Certificate : $84 a /year – this is same as Thawte’s SSL Web Server Certificates. But there is no mention of EV or not. I wouldnt be surprised if the EV comes with $84 a year.
[There are a number of discount sellers of these certificates. –DaBoss]
#11
Harry Lee
Said this on 2010-05-28 At 08:20 am
You saved my day, DaBoss.
I’ve wondered why and where da above message came from.
Now I’m pretty much relieved with that
Is it O.K for me to put your wonderful writings in my blog to share that useful information of yours with my people after your permission? Of course I’ll put down there your source url address though.
Waiting for your reply.
Thanks once again.
Harry
#12
DaBoss
Said this on 2010-05-28 At 10:27 pm
In reply to #11
Thank you for the kind comments.
In general, copying CKnow material in substance in a blog or other page is NOT allowed. If the material is published even with a link given then there would be no reason for someone to come here to get the information and that’s counterproductive for me. Feel free to comment and link but not copy and link. For example…
“I found this great page on the Cknow.com site that explains those messages about website ownership and why there is really no problem with most of them. See that here [linked].”
…would be just fine. However, a repeat of the reasons and most of the substance of the article and then a link would NOT be fine.
Thank you for asking and I hope you see the difference and understand why.
#16
Uligue
Said this on 2010-10-12 At 09:27 pm
The message “This website ….” means two things:
a) the Certificate Issuer PKI hierarchy is not registered at cert database of browser, and
b) The real location of files is not owned by super-user (a WebServer configuration problem).
The “scrap” message has NOTHING RELATED to EV certification.
Building PKI tree (CA Self-Signed, CA Service , Final certificate) following the RFC5280 and fixing “WebServer configuration” are enough to stop the problem.
EV certs provides other OIDs that only show WHO is responsable for that certificate (jurisdiction, real address of individual between others policy OIDs). There is “no secret” key beside this. Visit www.cabforum.org and read the EV Guide. It is free!!!. EV is not a solution, because it ALSO MAY BE FORGED as any other Certificate after visited a malicious web page with some “cracking code”. EV is a “money solution” for “Big Jangle Enterprises”.
#18
Bob
Said this on 2011-01-10 At 11:02 am
If ownership declaration is only needed/recommended for HTTPS:// sites then why indicate for HTTP:// sites. It only makes things confusing for consumers.
“This web site does not supply ownership information.”
Oh! Should I now NOT trust this site?
One more “boon-dangle” to confuse the average Internet user!
#19
jennie guanzon
Said this on 2011-11-26 At 08:54 pm
In reply to #18
This web site does not supply ownership information
[Most don’t. For this site it’s just not worth the effort or money to do so. I’ve got no active content to make it necessary. –DaBoss]
#20
jennie guanzon
Said this on 2011-11-26 At 08:56 pm
In reply to #18
Thanks for the information.
#21
Karen Cole
Said this on 2012-01-27 At 04:57 pm
I need the name of a excellent company where I can get the SSL certificate and everything so that it shows my favicon in the upper left of the URL bar and so that people can always freely visit (from absolutely everywhere) our storefront business website, rainbowriting.com .
[I don’t use one and so have no direct experience but many website hosting providers also have a certificate they can provide. One other suggestion, besides a simple Google search, would be to see what certificate providers the big players (any major site) use as you know those will be good sources but expect to pay more in all probability. –DaBoss]
