Quick Search
Most Popular Articles
- Why Can't I Copy a Large File Despite Having Larger Free Space?
- What are HIBERFIL. SYS and PAGEFILE. SYS?
- Why Do I See 'This Web Site Does Not Supply Ownership Information' in My Browser?
- What are Emoticons?
- How do You Register/Obtain DLL or OCX Files?
- How Do I Remove Add/Remove Programs Entries?
- Article Index
- Why am I Having a MSN MAILHOST/ DOWNLOADHOST Problem?
- What Do Those 404 and Other HTTP Return Codes Mean?
- What is goog-malware-shavar?
Why Do I See 'This Web Site Does Not Supply Ownership Information' in My Browser?
- 2009-07-17
- Categorized in: Why...
Newer browsers have security features designed to help you determine if a website you are browsing is a valid and perhaps trusted site. While the intent is good, the messages users get can be confusing and fear-inducing for not really good reason. Let's see why.
The messages you can get include:
- This web site does not supply ownership information.
- Verified by: Thawte Consulting cc (or some other certificate agency) but with no ownership information.
- Verified by: Thawte Consulting cc (or some other certificate agency) with ownership information.
The latter two are generally accompanied by an https: start to the URL and the information in the message shown when you are on the site indicates the level of certification the owner of the site has applied to the site. That's really all there is to it: provide a secure URL and a security certificate and you get a "Verified by..." message; don't and you get a generic (and maybe worrysome) "...does not supply ownership information" message.
Of the three, only the last one has much meaning. To obtain the certification necessary to get the required EV SSL certificate the owner has to provide a good deal of proof of ownership information to the certifying authority (plus a good deal of money as well![[Smile]](/cms/images/smiley.gif "[Smile]"){kind=small}
). Generally, only banks and other such institutions go to that trouble to convince the visiting user(s) of their authenticity (although this trend may be [and should be] changing).
Note: In any case, no matter how detailed the security certificate is, there is NO guarantee of no inappropriate or incorrect information on the site. The certificate only attests to the ownership of the site. Please keep this in mind as it's important to your interpretation of the various ownership warnings.
Let's look at each in turn in a bit more detail. [Screen shots below were taken using Firefox 3.5.1 and may differ some with your browser.]
This web site does not supply ownership information.
Taken from the CKnow site, this is what you are likely to see for most of the sites you visit. Is it bad? Not necessarily; it just means the owner of the site did not find it necessary to obtain a security certificate for the site. Since CKnow collects no personal information from you there really is no need for the site to have a security certificate or for you to have to undergo the overhead of a secure connection with the encryption/decryption routines at both ends of the connection. Most sites you visit will likely have this "warning" displayed by the browser.
Verified by: ... but with no ownership information.
Taken from the Google Mail site, this is what you are likely to see when you visit a site whose URL starts with "https:" instead of just "http:". If the URL and the certificate match it means that the site domain name as shown in the browser bar is accurate and that there is a valid security certificate for the site. Note that some small business sites use the certificate of the host for the site. That would mean that the certificate and the URL don't necessarily match so caution should be used at those sites but, even so, a mismatch does not necessarily mean anything is wrong. If concerned, contact the webmaster for the site and get confirmation from them directly. Further note that in an effort to appear valid some phishing sites have adopted SSL and have certificates issued to them so having a certificate of this type or not is no guarantee and you should be certain the site is who they say they are before entering any personally-identifying information or credit card data.
Verified by: ... with ownership information.
Taken from the site of an insurance/banking site often used by military members, the USAA certification provides an example of the EV certificate (EV = Extended Valuation). This simply means that they have gone through a rather extensive process to prove to the certifying authority that they are who they say they are. This is the best of the certifications but it's also harder to get and more expensive. Indeed, the expense is one of the reasons smaller businesses have used to lobby against the various ownership information displays. But, over time, the cost has come down and you should expect to see more serious business sites having this sort of certification instead of the more generic certification without ownership information.
But it bears repeating: No matter how detailed the security certificate is, there is NO guarantee of no inappropriate or incorrect information on the site. The certificate only attests to the ownership of the site.
When I visit my website there is no padlock!!!
So I click on the favicon and it says
This web site does not supply ownership information.
Something I've always wondered is what's to stop an otherwise legitimate authority issuing certificates that purports to confirm ownership to unsavoury people in return for large amounts of money?
Or worse, what's stopping a criminal organisation from setting up an apparently legitimate authority that then issues certificates to both genuine companies and crooks? Or perhaps using the data they collected on genuine companies to buy certificates from a reputable authority?
Actually, I think what I'm really asking here is: Who's making sure the certificate issuers are legit?
http://en.wikipedia.org/wiki/Certificate_authority
Sorry but that statement is wrong. ALL businesses that want to do e-Commerce on their website, including banks, MUST have a certificate. Without the valid certificate, the cart cannot be enabled to take credit card information on your website.
My company, for instance, has such a secure site here: https://secure.m2osw.com
We use godaddy for our certificate and it shows on the left side of the screen (below the menus.) That is another important point in regard to having a secure site.
Of course, many hackers will use free certificate, or individual certificates (that are really cheap) and put that on their hacker website... which is not properly verified. That's where you get a complicated set of things happening and why a secure site is not automatically a secure business!
Best,
Alexis
Note that GoDaddy does offer EV SSL for about $99/year. (i.e. Premium SSL).
Maybe my company will switch to that soon.
Thank you for taking the time to reply!
Alexis
Thawte's EV SSL Certificate costs $600 a year.
Answerable.com which sells Thawte's Certificates have a much cheaper pricing. (http://answerable.com/digital_certificate.php)
Web Server Certificate : $84 a /year - this is same as Thawte's SSL Web Server Certificates. But there is no mention of EV or not. I wouldnt be surprised if the EV comes with $84 a year.
[There are a number of discount sellers of these certificates. --DaBoss]
Thanks for being there.
Jim
I've wondered why and where da above message came from.
Now I'm pretty much relieved with that
Is it O.K for me to put your wonderful writings in my blog to share that useful information of yours with my people after your permission? Of course I'll put down there your source url address though.
Waiting for your reply.
Thanks once again.
Harry
In general, copying CKnow material in substance in a blog or other page is NOT allowed. If the material is published even with a link given then there would be no reason for someone to come here to get the information and that's counterproductive for me. Feel free to comment and link but not copy and link. For example...
"I found this great page on the Cknow.com site that explains those messages about website ownership and why there is really no problem with most of them. See that here [linked]."
...would be just fine. However, a repeat of the reasons and most of the substance of the article and then a link would NOT be fine.
Thank you for asking and I hope you see the difference and understand why.
a) the Certificate Issuer PKI hierarchy is not registered at cert database of browser, and
b) The real location of files is not owned by super-user (a WebServer configuration problem).
The "scrap" message has NOTHING RELATED to EV certification.
Building PKI tree (CA Self-Signed, CA Service , Final certificate) following the RFC5280 and fixing "WebServer configuration" are enough to stop the problem.
EV certs provides other OIDs that only show WHO is responsable for that certificate (jurisdiction, real address of individual between others policy OIDs). There is "no secret" key beside this. Visit www.cabforum.org and read the EV Guide. It is free!!!. EV is not a solution, because it ALSO MAY BE FORGED as any other Certificate after visited a malicious web page with some "cracking code". EV is a "money solution" for "Big Jangle Enterprises".
Thanks for the information.
"This web site does not supply ownership information."
Oh! Should I now NOT trust this site?
One more "boon-dangle" to confuse the average Internet user!
[Most don't. For this site it's just not worth the effort or money to do so. I've got no active content to make it necessary. --DaBoss]
[I don't use one and so have no direct experience but many website hosting providers also have a certificate they can provide. One other suggestion, besides a simple Google search, would be to see what certificate providers the big players (any major site) use as you know those will be good sources but expect to pay more in all probability. --DaBoss]