24 April 2009

Put Your Own Organisation's Name On It

This week a friend contacted me about his business website. It seemed his company had paid for both a .co.uk and .com domain name, but the latter was not currently mapped to her site.

It seems the web developer wasn't being co-operative and she was asking for some advice. It appeared that neither domain were registered in my friend's company's name—both named the developers. This makes things much more difficult if the developers are slow to respond to change requests, or fail to renew your domains, or you fall out with them or they go out of business.

But I came across another example on Wednesday. I had to drive through London and later in the day I went to pay the £8.00 charge using the congestion charge online payment service from Transport for London.

Partial screen capture of a web browser's address bar with the URL https://cclondon.tfl.gov.uk/cclondon/payments/paycharge/pay.aspx and showing part of the web page

I looked at the SSL certificate's details and was very surprised to see the organisation named on the certificate (known as the distinguished name field for organization) was not "Transport for London" but "Cobweb Solutions Ltd", presumably this company. SSL certificate security information stating the connection to cclondon.tfl.gov.uk is secure and the certificate is issued by Thawte Premium Server CA SSL certificate information stating the certificate name details are 'cclondon.tfl.gov.uk, Cobweb Solutions Ltd, Sydadmin Team, Fareham, England, GB'

Whilst this may not be contrary to the SSL Protocol Specification, it is contrary to expectations and good practice. If this were a retail website (where you choose to buy rather than being obligated to pay!), would a cautious potential customer trust the site? The information has also given away vital clues to a malicious user on the software development company and thus perhaps possible approaches to breach the system. Cobweb Solutions' own site has a shopping basket/e-commerce system that has a similarly attributed secure certificate:

SSL certificate information stating the certificate name details are 'shop.cobweb.com, Cobweb Solutions Ltd, Sydadmin Team, Fareham, England, GB'

Like domain names, your own website SSL certificates, regardless of SSL certificate type should be in your own organisation's name, not anyone else's. In fact this also usually makes the proces of purchasing a certificate simpler.

On my friend's domain name issue, she has contacted the relevant domain name registrars using their disputes process to ask for the details to be updated. She is also checking whose name is on the web hosting contract.

Posted on: 24 April 2009 at 09:32 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

Comments

Comments are filtered automatically and should appear shortly after they been checked.

Post a comment
Confirm acceptance and understanding of the terms of use
New posts to this thread will be sent to your email address
Put Your Own Organisation's Name On It
http://www.clerkendweller.com/2009/4/24/Put-Your-Own-Organisations-Name-On-It
ISO/IEC 18004:2006 QR code for http://clerkendweller.com

Page http://www.clerkendweller.com/2009/4/24/Put-Your-Own-Organisations-Name-On-It
Requested by 38.107.179.224 on Tuesday, 7 February 2012 at 21:30 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2009-2012 clerkendweller.com