Summary
Even though a Certificate Authority has verified and signed the certificate, a user should not trust the Organization name it carries without also checking the domain name. A fraudulent site can present a valid certificate with a misleading Organization name.
Severity: Low
Problem description
A secure site is served over an encrypted connection, and has a digital certificate that has been verified and signed by a trusted third party (TTP), known as a Certificate Authority (CA).
Among other things, the server's certificate contains the server name of the secure site (the Common Name or Subject Alternative Name), the organization name and country, the expiry date and the name of the issuer (CA) that signed it. All this information can be viewed in Opera's security information dialog, by clicking the padlock icon in the address field.
To make secure sites stand out more, and to make the information in the site's digital certificate more accessible, Opera has added a "security field" in the address field. The security field currently contains the "Organization" name and the "Country" field from the certificate, and the padlock icon. It has a yellow background to attract the user's attention.
However, the Organization name is rather often not the name of the company the site represents. For example, it is common for banks to outsource the hosting of their online banking site. Such a site can carry the name of the hosting company in the Organization field, even though the domain name is the bank's. This can confuse end users.
Some Certificate Authorities issue low-cost certificates more or less automatically, without proper verification against a company registry. These CAs verify only that the applicant controls the domain name, so the Organization field in such certificates, if present at all, has not been checked.
Also, the documentation submitted to the Certificate Authority can be incorrect. This can lead the Certificate Authority to issue a certificate erroneously.
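The distinction made above, that the domain name is what the certificate is actually bound to while the Organization field is descriptive text, can be shown with a short program. The following is an added example and not part of the original advisory or of Opera's code. It builds three self-signed certificates with constructed data (the ".test" host names and the company names are invented for illustration): an outsourced bank site whose Organization is the hosting company, a domain-validated certificate with no Organization at all, and a fraudulent site whose Organization reads like the bank. It then renders the Organization/Country field the text describes and checks each certificate against the bank's host name using the standard library's hostname matching, which consults the DNS names and never the Organization text.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newTestCert builds a self-signed certificate with the given subject
// Organization, Country and DNS names. An empty org mimics a
// domain-validated certificate that carries no organization at all.
// Every name passed to it in this example is constructed test data.
func newTestCert(org, country string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: dnsNames[0]}
	if org != "" {
		subject.Organization = []string{org}
	}
	if country != "" {
		subject.Country = []string{country}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames, // the names the certificate is actually bound to
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Self-signed: the template is its own parent, so Issuer == Subject.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// securityField renders what the text describes Opera showing in the
// address field: Organization and Country copied from the subject.
// A certificate without an Organization gets a marker instead, since a
// domain-validated certificate says nothing about the company behind the site.
func securityField(cert *x509.Certificate) string {
	org := strings.Join(cert.Subject.Organization, ", ")
	if org == "" {
		return "(no organization in certificate)"
	}
	return org + " (" + strings.Join(cert.Subject.Country, ", ") + ")"
}

// hostMatches is the check that binds the certificate to the site being
// visited: the host name is matched against the certificate's DNS names
// (Subject Alternative Name), never against the Organization text.
func hostMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	// Three constructed cases from the advisory (hypothetical names, .test TLD).
	cases := []struct {
		label        string
		org, country string
		dns          []string
	}{
		{"outsourced bank site", "Example Hosting AS", "NO", []string{"www.example-bank.test"}},
		{"domain-validated cert", "", "", []string{"www.example-bank.test"}},
		{"fraudulent site", "Example Bank ASA", "NO", []string{"www.example-bank-login.test"}},
	}
	const bankHost = "www.example-bank.test"
	for _, c := range cases {
		cert, err := newTestCert(c.org, c.country, c.dns)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-22s security field: %-34s issuer: %s\n", c.label, securityField(cert), cert.Issuer.String())
		fmt.Printf("%-22s valid for %q: %v\n", "", bankHost, hostMatches(cert, bankHost))
	}
}
```

Run as is, the outsourced bank site shows a hosting company in the security field yet is the only one of the three, together with the domain-validated certificate, that matches the bank's host name; the fraudulent site shows a convincing bank name in the security field and does not match. That is the advisory's point in executable form: the Organization field is information to weigh, the domain name is what the certificate guarantees.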
Opera's response
This inconsistent use of the "Organization" field of digital certificates is well-known to Opera. The security field is intended to be used as additional information. As such it will help raise users' awareness of certificates, and may make it more difficult for a phishing attack to be successful.
The Organization name was chosen because it provides a company name in addition to the domain name. Most SSL certificates carry the name of the company behind the site as their Organization name.
When visiting a secure site, the user has to make an informed choice before entering any sensitive information: Is it the right site? And is it trustworthy? If either the domain name or the Organization field looks wrong, it calls for closer scrutiny from the user.
Bank notes typically contain several features that are hard to counterfeit and easy to check. SSL certificates also contain items that are very hard to fake. With the introduction of the security field one of those items, the Organization name, has become easier to check.