No-Frills Digital Certificates May Pose Security Risk

Low-cost service omits detailed authentication check on new sites

InformationWeek Staff, Contributor

April 13, 2002

A low-cost service from GeoTrust Inc. distributes digital certificates to new E-commerce sites within two hours, but some worry that the no-frills offering will undermine trust in online transactions.

With QuickSSL, GeoTrust simply verifies that the person buying the certificate owns the domain name or is authorized by the domain administrator. Once the verification is accomplished, GeoTrust issues digital certificates for $119 per server; the certificates encrypt data between servers and browsers. "This lack of authentication greatly increases the chances of fraud," warns Gartner analyst John Pescatore.

By comparison, GeoTrust's True BusinessID service verifies the legitimacy of a business by conducting a detailed background check--a process that takes two days and costs $199 per certificate.

GeoTrust's automated process makes it too easy for anyone to use stolen credit cards or identities to establish what appears to be a legitimate business, Pescatore says. Customers who see the lock on their browser assume the site is secure and that the Web merchant has been authenticated. "That's been standard business practice until now," he says.

GeoTrust customer Ralph Wilson bought a True BusinessID certificate for his Internet marketing Web site because it was better than market leader VeriSign Inc.'s. "I have a problem with [GeoTrust's] QuickSSL product," he says. "They've cheapened the process and lowered the level of security by not further investigating the company or person buying the certificate."

But QuickSSL has found quick success. Since its launch six months ago, GeoTrust's share of the Web-server digital-certificate market has increased from 6% to 9%, according to consulting firm E-Soft. GeoTrust CEO Neal Creighton expects the service will help propel that figure to 30% by year's end.

Creighton contends QuickSSL is secure as is. But the vendor plans to add a software-driven feature in coming weeks that will randomly ask customers for their phone numbers, automatically call them, and record their voices to help verify their identities.
