Let me preface these remarks with a brief comment about my Island Tel High Speed DSL service: it works. It has worked solidly for the past 9 months. I have no complaints. This is a Good Thing.
However, there is new evidence to suggest that Island Tel still doesn’t “get” the Internet. Witness the following screen shot:
Digital certificates are the means by which web clients (like you and me) can have some certainty that secure websites are, in fact, secure. A digital certificate offers some assurance both that the site on the other end of the connection is who they say they are and that the information you exchange with this site is kept private.
Central to the notion of the digital certificate system is that of the certificate authority, defined as:
A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be.
Note that it says third-party organization. This is important. The certificate authority has to be someone that both you (the client) and the people running the website you’re connecting to (the server) trust. Trust both in a spiritual sense, and in a technical one.
Now look at the screen shot above: it’s an error message that popped up in my browser when I tried to go to the Island Tel website to administer my dial-up account. The error message says, in effect, “warning, the certificate authority that issued this certificate isn’t installed in your browser as one of the standard ones.”
And who is this certificate authority — this trusted third party that is supposed to vouch for Island Tel’s veracity?
Why look, it’s Island Tel!
The “issued to” and “issued by” are the same on this certificate. Island Tel, in other words, wants us (and our browsers) to trust that Island Tel is who they say they are.
Now that is crazy and absurd on the surface. But it’s also crazy and absurd deeper down: how do I know that the Island Tel that’s telling me that they’re Island Tel is actually Island Tel? I don’t. Any old person could set up their server with a certificate authority and claim that they’re Island Tel. I could do it. So could you.
It’s only through the intermediation of a trusted third party that I can rest easy (or at least easier) that the Island Tel website I’m connecting to is bona fide.
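The check behind that browser warning, as an added example that is not part of the original post: a shell function, using the OpenSSL command line, that reports whether a certificate’s “issued to” and “issued by” are the same and the certificate is signed with its own key. The Example Telco and test CA names, the .test hostname and every file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; every name, host and file here is constructed.

# Exit 0 if PEM certificate $1 is self-signed: "issued to" equals
# "issued by" and the signature verifies under the cert's own key.
is_self_signed() {
    local cert="$1" subject issuer
    subject=$(openssl x509 -in "$cert" -noout -subject_hash) || return 2
    issuer=$(openssl x509 -in "$cert" -noout -issuer_hash) || return 2
    [ "$subject" = "$issuer" ] || return 1
    openssl verify -check_ss_sig -CAfile "$cert" "$cert" 2>/dev/null |
        grep -q ': OK$'
}

# Exit 0 if certificate $2 verifies against trust anchor $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Build three constructed certificates in directory $1.
make_demo_certs() {
    local d="$1" site="/O=Example Telco/CN=www.example-telco.test"
    # self.pem: the site vouches for itself.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$site" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null || return 1
    # ca.pem: a separate third party; leaf.pem: the site, issued by it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Constructed Test CA/CN=Constructed Test Root" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "$site" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -days 1 -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for name in self leaf; do
    if is_self_signed "$demo_dir/$name.pem"; then
        echo "$name.pem: issued to and issued by are the same (self-signed)"
    else
        echo "$name.pem: issued by a different party"
    fi
done
chains_to "$demo_dir/ca.pem" "$demo_dir/leaf.pem" && echo "leaf.pem chains to ca.pem"
chains_to "$demo_dir/ca.pem" "$demo_dir/self.pem" || echo "self.pem does not"
```

Note that ca.pem is itself self-signed, as every root certificate is; what separates it from self.pem is that clients choose ahead of time to install it as a trust anchor.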
I first told Island Tel about this in an email two years ago. I explained it all to them in very careful language. I received no response.