The names of the companies involved are omitted to focus attention on the flaws in the process. A local ISP has a nice little logo on their webpage, emblazoned with the phrase, "[Name One] Secure Site by [Name Two] Click to verify", where Name Two is a well-known international commercial Certification Authority, and Name One is a Recognised Certification Authority in Hong Kong. Clicking the logo opens a popup window titled "Certificate Information".
It is good to see companies taking security seriously, provided they do it properly. Unfortunately, the ISP has placed the logo on an unencrypted webpage, and describing the link to the "Certificate Information" page as "verification" is misleading: the link is simply a URL at Name One's site, usable independently of the page or site the certificate information describes, so anyone can copy the logo and the link onto any page, and clicking it proves nothing about the page or site the visitor clicked from.
The certificate information page, served from an SSL server at Name One's domain, does give the full hostname of the server described, the certificate's serial number and an issuer digest, but it does not explain how a user should compare these against the certificate the browser actually received from the server. It also states that all information sent to the "secure site" is encrypted if it is sent in an SSL session, but does not say how to recognise an SSL session (the https:// address and the browser's lock indicator).
So, because the ISP has linked from an unencrypted page, most of this information is irrelevant: the browser is not in an SSL session with the ISP, so there is no server certificate to compare the published values against. As the "Certificate Information" page does not describe the steps necessary for verification, only someone who already knows how to check server certificates can make use of what it presents. All that is left is the assurance that "[Name One] has verified the organizational name and that organization has the proof of right to use it." It does not even give a Business Registration Number to help identify the organisation.
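For readers who do not already know how to check a server certificate, the following shell script shows what the missing verification step looks like. It is added here as an illustration and is not code from the original article or from either company's site. It assumes the openssl command-line tool is installed; the hostnames, serial number and issuer name in the usage comment are placeholders, and the issuer is assumed to be published in the same form that `openssl x509 -issuer` prints. The check is only meaningful once the browser (or, here, `openssl s_client`) is actually in an SSL session with the site, which is exactly what a link from an unencrypted page does not give you.

```shell
#!/bin/sh
# Added example: compare the certificate a server actually presents against
# the hostname, serial number and issuer a CA has published for it.
# Assumes the openssl CLI (1.1.1 or later for -checkhost and SAN handling).

# Normalise a serial number so "0x1a:2b" and "1A2B" compare equal:
# drop a leading 0x, remove colons and spaces, upper-case the hex digits.
normalise_serial() {
    printf '%s' "$1" | sed 's/^0[xX]//' | tr -d ': ' | tr 'a-f' 'A-F'
}

# Fetch the leaf certificate the server presents in a live SSL session, as PEM
# on stdout. Network use only; the offline check below does not call it.
fetch_server_cert() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# check_published_cert CERT.pem HOSTNAME EXPECTED_SERIAL EXPECTED_ISSUER
# Returns 0 when the certificate matches all three published values,
# 1 otherwise, reporting each failed comparison on stderr.
check_published_cert() {
    cert=$1; host=$2; want_serial=$3; want_issuer=$4
    rc=0

    # 1. Hostname: is the certificate issued for the host we connected to?
    #    openssl prints "Hostname X does match certificate" or "... does NOT match ...".
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q ' does match certificate'; then
        echo "FAIL: certificate is not issued for $host" >&2; rc=1
    fi

    # 2. Serial number, compared after normalisation.
    have_serial=$(openssl x509 -in "$cert" -noout -serial | cut -d= -f2) || return 1
    if [ "$(normalise_serial "$have_serial")" != "$(normalise_serial "$want_serial")" ]; then
        echo "FAIL: serial is $have_serial, published value is $want_serial" >&2; rc=1
    fi

    # 3. Issuer DN, compared as openssl prints it (prefix "issuer=" stripped).
    have_issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//') || return 1
    if [ "$have_issuer" != "$want_issuer" ]; then
        echo "FAIL: issuer is '$have_issuer', published value is '$want_issuer'" >&2; rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $cert matches the published values for $host"
    fi
    return "$rc"
}

# Live usage (placeholder values, not run here):
#   fetch_server_cert www.example.com > server.pem
#   check_published_cert server.pem www.example.com 1A2B3C 'C = HK, O = Example CA'
```

The hostname check matters as much as the serial number: a certificate with the right serial and issuer but a different name would mean you are talking to some other site. If the CA also publishes a fingerprint of the certificate itself, comparing `openssl x509 -noout -fingerprint -sha256` output against it is the single strongest check and can replace the serial and issuer comparison.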
Can this logo do anything other than generate a false sense of security? We asked Name One for their feedback. They responded, "[Name One] is a company to provide quality products and services to our customers. We appreciate your comments and we will review the content of our website and make appropriate amendments if necessary."
Users already have a hard time understanding the intricacies of security; we hope this scheme can be amended to something more useful and less misleading.