So, a user has a SSL error, and there appears a certificate that has nothing to do with the site he's supposed to be accessing. It's marked as invalid (nevermind) and is from a CA I have never heard of, called Valicert.

It seems to be a valid CA, its certificates mostly validate, etc, but something is fishy (besides the fact that there is a freaking Valicert certificate where there should not be one and I have no idea why).

It seems Valicert is or was owned by GoDaddy, which should already be a problem, but it gets worse. The URL for the CA? which is not configured as a site. Then I try which does exist but is not about a CA but about AxWay, a "Business Interaction Networks company".

It contains nuggets like "What can our cloud-based community management solution do for your bottom line?" and "Is your file transfer system visibility-impaired?" and "Our award-winning products, solutions and services enable the business-critical transactions required to accelerate performance within and among enterprises – while providing management, security and governance on interactions throughout business networks."

And then I had the (bad) idea to try ... a picture should be enough:


AxWay, you are lame.

These bozos, this company that dares offer file transfer whatnots and has "award winning products"... has a self-signed certificate, that expired in 2010, for localhost freaking localdomain in their public webserver.

So, I am guessing Valicert doesn't exist anymore, godaddy kept the CA alive until all certs expire and for some reason AxWay is a bunch of incompetents who bought the domain (but why???) and really, trusting CAs is getting harder each day.


Comments powered by Disqus