[Cryptography] The business of web hosting, was Commercial PKI as dog poop

[John Levine]

It appears that jrzx via cryptography <jrzx at protonmail.ch> said:
>> > A CDN is "non origin certification" ...

>I expect that if I form an SSL connection to www.example.com,
>the machine at the other end will be controlled by the owner
>of the name www.example.com

Once again, you seem to be using an Internet unlike the one the rest of us use.

To return to an example from a few days ago, when I point my browser
at my local bank's web site, I am actually talking to a service bureau
called Jack Henry Associates which many banks use. I don't know
whether they physically host their own servers or further subcontract
to Amazon or Microsoft or some other cloud provider but I don't care.
Regardless of who controls the machine, I am confident that there are
adequate business controls so that when I do a remote deposit and
upload a picture of a check, the money will end up in my account at my
bank, the same as if I'd walked down to the branch and deposited it in
person.

Looking at the certs on the web sites, even though they're all in the
bank's domain tompkinstrust.com, I see that the EV cert for
www.tompkinstrust.com is issued to the bank, the EV one for the
business banking subsite at treasurymanagement.tompkinstrust.com is
issued to Jack Henry, and the DV one for the personal banking subsite
at secure.tompkinstrust.com is issued to nobody, just the domain name.

This is a fairly sophisticated billion dollar regional bank, so I
expect this is typical for midsized banks.

>If that expectation can easily be violated, it is a problem.

I'm afraid you're about 25 years late.

R's,
John