13

When I visit "https://www.ebay.co.uk", I can see a trust seal at the bottom right of the page that says the certificate is issued by DigiCert. It is a clickable trust seal, so when I click on it, it takes me to the DigiCert website.

[screenshot: the DigiCert trust seal on the eBay page]

My confusion is due to the certificate that the ebay website sends to my browser. When I click on the padlock in Chrome and check the certificate, it shows me this:

[screenshot: the certificate Chrome shows for www.ebay.co.uk]

The intermediate and root CA for the ebay website are from Sectigo. To the best of my understanding, Sectigo and DigiCert are two different CA businesses. What am I missing here?

ManiAm

1 Answer

38

eBay.com and eBay.co.uk use two different CAs:

[screenshots: certificate chain for ebay.com / certificate chain for ebay.co.uk]

Their HTML template probably doesn't take this into account, so it shows the same seal for everyone.

Such seals are generally meaningless anyway. As you have shown in your question, they can be freely included in any page, without any checks. They provide no security, and any MiTM can freely replace them anyway. And, as you have shown, no one bothers enough about them to make sure they match.

Why does eBay use two different CAs? Who knows. There's no technical reason against it, so if it makes sense to their operations, it's entirely valid.

vidarlo
  • who asked *Why does eBay use two different CAs?* :D – NotStanding with GoGotaHome Jan 10 '22 at 07:02
  • On "Why does eBay use two different CAs? Who knows.": Why does eBay use multiple different host names? Who knows. – U. Windl Jan 10 '22 at 12:59
  • @U.Windl that seems more obvious: it’s a way to do localisation, no? – Tim Jan 10 '22 at 22:43
  • https://ocsrest.ebay.de https://pulsar.ebay.de https://www.ebay.de https://www.ebay.com https://srv.de.ebayrtm.com https://ir.ebaystatic.com https://secureir.ebaystatic.com https://cas.avalon.perfdrive.com https://b.ns1p.net ... possible each having a different certificate; a security nightmare! – U. Windl Jan 10 '22 at 23:06
  • ‘There's no technical reason against it’ — what about compromised CAs, e.g. an adversary obtaining a certificate from a CA with weak identity verification policies? (Remember the Comodo fiasco?) I would be wary if I noticed my bank suddenly switching to Let’s Encrypt, for example (which basically only verifies ownership of the domain). Committing to a specific CA creates a security signal (‘if you see some other purported authority signing on someone’s claim to be me, beware’); reneging on that promise weakens it. – user3840170 Jan 11 '22 at 12:32
  • @user3840170 Those are *not* technical reasons. That's politics. Yes, it may affect security, but technically your bank would be just as fine with Let's Encrypt. – vidarlo Jan 11 '22 at 14:57
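The answer's point is that the seal image carries no information the browser checks; the only thing that says who issued a site's certificate is the chain the server actually presents. The following shell functions are an added example, not code from the question or the answer, showing how a practitioner compares a seal's claim against that chain: one function pulls the leaf certificate a server presents for a given host name (this part needs network access), one extracts the issuer's Organization (O=) from a PEM file, and one reports whether a claimed CA name matches it. It assumes the `openssl` command-line tool is installed; host names are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the original post): compare what a trust seal
# *claims* with the issuer of the certificate a server actually serves.
# Assumes the openssl CLI is available; hosts passed on the command line
# are placeholders chosen by the user.

# Print the Organization (O=) component of a PEM certificate's issuer.
# sep_multiline puts each name component on its own line, so a simple
# sed match on the O= line is enough (tolerates "O=" and "O = ").
cert_issuer_org() {
    openssl x509 -in "$1" -noout -issuer -nameopt sep_multiline |
        sed -n 's/^ *O *= *//p'
}

# Fetch the leaf certificate presented for the given host (sent as SNI,
# which is what selects the certificate on shared front ends), save it
# as PEM in a temp file, and print the issuing organization.
# Requires network access.
server_issuer_org() {
    host="$1"
    pem=$(mktemp)
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > "$pem" || { rm -f "$pem"; return 1; }
    cert_issuer_org "$pem"
    rm -f "$pem"
}

# Exit status 0 when the seal's claimed CA organization equals the issuer
# organization of the certificate in the PEM file, 1 otherwise.
seal_matches_cert() {
    claimed="$1"
    pem="$2"
    actual=$(cert_issuer_org "$pem")
    [ "$actual" = "$claimed" ]
}

# Usage: sh seal_check.sh www.example.co.uk www.example.com
# Prints the issuing organization per host so mismatched seals stand out.
for h in "$@"; do
    printf '%s issued by: %s\n' "$h" "$(server_issuer_org "$h")"
done
```

Run it with the host names behind each seal you want to check; if a page advertises one CA and the issuer printed for that host is another, the seal is decorative, exactly as the answer describes. Only the chain the browser validated, reachable through the padlock or through `openssl s_client`, tells you who vouched for the site.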