Security and certificates

This isn't really about any kind of anti-malware program in particular, but since I can't find a better place on this forum I'll post it here.

This is about (SSL?) certificates. I'm not at all an expert in this field, please keep that in mind. Sometime ago I read something about this security issue, but I don't remember where !

I'm not sure if there is a difference between SSL certificates or any other (?) certificates that are used by many sites, for example Paypal.

Now, when you log in on Paypal's website you can by right clicking at the right place on the address bar see that the certificate is signed by Verisign. That would suggest you can trust it. But what if a certificate is signed by the Hong Kong Post Office or something more obscure ? (I seem to recall that you can expand the number of certificates organizations issuing certificates by downloading certain non-essential updates for Windows XP, which I did ...)

Aside from just being super-paranoid about certificates (and certificates may play a role in, for example, security software, but I don't know or if), what can you do to mitigate this risk ? Even aside from just checking certificates when you log in, how do you know that the certificate has not been forged ?

These seem to be sensible questions, maybe some people can provide some answers ?

 

SSL is the protocol, and a certificate provider is known as a CA. They're a "trusted third party" - meaning, if you can verify it's their signature, then the certificate would be valid and indeed indicate a secure/encrypted connection.

I'd recommend reading up on SSL and CA's. Something like Wikipedia would be an okay start:

http://en.wikipedia.org/wiki/Ssl_certificate

http://en.wikipedia.org/wiki/Certificate_Authority