“A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don’t even do that.”

“SSL certificates are the primary mechanism for ensuring that secure web sites — those displaying that reassuring “padlock” icon in the address bar — really are who they purport to be. In order for your browser to display the padlock icon, a web site must first present a “certificate”, digitally signed by a trusted “root” authority, that attests to its identity and encryption keys.”

“Unfortunately, through a confluence of sloppy design, naked commercial maneuvering, and bad user interfaces, today’s web browsers have evolved to accept certificates issued by a surprisingly large number of root authorities, from tiny, obscure businesses to various national governments. And a certificate from any one of them is usually sufficient to bless any web connection as being “secure”.”
The Spy in the Middle: Are SSL certificates even more broken than we thought?
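As an added example (not code from the post quoted above), the following script uses the openssl CLI to reproduce the property the quote describes: a leaf certificate issued by one small root passes path validation whenever that root sits anywhere in the trust bundle, however many other roots share the bundle with it. The CA names and the hostname example.test are constructed; the script requires the openssl command.

```shell
#!/bin/sh
# Added example, not from the quoted post. Two unrelated self-signed roots
# ("Big Name CA" and "Obscure CA", constructed names) stand in for the many
# roots a browser ships with; the leaf for example.test is issued only by
# the obscure one. Requires the openssl CLI (1.1.1 or 3.x).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root certificate plus private key. With the default OpenSSL
# configuration, `req -x509` marks the certificate CA:TRUE.
make_root() { # stem, common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Leaf certificate for a hostname, signed by the named root.
issue_leaf() { # stem, hostname, root stem
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
        -CAcreateserial -days 2 -out "$1.pem" >/dev/null 2>&1
}

# Path validation as a client performs it: exit 0 when the chain ends at
# any anchor present in the bundle, non-zero otherwise.
chain_accepted() { # bundle, leaf
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_root bigname "Big Name CA"
make_root obscure "Obscure CA"
issue_leaf leaf example.test obscure
# A browser's store is the union of every root it trusts.
cat bigname.pem obscure.pem > browser_store.pem

report() { # label, bundle, leaf
    if chain_accepted "$2" "$3"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}
report "Big Name CA alone"     bigname.pem       leaf.pem
report "Obscure CA alone"      obscure.pem       leaf.pem
report "store with both roots" browser_store.pem leaf.pem
```

Only the obscure root has to be present for the leaf to validate; the reputable root's presence neither helps nor hinders, which is why a single weak root undermines the whole store.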