Covered in Scorpions
May. 29th, 2012
The junk undermining SSL/https makes me angry. For people who don't make websites, here is a quick explanation: https means your connection with a website is both encrypted and verified to be with the real site. The encryption is a good and desirable thing. The verification is achieved through third-party "root certifiers", and costs an unjust amount of money every month (given that the act of weakly verifying that you are who you claim to be is done once, and renewing is done without human intervention, a cost of say $50 once and maybe $5 per year would be reasonable). There exist organizations that verify who you are better, and issue SSL certificates at no cost, but they're not in the "approved list", so browsers won't recognize those certificates.
Now the thing that makes this annoying is that when the browser doesn't recognize a certificate's verifier, you get giant alert boxes swearing that the offered certificate is made of toxic slime and will eat your face off given the chance, making it seem like the website in question is less secure than a website that doesn't even try to be secure (i.e. you don't get any alerts about face-eating when you go to any site without https). So while you technically can have just the encryption without the verification, using a self-signed certificate, no users would visit your site because their browser makes it sound like a terrible, scary disaster waiting to happen.
Now to some extent this does make sense - it's plausible that, with an unverified certificate, someone can intercept your conversation with a server by pretending to be the server, to you, and pretending to be you, to the server, and thus steal all the data. This is known as a man in the middle attack. It's prevented by root certificate verification. The prevalence of this kind of attack is approximately zero attacks in every thousand, so the mandatory verifying is very helpful for preventing those zero attacks.
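To see what "verified" actually means at the browser's end, here is an added example (not from the post): it uses the openssl command-line tool, assumed installed, to build throwaway self-signed and CA-issued certificates and checks each one against an "approved list", which is the same yes/no the browser turns into the alert box. All names and files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post): what "verification" in https boils down to.
# Assumes the openssl CLI is installed; every name and file here is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A self-signed server certificate: encryption without a third-party verifier.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.invalid" \
    -keyout "$WORK/site.key" -out "$WORK/site.pem" 2>/dev/null

# 2. A private root CA standing in for a "root certifier", plus a certificate it issues.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Private Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=example.invalid" \
    -keyout "$WORK/issued.key" -out "$WORK/issued.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/issued.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/issued.pem" 2>/dev/null

# verify_chain CERT TRUSTSTORE: exit 0 only if CERT chains to a root listed in
# TRUSTSTORE. This single yes/no is all the browser's scary alert box reports on.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# report CERT TRUSTSTORE LABEL: print the verdict in human-readable form.
report() {
    if verify_chain "$1" "$2"; then echo "$3: trusted"; else echo "$3: REJECTED"; fi
}

report "$WORK/site.pem"   "$WORK/ca.pem"   "self-signed cert, CA store"      # REJECTED
report "$WORK/issued.pem" "$WORK/ca.pem"   "CA-issued cert, CA store"        # trusted
report "$WORK/issued.pem" "$WORK/site.pem" "CA-issued cert, wrong store"     # REJECTED
# The very same self-signed cert is "verified" the moment its signer is on the list:
report "$WORK/site.pem"   "$WORK/site.pem" "self-signed cert, self in store" # trusted
```

The encryption is identical in all four cases; only the membership of the signer in the approved list changes the verdict.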
Without encryption at all, you can just passively 'sniff' traffic to steal passwords. This is maybe five attacks in every thousand; they could be prevented with encryption, and encryption would be a lot more prevalent if you didn't have to do the damn verifying. So that's five attacks in every thousand that aren't prevented because of the additional security price hurdle that stops websites from bothering with encryption. This is why I am annoyed by it.
Most of the other 995 out of a thousand attacks involve installing trojans on people's computers and stealing their passwords right from their keyboard or browser. None of the security measures discussed help with that. So basically, SSL certificates ask that you pay money every month to prevent zero attacks, to make your website more secure, while still being vulnerable to the vast majority of attacks. SSL is the internet's TSA.