Re: Re: [Off] Cheap SSL certificates?

Richard Lynch wrote:
And in the real world, where browsers just blindly chase down CAs and the basic Security Model is "you pay us $200, and we make sure you are who you say you are, and then we trust you", what real difference does it make?

Users can remove untrustworthy CA certs from their browsers.

There are certainly a zillion sites *I* do not trust that have high-priced CA-certified SSL certs...

And Joe Sixpack and Betty Buick just look for the little lock symbol to be closed, and gauge trustworthiness only on there being no popups warning them it's not secure, and that the site "looks" professional, and a "brand-name" on the logo/domain.

That's why there are organizations like WebTrust - to perform audits as
to how personal data is used.

So, why exactly would I pay for a $200 background check on myself, when I already trust myself? Why not pay $70 for an SSL with no background check on myself, so long as it makes Joe Sixpack and Betty Buick happy, if it's got 99% ubiquity?

As I said above, users may delete the CA cert from their browser.  This
means that the CA you pay $70 to would not be trusted - period.  One
day, many users will know the fact that the certificate should be
checked before sensitive information is sent through the SSL connection.

I'm often curious why exactly people think the SSL / CA system is so great, when it seems a whole lot like the Emperor's Clothes to me, or some kind of weird Ponzi scheme to line the pockets of a handful of companies, with very very very little added value to the end user.

It appears that you have never applied for a certificate before, or have applied for certs from CAs that don't verify information.  Identification is extremely important when it comes to knowing whether or not to trust the given public key.

I am not trying to humiliate you, but you may want to study cryptography and its use on the internet.  I operate my own web/e-mail server (and have been doing so for some time), and so I know how important it is to make sure a trustworthy CA signs a public key.

Cheers,

- KJM

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

