[illumin8]

Although I agree that having free SSL certificates is nice, I question whether it's actually a viable way to certify the authenticity of a site. Seriously, if you make it free, spammers will overrun it. Why should we trust free SSL certs? I think having a cost provides a certain barrier to entry that is good overall.

[jackowayed]

We don't need SSL certificates for authentication. I know that when I go to news.ycombinator.com, I'm getting Hacker News.

We need SSL certificates for encryption. With the certificate you get a private key that is used for secure communication between your browser and HN (both ways).

If it didn't cause every browser to show a big, scary, your-computer-will-instantly-explode-and-your-children's-social-security-numbers-will-be-stolen-if-you-continue, using self-signed certificates (ie. certificates that anyone can just generate) wouldn't be that big of a deal. It could open you up to a man-in-the-middle attack, but it's still way better than sending everything in the clear.

[MichaelGG]

> I know that when I go to news.ycombinator.com, I'm getting Hacker News.

How do you know that? That's the whole point of SSL - knowing that you've traded private keys with the right party.

SSL for "encryption only" only works to defend against attackers that can listen to your network, but cannot write to it. So, sure, it defends against some passive collection system, and perhaps against some tools that are designed to just listen.

But, if browsers stopped displaying warnings, so that using a "bad" certificate worked just fine, then I'd bet the tools would just switch to allow cert injection and we'd all be worse off.

[SomeCallMeTim]

There was a story I read a while back about a support ticket filed with Mozilla for FireFox complaining about all of these "security warnings" that would pop up at every HTTPS site the user visited.

She was apparently someone who should have known better, but instead was willing to believe that FireFox was just warning her spuriously about valid HTTPS certs -- yes, someone had hacked her computer, and was collecting every bank, credit card, and online shopping password as she fell for an MITM attack over and over.

[martey]

I believe that this is the bug: https://bugzilla.mozilla.org/show_bug.cgi?id=460374

[runningdogx]

In that case, Mallory was a fool. Mallory should have installed the MITM cert in the browser's certificate store, to prevent warnings. How many people routinely audit their browser's SSL cert list?

[gergles]

No, the point of SSL is encryption. SSH seems to handle key exchange just fine.

(Hint: https should have been implemented the same way. CAs are fundamentally broken.)

[kgo]

No, SSH does not. Have you ever actually verified a host fingerprint? Of course not, no one does.

That's the way it's supposed to work. You know the first time you logon to a server and it asks if you trust it? You're supposed to call up the server admin and get them to read off the fingerprint, or have them email it to you, or get it from some other out-of-band channel.

And no-one, nowhere actually verifies host fingerprints. Even security conscious people. And what do people do when they get that warning about a modified fingerprint? Just delete the entry from authorized_hosts and re-connect.

So ssh actually does a really shitty job handling key exchange.

Anyway, the closest thing to a real alternative to https and CAs is monkeysphere (OpenPGP WoT for servers), but no-one uses that.

[pyre]

If I got an error about a modified footprint I wouldn't "just delete the entry" and re-connect... unless I know why it's complaining. If there's a reasonable explanation for why the keys are different then I might do that.

While 'security conscious people' might not verify the fingerprint out-of-band when adding it the first time, I'm sure most of them wouldn't just remove the authorized_hosts entry...

[gaius]

Yes, I often see this and it's almost always that a VIP has moved physical hosts for whatever reason (e.g. planned maintenance on the original box). Occasionally it's that someone's re-JumpStart'd the box. That's sufficient to create a false sense of security, if it ever happened "for real" I would likely dismiss it.

[riffraff]

but that is the case in which yoiu _already have_ the footprint. Parent^2 is talking about the first connection, which is when you validate the fingerprint the first time.

[bmcc]

Several ssh implementations also support using certificates as hostkeys. Of course the ssh client will still need to be configured to trust the issuer but it can help with the 'first-connection-hostkey-fingerprint-verification' problem. In my experience most users will never verify the fingerprint.

[apotheon]

How does some corporation that will disclaim liability at the first sign of a light breeze telling you a site is "authentic" trump your own personal judgment? CAs are scams.

Use something like Perspectives instead of CAs:

http://www.techrepublic.com/blog/security/perspectives-bette...

[dmm]

StartSSL requires you to respond to an email sent to the address listed in the domain registration. That at least shows you have control of the domain. It also has certificates with greater levels of verification.

[dspeyer]

Being able to pay isn't a very good barrier. Being broke doesn't mean having no meaningful content, and most attackers who can make serious MitM attacks can pay. CAs are supposed to have real barriers (and I think most of them do).

In this case, though, we don't need a CA. PG could publish the key in an essay and we'd just carry it through manually.

[jimrandomh]

The point of collecting payment for certificates is not that attackers can't afford it, but that it enables the CA to do some cursory verification, and creates a trail of evidence if the certificate is used for a scam later.