by talmai 5559 days ago
At first I thought "The title is bait.... what a waste of time, etc...". Clearly the problem isn't HTTPS, it is the current CA structure. I then went on Chris' site (http://noncombatant.org/) and there he summarizes it well: "The problems are social and economic more than technical. The technical problems are in usability, not in cryptography. In general, security people should start learning about usability."

I still argue that there is no 'usability' problem, but rather 'ignorance'. The fact that https has been hailed as 'secure' to the user (who has no formal understanding of what 'secure' is) is what has led up to the problem he is venting about...


I’m not sure that usable security is possible. In general, it’s the pattern that security requires less than ideal user experiences. For example, being emailed your password when you forget it would be “nicer” than getting a password-reset link, but requires breach of server-side best practice; not having to use a password at all would of course be the very easiest and least secure “solution” for authentication; the most secure measures require two-factor authentication and are necessarily the most annoying.

The observation of this pattern is perhaps obvious, but important.