by timg 6961 days ago
"""I don't see what's terrible about browser makers trusting certain authorities"""

Because the authorities trust anyone who pays them 20 bucks. THEN, the users trust any site where the address bar turns yellow. Do you see the break in the chain here?

1 comments

You're changing your argument. Your initial point was that encrypted HTTP should be free. It is.

Then you switched to say that you can't really trust Authorities. Maybe so, but the current setup seems better to me than the alternatives.

Read Schneier's take on it that I linked to. He agrees that this false sense of positive identification can be WORSE than none at all. And that has to do with the warnings that the browser gives, not the matching up of the domain names.

Second, my argument has always been that the browser should not harass the user of a site that has not taken part in this PHONY identification procedure.

Heck, even Google AdSense has seen through this scam and not bothered to pay the fee.

Edit: To clarify, most users equate signed SSL certificate == trustable site. That is WRONG. Verisign does not vigorously establish the non-evilness of your site.

Example: http://blog.washingtonpost.com/securityfix/2006/02/the_new_face_of_phishing_1.html