by dkokelley 4813 days ago
> Why would I want to pay if there are alternatives offering the same product at no cost?

Because free isn't necessarily a sustainable model given the current CA environment. Any server can generate its own certificate, but this does little to verify the identity of the server you are connecting to.

My point is that CAs provide a service that can't reliably be accomplished for free (yet - the CA model has many of its own issues). If you can find one for free, I would be led to ask "what are their motives for providing this service to me?"

2 comments

It would be nice to have the option of encryption without identity validation. Most people interact with most sites without it today -- over HTTP. The only reason we can't encrypt all those connections is the big scary error message browsers throw up when you do so without paying a CA for their signature.

It has nothing to do with paying money, it has to do with reputation. The fact that most of the companies (CAs) that are willing to put their reputation on the line for you will do a bit of checking to make sure you're who you say you are, and that this process incurs some overhead, is a byproduct.

Let's put it another way, would you really trust that you're talking to https://www.amazon.com if it's trivial to get a cert for www.amazon.com[1] that's signed by a CA that the browsers include and trust[2]? How is it any different if the browser doesn't tell you the current cert is of dubious reputation?

[1]: It is, I could generate one right now using openssl.

[2]: It's not, that's why the system works.

Web-of-trust schemes are effective. The usual way we find out about stuff like this happening is word-of-mouth. Infrastructure for the process would automate it - after all the only thing you need is a way to say "this is what the certificate's hash should be".

I'm not asserting that there's no other way to do it, just that getting rid of the popup that says the site is untrusted is not a solution, nor even a step in the right direction, IMHO.

That wouldn't solve the problem in the posted article at all, though. The ad-inserting proxy could then just un-encrypt and re-encrypt.

The point of certs is to stop an attacker just sitting in the middle and handing out their own cert and you not being able to tell the difference.

Their motivation is to sell high assurance certificates to people who have been enticed by the free plans.

It costs them nothing more than a few seconds of server time to produce a signed certificate for me.