[phaet0n]

Despite all the hubbub about spying by the NSA and Huawei, an Israeli company would be the absolute last* one that I would trust with my company's security.

Alas, SSL, along with the DNS system, is just a massive internet racket.

(*) Of course I exaggerate, but only slightly.

[somesay]

Just another guy who talks about SSL without knowing the basics. I don't know what annoys me more: Someone how completely ignores cryptology and its security features or these guys who have such a dangerously low knowledge that they spread bullshit the whole day.

In fact, you don't have to trust StartSSL at all. They securely give you a valid cert while you don't have to reveal your private key at any time. Your private key is either generated manually on your sever by yourself or within the browser, on client side.

The important points are: StartSSL is trusted by all modern browsers and systems and they are cheap. There is nothing more to care about. In fact, _any_ trusted CA could be attacked and generate certs for man-in-the-middle attacks.

So, stop your stupid prejudice here. Actually, a CA from the Netherlands got known for being corrupted some years ago.

[phaet0n]

You are absolutely right that I didn't have to reveal my "prejudice" here.

For that I apologize.

However, you are mistaken that I don't have to trust StartSSL, or any CA at all. In requesting a certificate, I am siginalling that I require a method by which an unknown party can reasonably verify that they are indeed dealing with me. If I am already well known, and a target of attack, it doesn't matter which CA I deal with, every one is potential source of vulnerability. However, if I am not broadly known, and seeking out deals on certificates, and not investing in an EV certificate (why just get a padlock, get the snazzy green bar!), what exactly is the purpose of me investing in a certificate? Well, you're paying for your customers to have faith that whatever faith they have in you is not misplaced, or more precisely no bad guys will get their credit card number which they are sending to you, along with their personal details.

This whole idea behind SSL, https, and ultimately DNS is a broken. And yes, my response was naive enough to be read naively. For that I'm sorry. But this particular post is probably not the place to discuss these shortcomings...

[somesay]

As you said, the hierarchical system is somehow broken. You are just paying to get a cert that is trusted by the browser and therefore looks fine for the user. Also you get some insurance thing and maybe a nice button to place in your web shop. That's all. The main point is using some encryption without throwing a warning message and gain some level of security.

Also, the "potential source of vulnerability" has nothing to do with how big you are.

SSL is as save as the CA list used by the browser is. It really doesn't matter which CA you actually choose then.

[phaet0n]

> SSL is as save as the CA list used by the browser is. It really doesn't matter which CA you actually choose then.

Which is why a _comprehensive_ history of when, how, and why CA root certs were added to various browsers, and the politicking behind it, would be quite illuminating.

Recall it was only around 2000 when the US relaxed export restrictions somewhat on cryptographic software. [1] So given that sensitive fact, the policy, and architecture of systems such as browser security should be questioned, especially because a select few are making essentially free money selling green address bars.

[1] http://en.wikipedia.org/wiki/Key_size#Symmetric_algorithm_ke...