You are absolutely right that I didn't have to reveal my "prejudice" here. For that I apologize. However, you are mistaken that I don't have to trust StartSSL, or any CA
at all. In requesting a certificate, I am signalling that I require
a method by which an unknown party can reasonably verify that they are
indeed dealing with me. If I am already well known, and a target of
attack, it doesn't matter which CA I deal with; every one is a potential
source of vulnerability. However, if I am not broadly known, and
seeking out deals on certificates, and not investing in
an EV certificate (why just get a padlock, get the snazzy green bar!), what exactly is the purpose of me investing in a
certificate? Well, you're paying for your customers to have faith
that whatever faith they have in you is not misplaced, or more precisely
that no bad guys will get their credit card number which they are sending to
you, along with their personal details. This whole idea behind SSL, https, and ultimately DNS is broken. And
yes, my response was naive enough to be read naively. For that I'm
sorry. But this particular post is probably not the place to discuss
these shortcomings...
Also, the "potential source of vulnerability" has nothing to do with how big you are.
SSL is as safe as the CA list used by the browser is. It really doesn't matter which CA you actually choose then.