by somesay
4716 days ago
As you said, the hierarchical system is somehow broken. You are just paying to get a cert that is trusted by the browser and therefore looks fine for the user. Also you get some insurance thing and maybe a nice button to place in your web shop. That's all. The main point is using some encryption without throwing a warning message and gaining some level of security. Also, the "potential source of vulnerability" has nothing to do with how big you are. SSL is as safe as the CA list used by the browser is. It really doesn't matter which CA you actually choose then.
Which is why a _comprehensive_ history of when, how, and why CA root certs were added to various browsers, and the politicking behind it, would be quite illuminating.
Recall it was only around 2000 when the US relaxed export restrictions somewhat on cryptographic software. [1] So given that sensitive fact, the policy and architecture of systems such as browser security should be questioned, especially because a select few are making essentially free money selling green address bars.
[1] http://en.wikipedia.org/wiki/Key_size#Symmetric_algorithm_ke...