How is SSL hopelessly broken? Let us count the ways

jamescv7

Mar 15, 2011
Analysis: Every year or so, a crisis or three exposes deep fractures in the system that's supposed to serve as the internet's foundation of trust. In 2008, it was the devastating weakness in SSL, or secure sockets layer, certificates issued by a subsidiary of VeriSign. The following year, it was the minting of a PayPal credential that continued to fool Internet Explorer, Chrome and Safari browsers more than two months after the underlying weakness was exposed.

And in 2010, it was the mystery of a root certificate included in Mac OS X and Mozilla software that went unsolved for four days until RSA Security finally acknowledged it fathered the orphan credential.


bogdan

Jan 7, 2011
A really good article. Certification Authorities (CA) are mostly interested in making a profit. Melih admits it:
"We as a company don't believe in DV certificates, although we do provide them because of the commercial pressure."

OK, maybe we can say that "SSL is broken" because it relies on certificates emitted by a "trusted third party" (CA) - and apparently we can't trust them. There are too many CAs around the globe and we have to trust all of them.
 
