It’s Time To Abolish SSL Certificate Authorities

Yet another case this week where unsuspecting users were compromised because a certificate authority that they had never heard of screwed up. In case you hadn’t heard, they issued a certificate for (Google!) to somebody other than Google, and apparently that certificate was in fact used to compromise users in Iran.

This is not exactly the first time a high-profile case like this happens, and who knows how many not-so-high profile cases happen that we never hear about.

You might think that these kinds of things just happen, and there’s little anybody can do about it. Well, no, and it is scandalous that this industry of ours hasn’t fixed the problem yet. The problem is that we rely on certificate authorities when there is no earthly reason that we should. And that all the browser manufacturers hard-code that reliance into their browsers and don’t offer any better options.

To quote Bruce Schneier, about as much of an authority on security as anybody:

Digital certificates provide no actual security for electronic commerce; it’s a complete sham.

Repeat after me: Sham. Why again do we have them? So somebody can easily impersonate Google to Iranian internet users? Sometimes you’ve got to be wondering …


Comments are closed.