Copyright © 2009 What The Hell? Security
What do you call a ubiquitous security technology that has only ever delivered on half its promise? SSL.
Don’t get me wrong. SSL has proven pretty decent at delivering transport security. For B2B applications requiring mutual authentication, that is. (Ironically, in many cases those applications use manually-exchanged self-signed certificates, but that’s a topic for a different day.)
In the consumer context, many say that SSL has done the World Wide Web a world of good. I vehemently disagree. In fifteen years, it’s never scored higher than 50% on its competency test.
Sure, consumers also benefit from a protected transport. So I’ll round up and stipulate it scores 5 out of 5. It’s the other 5 that are the problem. When it comes to helping consumers identify legitimate sites, I score it 0 out of 5.
Why zero? Because I also rounded up. It’s really more like -1. It’s done harm, not good. For one, no consumer can make sense of a field of one million ostensibly legitimate sites, which is how many unexpired SSL certificates are out there today. For two, most of those certificates were issued with the same level of diligence that goes into vetting a domain name buyer: none. For three, consumers don’t know how to spell SSL, nor do they want to, nor should they have to.
But apparently CAs expect consumers to. Unless they don’t, in which case exposing consumers to SSL would only confuse them, which indeed it has.
Either way, consumers have been going it alone for 15 years. And why are we surprised that there is so much fraud? Me, I’m surprised there’s so little.