Copyright © 2009 What The Hell? Security
What does SSL stand for? H-Y-P-N-O-T-I-S-M.
No, really. Give me the first answer that comes to your mind. Don’t filter it. Why do you purchase SSL certificates for your site?
You answered something having to do with security, right? You are so not right. What you’re doing is buying your way out of the penalty-boxes-from-hell that browsers present when they encounter a certificate signed by an unrecognized CA. The system is rigged, and in my book that’s a bribe.
Look, I’m not trying to be cynical, or cute, or anything of the sort. I’m being brutally objective. SSL purports to do only two things:
- unilaterally or mutually authenticate the application endpoints
- establish an encrypted and integral channel
If that sounds like security stuff, that’s because it is. No argument there. But that’s not what I’m talking about. Let’s examine these separately.
1. Unilaterally or mutually authenticate the application endpoints. First, let’s agree that nobody in their right mind requires mutual authentication when one endpoint is a browser. It’s two orders of magnitude too high of a bar. (Until fairly recently Amazon.com allowed one-character passwords. Well, actually it allowed zero, only that would lock you out of your account.)
But there is value in authenticating the server end, right? Wrong. If that were true people would be able to distinguish between legitimate and fraudulent sites. If that were true, we wouldn’t have phishing. If that were true, we wouldn’t need EV-SSL. If that were true, we’d all be mathematicians.
Summing it up, excepting for the minor net impact of EV-SSL, there’s no business value in #1. Self-signed server certificates would suffice just as well — if we could keep browsers from having cows over them.
2. Establish an encrypted and integral channel. SSL does this perfectly well even in the case of self-signed certificates. Despite what anybody might tell you, you’re not paying for mathematical privilege.
Case closed. Except you might be wondering why I said hypnotism. It’s like this: We bought into the CA model hugely in 1995, and the only thought we’ve given to it since is how to make more money off it (if you’re a CA) or how much cheaper it is to buy Godaddy’s certs instead of VeriSign’s (if you operate a website).
When you do something you’d rather not do for fifteen months running you become numb to it. When you do it for fifteen years running you become numb to the numbness. So you keep writing checks. And the truth is, even if we weren’t numb over this, it’s probably easier just to keep writing checks than it is to buck the system.
P.S. You might have the impression that I don’t like SSL, or CAs, or the rigid PKI model this stuff is built on. Respectively: (1) I do; (2) I don’t, but only because they’re unimaginative and uninventive, and in VeriSign’s case they’re arrogant to a fault; (3) It’s ok.
What I don’t like is how we’re using SSL in the browser. There are killer apps out there waiting to happen, like certified webforms. Of which, incidentally, communicating the site owner is among their least interesting features.