Extended validation certificates
Posted Nov 3, 2006 2:34 UTC (Fri) by pimlott
In reply to: Extended validation certificates
Parent article: Extended validation certificates
The solution for bank sites, at least, is to print the certificate fingerprint on bank statements and ATM cards.
That's absurd, as is the claim in the article that SSL is "meaningless for anything other than an indication that the traffic is encrypted". All the bank has to do is give me an https URL, and I type it in, and I can have quite high confidence I'm talking to my bank. It's not airtight: I could mis-type--though of course I only need to type it once, then bookmark it; and there have been incidents of registrars giving certs to non-owners of domains. But it's practical and I trust it with my finances.
Which is not to say that SSL as deployed today is a resounding success--far from it. But suggesting that the padlock is "meaningless" or that users should be checking fingerprints by eye is not productive. The scheme discussed in the article, on the other hand, may be. Let's take the time to look at it and find out.