Laurie: Improving SSL certificate security
Posted Apr 3, 2011 17:58 UTC (Sun) by jthill (subscriber, #56558)
In reply to: Laurie: Improving SSL certificate security by Kit
Parent article: Laurie: Improving SSL certificate security
I wish people would distinguish certificates from keys. A CA signing a key doesn't make the key valid. Trusting a CA is tantamount to surrendering to a MITM attack in advance -- in every real sense, a CA _is_ a MITM.
If your partner's system and your system are uncompromised (i.e. the attacker is still "in the middle"), a valid key makes the connection absolutely secure. Google's effort is an attempt to make it easier to be ~mostly sure~ a key is valid, and I think it's a good one, but I also think that the real problem is going to be getting people to verify keyprints at all -- the entire CA-infrastructure tribe eats by keeping people ignorant and verification inconvenient, so you can expect any effort like Google's to be met with a FUD storm.
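The distinction the comment draws, a key versus a certificate that some CA happened to sign, is easiest to see by pinning the SubjectPublicKeyInfo rather than the certificate. The following is an added example, not code from the LWN thread or from Google's proposal. It uses only the Python standard library: a minimal DER encoder and decoder build three constructed, toy-sized certificates (the modulus is a 32-byte hash, not a real RSA key, and the signatures are filler bytes), then an RFC 7469-style pin, base64(SHA-256(DER SubjectPublicKeyInfo)), is compared across them. The CA names, serials and the `example.com` subject are all made up for the demonstration.

```python
"""Pin the server's public key (SubjectPublicKeyInfo), not its certificate.

Added example for the LWN comment above, not code from the thread. Standard
library only: a small DER encoder/decoder builds constructed certificates and
an RFC 7469-style SPKI pin is computed and compared across them.
"""
import base64
import hashlib

# ASN.1 tags used below
SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID = 0x30, 0x31, 0x02, 0x03, 0x05, 0x06
UTF8STRING, UTCTIME, CTX0 = 0x0C, 0x17, 0xA0


def der(tag, body):
    """Encode one DER TLV (short and long definite-length forms)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_int(value_bytes):
    """DER INTEGER: prepend 0x00 when the high bit would read as a sign bit."""
    if value_bytes[0] & 0x80:
        value_bytes = b"\x00" + value_bytes
    return der(INTEGER, value_bytes)


def read_tlv(buf, pos=0):
    """Decode one TLV at pos; returns (tag, body, raw_element, next_pos)."""
    start = pos
    tag = buf[pos]
    pos += 1
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end


def read_children(body):
    """Decode all TLVs contained in a constructed element's body."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, raw, pos = read_tlv(body, pos)
        out.append((tag, val, raw))
    return out


def spki_from_cert(cert_der):
    """Return the raw SubjectPublicKeyInfo element of a DER X.509 certificate."""
    tag, body, _, _ = read_tlv(cert_der)
    if tag != SEQUENCE:
        raise ValueError("not a DER Certificate")
    _, tbs, _ = read_children(body)[0]          # tbsCertificate
    fields = read_children(tbs)
    if fields[0][0] == CTX0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]


def spki_pin(cert_der):
    """RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()


def key_pinned(cert_der, expected_pin):
    """True only if the certificate carries the key the user verified out of band."""
    return spki_pin(cert_der) == expected_pin


# --- constructed test data (toy key sizes, filler signatures; not real certificates) ---
def make_rsa_spki(modulus):
    alg = der(SEQUENCE, der(OID, bytes.fromhex("2A864886F70D010101")) + der(NULL, b""))  # rsaEncryption
    rsa_key = der(SEQUENCE, der_int(modulus) + der_int(b"\x01\x00\x01"))
    return der(SEQUENCE, alg + der(BIT_STRING, b"\x00" + rsa_key))


def make_cert(issuer_cn, subject_cn, serial, spki, signature):
    def name(cn):  # Name ::= SEQUENCE OF SET OF { commonName OID, value }
        return der(SEQUENCE, der(SET, der(SEQUENCE, der(OID, bytes.fromhex("550403")) + der(UTF8STRING, cn.encode()))))
    sha256_rsa = der(SEQUENCE, der(OID, bytes.fromhex("2A864886F70D01010B")) + der(NULL, b""))
    validity = der(SEQUENCE, der(UTCTIME, b"110403000000Z") + der(UTCTIME, b"120403000000Z"))
    tbs = der(SEQUENCE, der(CTX0, der_int(b"\x02")) + der_int(serial) + sha256_rsa
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der(SEQUENCE, tbs + sha256_rsa + der(BIT_STRING, b"\x00" + signature))


KEY_SERVER = make_rsa_spki(hashlib.sha256(b"server key").digest())    # the real server's key
KEY_MITM = make_rsa_spki(hashlib.sha256(b"attacker key").digest())    # a key the server never had
# Two CAs certify the same server key; the trusted CA also certifies the attacker's key.
CERT_HONEST = make_cert("Honest CA", "example.com", b"\x01", KEY_SERVER, b"\x11" * 32)
CERT_OTHER_CA = make_cert("Other CA", "example.com", b"\x02", KEY_SERVER, b"\x22" * 32)
CERT_MITM = make_cert("Honest CA", "example.com", b"\x03", KEY_MITM, b"\x33" * 32)
PINNED = spki_pin(CERT_HONEST)   # what the user verified out of band once

if __name__ == "__main__":
    for label, cert in [("honest CA", CERT_HONEST), ("other CA, same key", CERT_OTHER_CA),
                        ("honest CA, attacker key", CERT_MITM)]:
        print(f"{label:26s} pin={spki_pin(cert)} ok={key_pinned(cert, PINNED)}")
```

The third certificate is the case the comment describes: a fully trusted CA has signed a key that is not the server's, so chain validation passes while the key pin fails; the second shows the converse, a different issuer with the same key is still the right peer. Against a real certificate the same pin is obtained with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`.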
