A couple days ago I posted a reaction to the “SSL is Broken” topic floating around. Via Securosis I was pointed to a much better article directly from the mouth of an expert: SSL And The Future Of Authenticity by Moxie Marlinspike.
Rather than go all sensational and say something like, “SSL is broken,” Moxie digs much deeper and smarter by tackling the specific problems with SSL, namely authenticity and “trust agility.”
I look forward to Moxie’s future posts on proposed solutions. I agree with his sentiments, and I firmly agree with his reservations about tossing away CAs for a kneejerk replacement that may not be better and my in fact be worse!
This illustrates part of my point in my post: it is hard to patch an ultimately human problem. And I still really think that trust in a human-backed entity is inherently going to be a problem unless they have the ethics of the Supreme Court or something And globally, that will never be possible. This is why I’ll sympathize with the idea there are issues with SSL, but it might just be “good enough.”
[struck a really offtopic rant about complaining, thinking several plays ahead, and ultimately “just enough security” being ok, i.e. there *are* shades of grey…none of which was ever worth reading and so unformulated…]
To briefly put on my tinfoil hat, it might be worthwhile to say something like, “Let’s just get perfect, universal encryption for everything.” But never, ever, ever underestimate the desire for governments (and on smaller scales, corporate entities) to have the ability to intercept and inspect. Ever. China and other countries may make the news with their heavy-handedness, but don’t think for a moment that govs like the US don’t do many of the same things, only in more secrecy.