
SSL Still Mostly Misunderstood, Even By the Pros

An anonymous reader writes "People still don't understand SSL. This isn't much of a surprise... no one expects that grandma and grandpa know what SSL is and what it does. What is surprising and downright scary is that most IT professionals don't understand SSL, and many consider it to be the be-all, end-all of security in their organization. With all the tools out there to manipulate SSL connections, and the browser vendors unable to settle on a single method of showing if a site is secured by SSL or not, is it any wonder that no one gets it?"

  1. Re:SSL is trying to do too much. by ObsessiveMathsFreak · Score: 1, Flamebait

    Firefox warnings are getting worse in each version and, from the user's perspective, it seems that encrypting with a non-official certificate is much worse than not encrypting at all. .... I suspect there is money involved in getting into that list though.

    The only sane reason I can come up with for the continuing insanity of the Firefox self-signed cert warnings is direct kickbacks to the Mozilla foundation from Verisign and the like. I have little doubt that at the very least, "consultation" with Verisign and the like led to that ridiculous yellow policeman and his preference for plaintext or paid certificates.

    Self-signed certs serve a purpose. They offer an encrypted connection, which is a solid and concrete improvement over a plaintext transmission. Sure, they are not signed by proper "authorities". Sure, there is the risk of a man-in-the-middle attack. But you tell me which is more likely: your encrypted login being intercepted by a man in the middle, or your unencrypted login being intercepted by a traffic sniffer?

    The current hysterical warning Firefox throws up about self-signed certs, which forces users to run a gauntlet before they can use an encrypted channel, is the sign of developers too concerned with internet commerce and cold war game theory to see the practical benefit of mass, cheap encryption in this day and age. But given its tone and severe implementation, I find it difficult to believe that an open source development team came to that decision on their own.

    Firefox has single-handedly set the secure web back five years. Instead of allowing the web and technology to evolve beyond its specifications, they stuck rigidly to RFC outlines made thirty years ago, and we are all suffering because of it.

    --
    May the Maths Be with you!
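The comment above separates two things a certificate warning is about: an encrypted channel (which a self-signed cert does give you) and an authenticated one (which it does not, unless the client already trusts that specific key). The toy model below, added here as an illustration and not part of the thread or of any browser's code, makes that distinction concrete. It is a constructed finite-field Diffie-Hellman handshake with a deliberately tiny group; the server's static public value stands in for its certificate, and a client that "pins" that value models a browser that trusts the cert, while a client with nothing pinned models clicking through the warning. An active relay that completes a separate handshake with each side ends up holding both session keys when nothing is pinned, and is detected when the client checks the server's authentication tag. A passive sniffer, by contrast, sees only the public values in either case.

```python
import hashlib
import hmac
import secrets

# Toy group (constructed for illustration; far too small for real use):
# the Mersenne prime 2**127 - 1 with generator 5.
P = 2**127 - 1
G = 5


def keygen():
    """Return a (private, public) Diffie-Hellman pair in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(shared, transcript):
    """Derive a session key from the DH shared secret and the handshake transcript."""
    return hashlib.sha256(str(shared).encode() + b"|" + transcript).digest()


def auth_tag(static_shared, transcript):
    """Authentication tag over the transcript. Only the server (static private key)
    and a client that pins the matching public key can compute static_shared."""
    return hmac.new(str(static_shared).encode(), transcript, "sha256").digest()


class Server:
    """Server with a long-term key; static_pub plays the role of the certificate."""

    def __init__(self):
        self.static_priv, self.static_pub = keygen()

    def respond(self, client_pub):
        eph_priv, eph_pub = keygen()
        transcript = f"{client_pub}|{eph_pub}".encode()
        tag = auth_tag(pow(client_pub, self.static_priv, P), transcript)
        return eph_pub, tag, session_key(pow(client_pub, eph_priv, P), transcript)


class Client:
    """pinned=None models accepting any self-signed cert; a pinned public value
    models a server identity the client already trusts."""

    def __init__(self, pinned=None):
        self.pinned = pinned

    def handshake(self, send):
        eph_priv, eph_pub = keygen()
        server_pub, tag = send(eph_pub)
        transcript = f"{eph_pub}|{server_pub}".encode()
        if self.pinned is not None:
            expected = auth_tag(pow(self.pinned, eph_priv, P), transcript)
            if not hmac.compare_digest(expected, tag):
                raise ValueError("server authentication failed: possible man-in-the-middle")
        return session_key(pow(server_pub, eph_priv, P), transcript)


def run(server, client, active_attacker=False):
    """Run one handshake. Returns (client_key, notes); notes records the key the
    server derived and, if a relay was present, the keys the relay derived."""
    notes = {}

    def direct(client_pub):
        server_pub, tag, key = server.respond(client_pub)
        notes["server_key"] = key
        return server_pub, tag

    def relay(client_pub):
        # Active relay: a real handshake with the server using its own ephemeral
        # key, then a second one with the client. It holds no static key, so the
        # tag it hands the client is a forgery.
        a_priv, a_pub = keygen()
        server_pub, _tag = direct(a_pub)
        notes["attacker_server_key"] = session_key(
            pow(server_pub, a_priv, P), f"{a_pub}|{server_pub}".encode())
        b_priv, b_pub = keygen()
        transcript = f"{client_pub}|{b_pub}".encode()
        notes["attacker_client_key"] = session_key(pow(client_pub, b_priv, P), transcript)
        return b_pub, auth_tag(0, transcript)  # forged: the real static secret is unknown

    client_key = client.handshake(relay if active_attacker else direct)
    return client_key, notes


if __name__ == "__main__":
    srv = Server()
    key, notes = run(srv, Client(), active_attacker=True)
    print("unpinned client, relay present: keys match?", key == notes["server_key"])
    try:
        run(srv, Client(srv.static_pub), active_attacker=True)
    except ValueError as exc:
        print("pinned client, relay present:", exc)
```

The four cases worth stepping through are honest/unpinned (keys agree), relay/unpinned (the client and server each agree with the relay, not with each other, and nothing on either side signals a problem), honest/pinned (keys agree and the tag verifies), and relay/pinned (the handshake aborts). What the browser warning communicates is that the client is in one of the two unpinned rows and cannot tell which.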