Slashdot Mirror


22 Million SSL Certificates In Use Are Invalid

darthcamaro writes "While SSL certs are widely used on the Internet today, a new study from Qualys, set to be officially released at Black Hat in July, is going to show some shocking statistics. Among the findings in the study is that only 3% of SSL certs in use were actually properly configured. Quoting: '"So we have about 22 million SSL servers with certificates that are completely invalid because they do not match the domain name on which they reside," Ivan Ristic, director of engineering at Qualys, said.'"

1 of 269 comments

  1. PGP / GPG / AES Instead of SSL? by greenlead · Score: 0, Troll

    How long until we get a server/browser plugin set to allow the use of AES (or a similar simple, common encryption scheme)? Users would trade public keys with the server when registering for a website. The website then sends any sensitive files through an encryption phase. The file is downloaded to a temp folder, unencrypted to HTML, and displayed on the browser window. Surely this would be a better solution than the needlessly complex SSL "solution"!

    SSL is a scam; let's replace it with something that works.

    I am angrier than usual because I had to spend hours struggling to configure a VMware server through a browser interface that refused to work with modern web browsers, all because of nosy browsers which refused to accept its self-signed cert. *arrggg!!!!*