Can We Fix SSL Certification?

Em Adespoton writes "At DEFCON this year, Moxie Marlinspike gave an excellent presentation showing how broken the current SSL certification model is and proposing a replacement. Naked Security adds to the issue, asking: does it even matter if you can trust your certificate notaries?"

Distribute Certificates via DNS (using DNSSEC)?

[SmilingBoy]

Wouldn't it be possible to verify the certificates via the DNS? Once that is secured with DNSSEC, this should be a very good solution. Or am I missing something?

Re:Distribute Certificates via DNS (using DNSSEC)?

[vlm]

Wouldn't it be possible to verify the certificates via the DNS? Once that is secured with DNSSEC, this should be a very good solution. Or am I missing something?

That DNSSEC is even worse of a single point of failure than SSL. Same type/class of problem, just worse.

If you thought the SSL providers were shady, you'll think them heroic princes of justice once you start dealing with DNS registrars.

Why the fuck should i need an authority ?

[unity100]

all i need is a key to encrypt my communication with. if i can do it with an openssl command on some local computer, none should need to pay anything to 3rd parties to use ssl certs on their servers.

no - i dont need anyone to 'verify' any domain. i dont buy from any sites i dont know and trust, and therefore third party intermediaries cashing in by selling me trust is totally unnecessary. not that it works at all though - even a megacorporation can swindle you through numerous means.

Re:No

[amorsen]

You can only trust what you can see with your own eyes; trust does not inherit, plain and simple. Any system that relies on inherited trust is broken before it starts.

Our whole society is reliant on inherited trust. Feel free to try to escape from it.