Security Collapse In the HTTPS Market
CowboyRobot writes: HTTPS has evolved into the de facto standard for secure Web browsing. Through the certificate-based authentication protocol, Web services and Internet users first authenticate one another ("shake hands") using a TLS/SSL certificate, encrypt Web communications end-to-end, and show a padlock in the browser to signal that a communication is secure. In recent years, HTTPS has become an essential technology to protect social, political, and economic activities online. At the same time, widely reported security incidents (such as DigiNotar's breach, Apple's #gotofail, and OpenSSL's Heartbleed) have exposed systemic security vulnerabilities of HTTPS to a global audience. The Edward Snowden revelations (notably around operation BULLRUN, MUSCULAR, and the lesser-known FLYING PIG program to query certificate metadata on a dragnet scale) have driven the point home that HTTPS is both a major target of government hacking and eavesdropping, as well as an effective measure against dragnet content surveillance when Internet traffic traverses global networks. HTTPS, in short, is an absolutely critical but fundamentally flawed cybersecurity technology.
There was an offered solution, and a damn good one that was highlighted here on /.
http://it.slashdot.org/story/12/07/25/1612236/father-of-ssh-says-security-is-getting-worse
SSH extension to HTTP and some clever simplistic key management for end users. DONE.
It's not HTTPS that's insecure, it's the current certificate authenticity chain.
Eliminate that chain, work out a public exchange and verification program (something akin to bittorrent for gpg signed certificates from other people you trust.) and plug that in in place of the current certificate authority model and you're set.
This does of course require you to have people you trust who have some way to verify they got the 'original' copy of the certificate, and doesn't preclude using the equivalent of modern certificate authorities if desired.
It simply provides 3rd party verification if something appears to be up.
If you need a good example of how this might be carried out, look up 'WASTE', then imagine combining that with Slashdot's rating system utilizing the old Kevin Bacon skit about 6 degrees of separation. That should provide secure peering with a layer of trust model that would dwindle the farther away from you a 'trusted individual' is positioned. It's not as 'cheap' in terms of CPU, disk space, or memory requirements as the current system, but it would be harder to exploit than the current centralized system.
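The distance-weighted trust idea in the comment above, sketched as an added example that is not part of the original thread or any existing tool: peers' attestations of a site's certificate fingerprint are weighted by how many trust hops separate them from you, and the presented certificate is compared with the result. The halving decay, the acceptance threshold, and the peer names and fingerprints are assumptions constructed for illustration, and attestations are assumed to have had their signatures checked already.

```python
from collections import deque

DECAY = 0.5      # assumption: trust halves with every hop away from you
MAX_HOPS = 6     # the "six degrees" cut-off mentioned in the comment
THRESHOLD = 0.5  # assumption: minimum combined weight needed to accept

# Constructed sample data: who trusts whom, and which fingerprint each peer
# vouches for on one site. "mallory" is not reachable from "me".
GRAPH = {"me": ["alice", "bob"], "alice": ["carol"], "bob": ["carol"], "carol": ["dave"]}
ATTEST = {"alice": "fp-A", "carol": "fp-A", "dave": "fp-B", "mallory": "fp-B"}

def hop_distances(trust_graph, me, max_hops=MAX_HOPS):
    """Breadth-first search: fewest trust hops from `me` to each reachable peer."""
    dist = {me: 0}
    queue = deque([me])
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue  # do not extend trust past the cut-off
        for peer in trust_graph.get(node, ()):
            if peer not in dist:
                dist[peer] = dist[node] + 1
                queue.append(peer)
    return dist

def check_certificate(trust_graph, me, attestations, presented_fp):
    """Return (verdict, weight per fingerprint) for the certificate a server presented."""
    dist = hop_distances(trust_graph, me)
    weights = {}
    for peer, fp in attestations.items():
        hops = dist.get(peer)
        if not hops:  # unreachable peers (None) and yourself (0) carry no weight
            continue
        weights[fp] = weights.get(fp, 0.0) + DECAY ** hops
    support = weights.get(presented_fp, 0.0)
    rival = max((w for fp, w in weights.items() if fp != presented_fp), default=0.0)
    if rival > support:
        return "mismatch", weights    # your peers mostly saw a different certificate
    if support >= THRESHOLD:
        return "trusted", weights
    return "unverified", weights      # nobody close enough has vouched for it

if __name__ == "__main__":
    for fp in ("fp-A", "fp-B"):
        print(fp, check_certificate(GRAPH, "me", ATTEST, fp))
```

An attestation from an unreachable peer adds nothing, so an attacker cannot raise a fingerprint's weight simply by publishing more attestations from identities nobody in your graph trusts.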
And it's the wrong solution. The solution is that I shouldn't have to send my credit card number to every retailer I want to do business with. The credit card companies and banks should have set up a system long ago so that I can send money to a retailer without having to divulge my private information to a non-trusted third party. PayPal offers something which is halfway in between. I can pay people without having to send them my credit card info. Unfortunately, I have to trust PayPal. It would make much more sense for the bank to be in control of this, since they have all the information anyway, and I would hope that they know how to keep it secure.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Yes HTTPS is flawed. Name one protocol that is not.
TELNET. Of course "flawless" means "meeting its design goals," it doesn't mean "suitable for any application."
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.