

Feel secure with SSL? Think again - javinpaul
http://blog.bintray.com/2014/08/04/feel-secure-with-ssl-think-again/

======
zokier
Linkbaity title, disingenuous article conflating bad use of tools with bad
tools while shamelessly advocating their own solution as a silver bullet. The
article has basically nothing to do with SSL.

------
prospero238
This is silly. Of course you can download malicious software using SSL.

It's like saying "Feel secure using SSL? Think again, a burglar can still
break into your home!"

The article's point about signed artifacts may be valid, but has nothing to do
with the click-baiting, FUD headline.

~~~
jbaruch_s
Look at Twitter. Everybody can't be happier because Maven Central is served
over SSL now. That's good. But if you can't verify what they serve you over
SSL, it is worth nothing. I'm glad you understand that. Most people seem not
to. Once you understand that, how can you verify the content? Bintray helps
with that, Maven Central makes it hard.

------
jvdh
TLDR version: SSL/TLS does not verify content. Maven Central allows users to
upload content, so you can obviously not link a certificate with that content.

Maven Central has users sign content with PGP keys. PGP keys are also a poor
means of verifying content. Especially if you have no other channel to verify
a PGP key.

These are all known things, and have been for quite a while. Apparently it is
news that users of Maven Central trust this to give them a false sense of
security.

