

How is SSL hopelessly broken? Let us count the ways (April 2011) - gmac
http://www.theregister.co.uk/2011/04/11/state_of_ssl_analysis/

======
gmac
I was moderately appalled to discover just now that Referer: headers are
included in cross-domain HTTPS requests. Bang goes using a CDN to lighten the
load on the secure areas of my server.

(Mozilla fixed the 'bug' that prevented this behaviour a long while ago:
<https://bugzilla.mozilla.org/show_bug.cgi?id=141641>)

------
MostAwesomeDude
So, um. These all sound like issues in the way we construct our web of trust,
and not in the actual cryptography underlying SSL/TLS. I'm not seeing any
alternatives or fixes proposed, just lots of criticism with no actual
direction.

"Encrypt everything," is what this researcher is saying; isn't the entire
point of SSL/TLS to encrypt everything? Am I missing something here?

