

How is SSL hopelessly broken? Let us count the ways - sasvari
http://www.theregister.co.uk/2011/04/11/state_of_ssl_analysis/print.html

======
willvarfar
The biggest gaping hole ever is that most of the CAs can be pressured by most
governments (and perhaps criminal enterprises) into giving out certificates if
push came to shove. Pretty much every government has at least one root cert in
their control, with which they can MITM each and every site ever.

I don't think this aspect really gets the attention it deserves, as all the
technical articles remain so technical. Its like not seeing the wood for the
trees.

My thought is to tie CAs to TLDs. If you want a certificate for a .uk domain,
go to one of a select band of CAs for that TLD. And don't get upset when the
British government ever does blantantly go snoop. But at least the Russians
would have to hack it to do likewise.

~~~
JoachimSchipper
You identify a real problem, but I'm not sold on your solution. There are lots
of British companies on .com; on the other hand, do you really believe the US
government wouldn't be able to get certificates for .uk (or, for that matter,
.ir)? If nothing else, consider <http://www.win.tue.nl/hashclash/rogue-ca/> (a
rogue CA, based on MD5 collisions) and the declining security of SHA-1...

Also, you have to be pretty good at security before using rogue CAs becomes
worthwhile. Most hosts are not very secure (even if you're not using
Flash/Adobe Reader, are you _sure_ your browser has no issues?) and people
carry convenient location and listening devices, commonly known as "mobile
phones", with them.

------
soult
I would just like to point out that Moxie Marlinspike is a hypocrite. Just two
years ago he cried foul when an ISP revoked his SSL certificate because he
provided falsified (whois) information [1][2], and now he cries foul because
ISPs don't do enough to protect against falsified information.

1:
[http://www.theregister.co.uk/2010/04/05/googlesharing_cert_r...](http://www.theregister.co.uk/2010/04/05/googlesharing_cert_revoked/)
2: [http://www.gandibar.net/post/2010/04/06/TheRegistercouk-
comm...](http://www.gandibar.net/post/2010/04/06/TheRegistercouk-comments-on-
gandi-s-removal-of-SSL-certificate-for-googlesharingnet)

