Ask HN: Is the SSL/Certificate Authority business a scam? - olalonde

A lot of websites that could otherwise use SSL encryption don't because web browsers issue scary warnings when an SSL certificate is not signed by a trusted Certificate Authority. SSL certificates can be expensive and not every website owner is willing to pay for something a lot of users won't even notice.

Don't get me wrong: I understand the use of Certificate Authorities for establishing trust relationships. However, I believe that this mechanism should be an additional layer on top of SSL (like it should be). Sometimes, simple encryption is good enough to prevent passive packet sniffing.

What do you think: is the SSL business a scam?
======
storborg
SSL is completely and utterly useless _without_ CAs. If there's no way to
verify and trust that a given certificate belongs to the website it is being
used on, any would-be-man-in-the-middle can just grab a random certificate and
use it to completely eliminate all of the security that SSL provides.

~~~
nailer
Sure, but CAs are useless unless they actually verify the identity of the
people they're giving certificates to.

Verisign is the largest CA in the world and gave a certificate to a guy asking
for a Microsoft certificate, without ever challenging him to prove his
identity.

Seeing as the signature in a digital certificate is legally binding in most
countries, there's no reason for Verisign to not be prosecuted for signing
something saying they verify or trust the identity of the random gent when
it's quite clear they did no verification and have nothing to base their trust
upon. Yet I doubt they'll ever be prosecuted for it.

~~~
nickf
They did, yes. It was a code-signing certificate, and it was a relatively long
time ago. You'd be hard pressed to do that again.

Mistakes happen and always will - lessons were learned, procedures tightened.
Nowadays getting, say, an EV certificate mis-issued would be hard. Not
impossible as of course documents can be faked, people social-engineered - but
it's definitely not as simple as just asking for a certificate anymore.

Also - most CAs have insurance policies that can be claimed upon in the case
that a mis-issued certificate is used and causes financial loss.

------
nickf
I don't think it's a scam, no. Disclaimer: 'it' pays my wages.

As another poster mentioned, encryption is worthless without having some kind
of validation of the other end-point you're communicating with. Granted, the
CA industry has made some mis-steps in this regard (domain-only validation
certificates as an example), but we're doing things to rectify this situation
albeit slowly (the CAB forum and EV 'green bar' certificates).

Not only that, while the cost for certificates I believe can be justified,
it's dropped significantly over the years to the point where even the labour-
intensive EV certificates can be had for more reasonable costs. Site owners
really should be factoring the cost of certificate(s) into the operational
costs of owning and running a site nowadays - just as they must with the
domain, hosting, dns, email etc.

That said people like Eddy Nigg and his company StartCom are driving down the
costs of certificates (something I know isn't cheap or easy). As another
poster mentioned, you can get some basic certificates for free, or for not
much more than the cost of a domain elsewhere. And with Eddy's efforts, yes -
they work in 'most' modern browsers. More power to him.

~~~
wmf
_Site owners really should be factoring the cost of certificate(s) into the
operational costs of owning and running a site nowadays - just as they must
with the domain, hosting, dns, email etc._

That's no problem for big sites, but it doesn't work for the "long tail". When
a domain costs $8/year and you can get Web hosting ranging from free to
$100/year, any paid cert starts to look disproportionately expensive. People
will not blindly accept spending close to 50% of their budget on security.

------
wmf
It was a scam, but now you can get free certs from StartCom.

~~~
olalonde
Are they trusted by all browsers?

~~~
nickf
StartCom were accepted into the Microsoft Root Program late last year, so they
work in 'most' modern browsers (IE, FF, Safari, Opera, Chrome etc.) They
unfortunately miss out on mobile devices, older browsers and a number of non-
browser SSL clients.

------
billpg
Hang on, this has been up for two hours and no-one's complained about the way
Firefox treats self signed certs yet. Normally we get six in the first hour.

------
billpg
Remember, if you can see a DNS request, you can be a man-in-the-middle. Until
that's fixed, CAs are still needed.