Hacker News new | past | comments | ask | show | jobs | submit login

SSL is ugly because of backwards compatibility with SSLv2. Version 2 and previous versions did not have a secure way to negotiate version, so Paul stuck the version in the RSA padding field. It was the best option under the circumstances, but definitely not preferable.

The other thing that makes it ugly are the huge numbers of cipher suites and reliance on certificates (and thus usually centralized CAs.) The cipher suite growth came about because of export controls and then Internet-standards groups not seeing a problem with adding vanity modes. The reliance on CAs can be worked around with using your own cert store or using TLS-SRP for authentication, which is sorely underused.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact