Why ssl certificates are a waste of time

filed under: /rants

The certificate security model peddled in SSL today is a joke, and here's why:

First of all, the supposedly trustworthy corporations that function as Certificate Authorities aren't. For example, it is not actually that hard to fool Verisign into believing that you represent Microsoft: in early 2001 VeriSign issued two code-signing certificates to someone who merely claimed to be a Microsoft employee (Microsoft Security Bulletin MS01-017). And because any CA in the browser's root store can vouch for any name, one careless CA is enough to undermine all the rest. As Lawrence Lessig points out, all of these "authorities" have adopted certificate security policies that enthusiastically disclaim any liability for any kind of mistake or incompetence whatsoever. Their interest is to sell as many certificates as possible, which aligns very poorly, if at all, with your interest in reliably identifying web servers.

An even worse flaw in SSL is that it is so poorly understood, by site operators and web surfers alike, that the legitimate warnings it generates are lost in an ocean of bogus errors and false alarms. Everyone browsing the Web is acclimated to random failures and error messages: broken links, server timeouts, and so on and so forth. So when a browser tries to warn of a forged certificate, the person clicks OK without reading, much less understanding, what went wrong.

Joe AOL doesn't know the difference between http and ftp, but we award him the responsibility to evaluate the trustworthiness of random certificates with signature chains that are seven links long, issued by distant corporations that he has never heard of. We did this to Joe because in about 1995, we were tripping over ourselves to get him to use his credit card on the Internet, so of course we did not want to make it sound like there was anything hard about Internet security.

I have operated SSL servers with untrusted certificates for more than four years, and I know the certificates have been used by about five hundred people. Exactly two of them have ever written to ask whether the certificate error was something to worry about. (Congratulations to Professors Zook and Fitzpatrick!)

When I run into a certificate problem myself, I ignore it, because I know that it is far more likely that the site operators have screwed up their certificate installations than that somebody is actually trying to fool me.

So we see that average users have not gained any meaningful security, because they do not understand certificates well enough to differentiate a false alarm from a real problem. Educated users have not gained any meaningful security either, because the system is too sloppy and we are forced to tolerate too many honest mistakes: an expired certificate, a missing intermediate, or a name that does not match the hostname produces the same scary dialog as an outright forgery. The only place where SSL has succeeded very well is in allowing sleazy companies like Verisign to sustain their business model of establishing a monopoly on some trivial service, then charging exorbitant rates. Last I checked, it cost more than $500 per year for a certificate signed by Verisign.
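Telling a false alarm from a real problem is possible, but only if you look at why the certificate was rejected rather than at the dialog box. The script below is an added example, not code from the original post. It mints throwaway certificates with the third-party `cryptography` package (assumed installed), serves each one on a loopback TLS socket, and checks it with the standard-library `ssl` client exactly as a browser would, reporting the OpenSSL verify code that caused the rejection. The CA name and the `example.test` hostnames are made up for the example.

```python
"""Tell a TLS certificate false alarm from a real problem.

Added example, not code from the original post.  Throwaway certificates are
minted with the third-party `cryptography` package (assumed installed) and
checked with the standard-library `ssl` client over a loopback handshake.
All hostnames and the CA name are made up for the example.
"""
import datetime as dt
import socket
import ssl
import tempfile
import threading

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime.now(dt.timezone.utc)
DAY = dt.timedelta(days=1)

# OpenSSL X509_V_ERR codes, as carried by ssl.SSLCertVerificationError.verify_code.
REASONS = {
    0: "verified: chains to a trusted CA and names this host",
    10: "honest mistake: certificate has expired",
    18: "self-signed leaf: nobody you trust vouches for it",
    20: "issuer not in your trust store",
    62: "hostname mismatch: valid cert, wrong (or impersonated) host",
}


def make_key():
    return ec.generate_private_key(ec.SECP256R1())


def make_cert(subject_cn, issuer_cn, issuer_key, pubkey, *, san=None,
              is_ca=False, not_before=NOW - DAY, not_after=NOW + 30 * DAY):
    """Build and sign one X.509 certificate (made-up names, test use only)."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(pubkey)
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if san:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(san)]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def verify_against(trusted_ca, server_cert, server_key, hostname):
    """Serve `server_cert` once on loopback, then connect as a client that
    trusts only `trusted_ca` and expects `hostname`.  Returns 0 on success
    or the X509_V_ERR code that made the client reject the certificate."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: f"{d}/{n}.pem" for n in ("ca", "cert", "key")}
        enc = serialization.Encoding.PEM
        with open(paths["ca"], "wb") as f:
            f.write(trusted_ca.public_bytes(enc))
        with open(paths["cert"], "wb") as f:
            f.write(server_cert.public_bytes(enc))
        with open(paths["key"], "wb") as f:
            f.write(server_key.private_bytes(
                enc, serialization.PrivateFormat.PKCS8, serialization.NoEncryption()))

        srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv.load_cert_chain(paths["cert"], paths["key"])
        cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
        cli.load_verify_locations(paths["ca"])

        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        listener.settimeout(5)

        def serve_once():
            try:
                conn, _ = listener.accept()
                conn.settimeout(5)
                with srv.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)
            except (ssl.SSLError, OSError):
                pass  # the client rejected our certificate; that is the point

        t = threading.Thread(target=serve_once, daemon=True)
        t.start()
        try:
            with socket.create_connection(listener.getsockname(), timeout=5) as raw, \
                    cli.wrap_socket(raw, server_hostname=hostname) as tls:
                tls.sendall(b"x")
            return 0
        except ssl.SSLCertVerificationError as e:
            return e.verify_code
        finally:
            t.join()
            listener.close()


def run_scenarios():
    """Four things a browser warning can mean, told apart by verify code."""
    ca_key, site_key, rogue_key = make_key(), make_key(), make_key()
    ca = make_cert("Example Test CA", "Example Test CA", ca_key, ca_key.public_key(), is_ca=True)
    site = make_cert("www.example.test", "Example Test CA", ca_key, site_key.public_key(),
                     san="www.example.test")
    expired = make_cert("www.example.test", "Example Test CA", ca_key, site_key.public_key(),
                        san="www.example.test", not_before=NOW - 30 * DAY, not_after=NOW - DAY)
    # What the post's own servers ran: a leaf that nobody in the trust store signed.
    self_signed = make_cert("www.example.test", "www.example.test", rogue_key,
                            rogue_key.public_key(), san="www.example.test")
    return {
        "valid": verify_against(ca, site, site_key, "www.example.test"),
        "expired": verify_against(ca, expired, site_key, "www.example.test"),
        "wrong_host": verify_against(ca, site, site_key, "mail.example.test"),
        "self_signed": verify_against(ca, self_signed, rogue_key, "www.example.test"),
    }


if __name__ == "__main__":
    for name, code in run_scenarios().items():
        print(f"{name:12s} -> {code:3d}  {REASONS.get(code, 'other failure')}")
```

The point of the exercise is the verify code, not the dialog: an expired certificate (10) or a hostname mismatch on an otherwise valid certificate (62) is almost always the operator's sloppiness the post complains about, while a self-signed leaf (18) or an issuer missing from the trust store (20) on a site that normally has a proper chain is the case worth worrying about. Real browsers fold all four into the same warning, which is exactly the problem.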

This is why I do not have one of their certificates: I pay for this site out of my pocket, and I have much better things to spend $500 on than snake oil.

23 Sep 2004 00:00 PT

Copyright © 2005-06 Michael A. Dickerson