Penalizing Unauthenticated SSL Certificates
August 5th 2008 10:14 am
Mozilla, like most responsible web browsers, pops up a warning if someone visits a secure web site where the site’s crypto credentials have not been countersigned by a recognized certificate authority.
In Slashdot, Chandon Seldon arues that the Mozilla SSL Policy is Bad For the Web., which links to material by Nat Tuck saying, again, Mozilla SSL policy bad for the Web. The argument is that this policy violates net neutrality by forcing people into a commercial venue if they want their secure connections to be user friendly. The commentaries find this especially troublesome for nonprofit organizations.
This is nonsense. Net Neutrality is about connectivity. SSL is about security and assured identification. Web browsers pop up a complaint about authentication when they can’t verify a site’s identity - that’s what the browser is supposed to do. SSL certificate management is the best affirmative defense in the Internet today and these suggestions will only weaken it.The ‘net neutrality’ argument doesn’t apply - net neutrality is about connectivity for *everyone* whether white hat, black hat, infamous, or anonymous. Connectivity has everything to do about sharing and communication and nothing to do with trust.
Browser-based SSL is all about trust. To argue otherwise is to argue that banks are unfair when subjecting employees to background checks.
Those of us who look at such things know that the GUI for trust is already pretty fragile - most people haven’t a clue what the word ‘authentication’ means in the context of the Internet, and lots of people probably click through self-signed certificates anyway.
The last thing we want to do is make it easier for phishers to masquerade as legitimate sites. If we make it easier to ignore or misread the signs of an unauthenticated SSL site, then we make it easier for phishers.
I wish there were a way for a legitimate non-profit to get a ‘free’ SSL certificate that works in existing browsers. In my experience, however, that’s not the main challenge - or expense - for non-profits who want to host web services.
Leave a Reply
You must be logged in to post a comment.