Tuesday, November 18, 2014

SSL Certificates For The People

SSL encryption on the web has turned into an orgy of corporate influence and government interference. Enabling the secure HTTPS protocol on your web site involves paying a small fortune to a "trusted" certificate "authority" for a certificate telling the world that you are who you say you are on the web.

Not only are certificates a scam that you have to pay into to have a secure web site, but all CA entities are trusted equally, even though some are shady as shit. Any CA can issue a certificate for any domain, and that certificate is automatically valid because it came from a "trusted" authority. That means some shady CA can issue a certificate for google.com, and any browser surfing to it will automatically trust that certificate. There have been lots of documented incidents where hackers and repressive regimes used forged certificates from a shady CA to implement man-in-the-middle attacks against users who thought they were browsing securely.

What's wrong with this picture: large corporations, given these CA contracts by politicians and with every web site on earth as a captive audience, are responsible for creating trust on the web.

As broken as SSL is, currently it's the only game in town. Right now the two biggest problems are:

1. Cost - Certificates are priced out of what small companies and individuals with web sites can afford to pay.

2. Trust - Most trusted certificate authorities don't seem that trustworthy, even though the entire system is based on their trust, which they sell for money.



Let's Encrypt


A new Certificate Authority has been created in conjunction with the EFF (Electronic Frontier Foundation) and a few other companies that give a flying fish about our privacy. It's a short list of good guys on the Internet, and the EFF is at the top of that list.

This site, when it goes live, will offer SSL certificates for free! A certificate I can afford from a CA that is actually trustworthy ... it doesn't sound right, but I'm excited that this may actually come to fruition.

Assuming it goes live, small blogs and shops like mine can now offer the safety of encryption without borrowing money from relatives to afford being gouged for the certificates we need to make it happen.



