Or so sayeth new research.

“So what?” you may very well ask. I don’t blame you; this is the problem with SSL in a nutshell. No one knows what it’s fucking for. People think “encryption” and “security”, because that’s what they’ve been told to think, except no, actually. SSL is for neither of those things.

The point of SSL–the original, why-we-have-this-system point–was to link an online presence with a real-world entity. The idea was that SSL certificates would be issued by a trusted third party, the Certificate Authority (CA), who would go out to a legitimate business and conduct an audit and interview, confirming that, a) they were a legitimate business, and b) that they actually owned the website they were attempting to procure the certificate for. SSL’s original use case, in other words, was to try and provide an assurance that, for example, commbank.com.au was, in fact, the actual site of the brick-and-mortar Commonwealth Bank.

Encryption (a.k.a. “security”) was a side-effect.

The fact that almost no one nowadays realises this–even a lot of people within IT and even INFOSEC struggle with it–is because SSL was broken pretty much as soon as it was implemented. Partly because the business model is bad (that’s another rant), but mainly because the system’s efficacy relies on end users–that’s you people–knowing how the system works. If you do not understand SSL–and almost no one does–then it is worse than useless.

That isn’t your fault, by the way; blame the people who implemented the architecture.

SSL is broken. And, sadly, there’s nothing you can do about it.