Like. Seriously. Nothing about it is good. It’s expensive, abstruse, unscalable, and confers few real-world security benefits to users because no one knows how it fucking works. And yes, the system relies on users understanding it in order to operate.
Case in point: when you visit, say, https://wordpress.com/, how do you know the page that loads for you is actually the actual WordPress site, as operated by Automattic, unadulterated by any malicious injected content?
Hint: it’s got something to do with the SSL certificate. And, no, it’s not just that the cert, i.e. the “HTTPS”, exists at all.
Second hint: At the time of writing, the internet connection I’m using intentionally breaks and interferes with my access to wordpress.com–and, in fact, almost all so-called “secure” sites–in a way that would be called a “man in the middle attack” if we weren’t doing it to ourselves. This occurrence isn’t even uncommon; I’d wager just about every medium-to-large corporate, government, or educational entity in the world does it to their staff/students.[1]
So. My question stands: how can you, The User, know this is happening? And if you don’t know, how can you trust a system that lies and deceives you so readily?
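One way to run the check the hints point at, as an added example that is not part of the original post: record the certificate's fingerprint and issuer from a network you trust, then compare them with what the current network presents. All certificate bytes and issuer names below are constructed stand-ins, and the function names are this example's own.

```python
import hashlib
import socket
import ssl


def issuer_summary(cert: dict) -> str:
    """Flatten the 'issuer' field of SSLSocket.getpeercert() to 'O=..., CN=...'."""
    fields = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    parts = (("O", "organizationName"), ("CN", "commonName"))
    return ", ".join(f"{short}={fields[name]}" for short, name in parts if name in fields)


def verdict(der: bytes, cert: dict, ref_sha256: str, ref_issuer: str) -> str:
    """Compare what this network presents against a reference noted elsewhere."""
    same_fp = hashlib.sha256(der).hexdigest() == ref_sha256.replace(":", "").lower()
    same_issuer = issuer_summary(cert) == ref_issuer
    if same_fp:
        return "match"
    # Sites rotate certificates, so a new fingerprint from the same CA is routine.
    # A different issuer is the signal that something re-signed the connection.
    return "same-issuer-new-cert" if same_issuer else "different-issuer"


def fetch(host: str, port: int = 443):
    """Live lookup. Validation still passes behind an intercepting proxy when its
    root CA is in the local trust store, so a clean handshake alone proves nothing."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


# Constructed sample data: stand-in bytes and issuer names, not real certificates.
REF_DER = b"constructed-leaf-from-trusted-network"
REF_SHA256 = hashlib.sha256(REF_DER).hexdigest()
REF_ISSUER = "O=Example Public CA, CN=Example Public CA R1"
PUBLIC_CERT = {"issuer": ((("countryName", "US"),),
                          (("organizationName", "Example Public CA"),),
                          (("commonName", "Example Public CA R1"),))}
PROXY_DER = b"constructed-leaf-minted-by-proxy"
PROXY_CERT = {"issuer": ((("organizationName", "Example Corp IT"),),
                         (("commonName", "Example Corp Web Proxy CA"),))}
```

On a live connection, pass the two values returned by `fetch(host)` to `verdict` along with the reference fingerprint and issuer.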
SSL is a hell of INFOSEC’s own making. If Heartbleed does nothing else, at least it’s forced out some acknowledgment of that fact.
[1] Note that’s “government” and “staff” not “government” and “public”. That being said, the technologies to intercept SSL are readily available so long as the “breaker” has the ability to position themselves in a direct line between the user and the site they’re trying to access. So corporate IT connections are easy, and technically ISPs and other infrastructure providers can do this too. Whether they actually do or not… well. YMMV on that one.