Quote:
Originally Posted by Bowser Koopa
Then you fail to understand the usefulness of HTTPS.
HTTPS is overhyped. It relies on the SSL certificate system which is flawed by design.
Let me explain.
The browsers have a list of root certificates which they trust. These root certificates are from certificate authorities.
Many people believe that they are safe - as long as they buy an expensive certificate from a costly high-end certificate authority with a good reputation.
The problem is that the browsers will trust the authenticity of a certificate as long as it is verified by any root authority. It means that if only one root certificate is compromised, then all certificates are compromised, including those certificates which were issued by other root authorities.
For example if some malware adds a fake root certificate to your browser, then all communication with HTTPS-protected sites is vulnerable to man-in-the-middle attacks.
So the "security" in SSL is way overhyped.
I think the real motivation behind Google's move is to force website owners to use certificates. That would give more turnover for the certificate authorities and it would also reduce privacy for website owners.
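As an added illustration (not part of the post above), the following Python script models the trust decision the post describes: a leaf certificate is accepted if any root in the store signed it, so adding one extra root flips the verdict for a host the legitimate CA never issued for, while pinning the expected issuer (a site-specific policy the browser's default check does not apply) limits the damage. It uses the `cryptography` library; all roots, keys and the host name are constructed for the demo and are not real CAs.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject, issuer, issuer_key, pub, is_ca):
    """Issue a minimal X.509 certificate for `subject`, signed by `issuer_key`."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name(subject)).issuer_name(name(issuer))
               .public_key(pub).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(issuer_key, hashes.SHA256())

def make_root(cn):
    key = ec.generate_private_key(ec.SECP256R1())
    return key, make_cert(cn, cn, key, key.public_key(), True)

def chain_ok(leaf, trust_store, pinned_issuer=None):
    """Browser-style rule: accept the leaf if ANY trusted root signed it; pinning may still reject."""
    for root in trust_store:
        if leaf.issuer != root.subject:
            continue
        try:
            root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                     ec.ECDSA(leaf.signature_hash_algorithm))
        except InvalidSignature:
            continue
        return pinned_issuer is None or root.subject == name(pinned_issuer)
    return False

def scenario():
    """Constructed CAs and leaves (hypothetical, not real); returns the four trust decisions."""
    legit_key, legit_root = make_root("Legit CA")
    rogue_key, rogue_root = make_root("Rogue CA")   # the extra root the post warns about
    real_leaf = make_cert("example.com", "Legit CA", legit_key,
                          ec.generate_private_key(ec.SECP256R1()).public_key(), False)
    fake_leaf = make_cert("example.com", "Rogue CA", rogue_key,
                          ec.generate_private_key(ec.SECP256R1()).public_key(), False)
    return {
        "real_leaf_clean_store": chain_ok(real_leaf, [legit_root]),
        "fake_leaf_clean_store": chain_ok(fake_leaf, [legit_root]),
        "fake_leaf_after_rogue_root_added": chain_ok(fake_leaf, [legit_root, rogue_root]),
        "fake_leaf_rogue_root_but_pinned": chain_ok(fake_leaf, [legit_root, rogue_root], "Legit CA"),
    }
```

The third result is the failure mode the post describes; the fourth shows that an issuer expectation recorded per site (pinning, or checking the issuer against published policy) catches it, which is why auditing the local root store and such per-site checks matter more than the price of the certificate.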