It's the certificate authorities issuing the certificates, e.g. RapidSSL, who have to do the work, not the webmasters.
Criminals are about to lose a reliable attack vector for malware infection and phishing, thanks to Google's Certificate Transparency initiative, which within a year will require the certificates websites present to be publicly logged. Stolen and mis-issued SSL certificates allow attackers to spin up malicious sites that pass browser …
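What a CT-enforcing browser actually checks for is a Signed Certificate Timestamp (SCT) from a log, most often embedded in the certificate itself. The Go program below is an added illustration, not part of the article or of anyone's comment: it decodes the embedded SCT list extension (OID 1.3.6.1.4.1.11129.2.4.2, RFC 6962) from a certificate's extension list and rejects malformed or truncated lists. The sample extension it builds is constructed for the demo, with fabricated log IDs, a fixed timestamp and a placeholder signature; no log signature is verified.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// OID of the embedded SignedCertificateTimestampList extension (RFC 6962, 3.3).
var oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// SCT is the decoded part of a SignedCertificateTimestamp (RFC 6962, 3.2): which
// log promised inclusion and when. The signature is kept raw; verifying it needs
// the log's public key, which this example does not carry.
type SCT struct {
	LogID     [32]byte // SHA-256 of the log's public key
	Timestamp time.Time
	Signature []byte
}

// parseSCT decodes the TLS encoding: version(1) log_id(32) timestamp(8, ms since
// epoch) extensions(2+n) hash_alg(1) sig_alg(1) signature(2+n).
func parseSCT(b []byte) (SCT, error) {
	var s SCT
	if len(b) < 43 || b[0] != 0 { // 0 is the only defined version (v1)
		return s, errors.New("sct: too short or unknown version")
	}
	copy(s.LogID[:], b[1:33])
	s.Timestamp = time.UnixMilli(int64(binary.BigEndian.Uint64(b[33:41]))).UTC()
	extLen := int(binary.BigEndian.Uint16(b[41:43]))
	if len(b) < 43+extLen+4 {
		return s, errors.New("sct: truncated")
	}
	rest := b[43+extLen+2:] // skip extensions and the two algorithm bytes
	if int(binary.BigEndian.Uint16(rest[:2])) != len(rest)-2 {
		return s, errors.New("sct: signature length mismatch")
	}
	s.Signature = rest[2:]
	return s, nil
}

// parseSCTList decodes a 2-byte total length followed by 2-byte-length-prefixed SCTs.
func parseSCTList(b []byte) ([]SCT, error) {
	if len(b) < 2 || len(b) != 2+int(binary.BigEndian.Uint16(b[:2])) {
		return nil, errors.New("sct list: bad outer length")
	}
	var out []SCT
	for b = b[2:]; len(b) > 0; {
		if len(b) < 2 || len(b) < 2+int(binary.BigEndian.Uint16(b[:2])) {
			return nil, errors.New("sct list: truncated entry")
		}
		n := int(binary.BigEndian.Uint16(b[:2]))
		s, err := parseSCT(b[2 : 2+n])
		if err != nil {
			return nil, err
		}
		out, b = append(out, s), b[2+n:]
	}
	return out, nil
}

// EmbeddedSCTs takes a certificate's extensions (cert.Extensions from crypto/x509)
// and returns its SCTs, or nil when the extension is absent: no proof of logging.
func EmbeddedSCTs(exts []pkix.Extension) ([]SCT, error) {
	for _, ext := range exts {
		if !ext.Id.Equal(oidSCTList) {
			continue
		}
		var raw []byte // the extension value is an OCTET STRING wrapping the TLS list
		if rest, err := asn1.Unmarshal(ext.Value, &raw); err != nil || len(rest) != 0 {
			return nil, errors.New("sct extension: malformed OCTET STRING")
		}
		return parseSCTList(raw)
	}
	return nil, nil
}

// sampleExtensions fabricates an extension list carrying n constructed v1 SCTs
// (fake log IDs, fixed timestamp, placeholder signature) for the demo below.
func sampleExtensions(n int) []pkix.Extension {
	var ms [8]byte
	binary.BigEndian.PutUint64(ms[:], uint64(time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC).UnixMilli()))
	var list []byte
	for i := 0; i < n; i++ {
		sct := append([]byte{0, byte(i + 1)}, make([]byte, 31)...)                   // v1, log ID i+1 padded to 32 bytes
		sct = append(append(sct, ms[:]...), 0, 0, 4, 3, 0, 4, 0xde, 0xad, 0xbe, 0xef) // no exts; sha256/ecdsa; 4-byte fake sig
		list = append(append(list, byte(len(sct)>>8), byte(len(sct))), sct...)
	}
	val, _ := asn1.Marshal(append([]byte{byte(len(list) >> 8), byte(len(list))}, list...))
	return []pkix.Extension{{Id: oidSCTList, Value: val}}
}

func main() {
	scts, err := EmbeddedSCTs(sampleExtensions(2))
	fmt.Printf("%d SCT(s), err=%v, first log %x...\n", len(scts), err, scts[0].LogID[:4])
}
```

To run it against a real server certificate, parse the leaf with x509.ParseCertificate and pass cert.Extensions to EmbeddedSCTs; an empty result is what a CT-enforcing client would refuse. Checking the SCT signature against the operator's published log key list is the step this example deliberately leaves out.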
You are still perpetually dependent on a single point of control with no meshing between others.
The irony was that SSL was never designed as proof of authenticity - all it ever was meant for was encryption. Full stop. The whole eco-system that hangs off the side of the authentication side of things is based on a false premise, and that's the sole single reason for this continuing to be a pain in the neck.
Yep. Every CA is a single point of failure.
So it's time to upgrade the Web to use distributed trust authorities. No single point of failure, the attacker has to compromise more than one independent trust authority to impersonate a site.
That's a central pillar of the M-Pin protocol (currently an IETF draft) and Milagro project (in incubation at Apache). Get on board and secure the web. And (by the way) secure the IoT!
"P.S. It's always possible to beat a Web of Trust with enough shills, and States are particularly well-resourced regarding identities and shills."
Right, but this is to stop criminals, not state actors. If a nation state wants your data really really badly, they can probably get it, even if they have to send round the heavy mob.
What about foreign states? This would be an excellent tool of espionage and subversion, and criminals can be sponsored by states or working for them as a plausible deniability angle. Bet you many of the Chinese hackers running today have state backing. Plus what about larger criminal enterprises which are virtually states unto themselves in terms of the power they can pull?
The authenticity bit is a major pain for me... I'd love to self-sign certificates and encrypt absolutely everything; but you have to cough up money (until recently) and bugger about with 3rd parties, none of whom I have any reason to trust and all of whom are tagging your visitors as part of the authenticity check.
(from topic 'The whole mechanism sucks')
"The whole eco-system that hangs off the side of the authentication side of things is based on a false premise, and that's the sole single reason for this continuing to be a pain in the neck."
And the INTERNET TOLLBOOTH, aka "certification authorities", the cottage industry that sprang up in response to the "need", is now ENRICHED by this *kind* of "decision".
Are we ANY SAFER? what about FIREWALL APPLIANCES that (literally) do a 'man in the middle' and issue their OWN root certificates?
And, HOW is Google going to 'enforce' a site being UNTRUSTED???
And then there are the SMALL TIME (and private) web sites that can issue SELF-SIGNED certificates. Will they be automatically downloaded and installed if the user SAYS to do it? Or will they AUTOMATICALLY be BLOCKED now, because, Google?
And those cottage industries.. the TOLLBOOTH industry... pay the TOLL, or YOU cannot PLAY!
Damn right. I had buried Do No Evil a long time ago and now I'm looking at the grave and feeling quite annoyed actually. Couldn't evil companies just stay evil and be done with it?
Okay, I will console myself by thinking that Google has a vested interest in this scheme since . . ummm . . . scammers don't use Google Ads. Yeah, that must be it.
What a relief, I almost thought I was going to regret something.
The web is NOT a safe place by design - virtually all web sites use so many external links and scripts that the entire process is a joke - this page on El Reg wants me to give it access to admedo.com, dpmsrv.com, google-analytics.com, googletagservices.com, and regmedia.co.uk - any one of these can slip something wet and nasty into my browser and beyond.
And El Reg is a relatively well behaved site - go to the commercial news sites and they can be asking me to give them access for 50+ sites. Hand me the diagonal cutters please.
Webmasters! Save yourself all this hassle and the possibility of being blacklisted on Google Search (99.98% marketshare) and Google Chrome (99.99% marketshare) with our new Google CA which takes care of everything for you and improves your pagerank. Just log into your Google account, ask for a certificate, and you will be automatically charged on your credit card. 10% discount if you use your Googlecard.
Excellent, one more reason for us to ignore certificate warnings. So now when my mother's favorite sewing site has certificate errors that she learns to ignore, it will make her so much safer when "the bank" that is asking her to verify her user information also has certificate errors.
All those in favour of forking the Internet, raise your hands.
Change the browser to forbid loading sites with certificate errors. Your mother should be prevented from going to a site that claims to be secure but is not. "http:" is for insecure sites, not "https:". Make the popup message read "This site is insecure but claims to be secure. We suggest you use Lynx to view it.".
Showing my age...