Most people have some awareness of SSL certificates, which are used extensively in ecommerce. A smaller subset of people understand email certificates, which are used to enable encrypted emails between individuals. Email certificates are cumbersome, requiring a download and then an exchange of certificates, and so there is limited adoption outside of the corporate world.
Awareness is not understanding, as Darkreading points out in "SSL Still Mostly Misunderstood":
"It has been a rough year for SSL, with the groundbreaking man-in-the-middle hack by researcher Moxie Marlinspike, which dupes a user into thinking he's in an HTTPS session when in reality he has been taken elsewhere by the attacker, as well as a demonstration by researcher Mike Zusman showing how several certificate authorities (CAs) themselves are vulnerable to attacks when issuing SSL certificates. And Dan Kaminsky at Black Hat USA exposed critical flaws in X.509 certificate technology used in SSL."
Forged certificates are a real problem: Forged PayPal certificate fools IE, Chrome and Safari.
The issuance of both email and SSL certificates is at best archaic. How do you know the certificate is legitimate? What if the certificate authority goes away? Thawte email certificates will die next month (see Slashdot), leaving their customers with the option of getting a free one-year certificate from VeriSign, which they will need to send to all of their contacts. It's a hassle.
DNSSEC is a complementary technology that can make SSL and email certificates truly trustworthy. Howard Eland of Afilias has a nice summary of how DNSSEC complements SSL here.
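The post does not name the mechanism by which a DNSSEC-signed zone can vouch for a certificate. The standard that later filled that role is DANE (RFC 6698): a TLSA record, protected by DNSSEC, pins either the server's certificate or its public key, and a client compares what it received in the TLS handshake against that record. The following is an added example, not code from the post or from Afilias, implementing the TLSA matching rules. All names (`TLSARecord`, `parse_tlsa`, `tlsa_matches`, the sample bytes) are my own, the certificate bytes are constructed placeholders rather than real DER, and the check only has value if the caller first confirmed that the DNS lookup validated under DNSSEC.

```python
"""Added example (not from the original post): DANE/TLSA certificate matching.

A TLSA record (RFC 6698) published in a DNSSEC-signed zone pins the server's
certificate or public key. This module implements the record's matching
logic. Certificate bytes below are constructed placeholders, not real DER; a
real client passes the DER it received in the TLS handshake, and must only
consult the record if the DNSSEC validation of the lookup succeeded.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

Cert = Tuple[bytes, bytes]  # (certificate DER, SubjectPublicKeyInfo DER)


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo only
    matching_type: int  # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse zone-file form, e.g. '3 1 1 <hex>' (hex may contain spaces)."""
    parts = presentation.split()
    if len(parts) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA field value")
    return TLSARecord(usage, selector, mtype, bytes.fromhex("".join(parts[3:])))


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """The bytes the record's data field is compared against."""
    selected = cert[0] if selector == 0 else cert[1]
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def make_tlsa(cert: Cert, usage: int, selector: int, mtype: int) -> str:
    """Presentation form an operator would publish for its own certificate."""
    return f"{usage} {selector} {mtype} {association_data(cert, selector, mtype).hex()}"


def tlsa_matches(rec: TLSARecord, chain: List[Cert], pkix_valid: bool) -> bool:
    """Does the presented chain (leaf first) satisfy the record?

    Usages 0 and 1 additionally require ordinary CA (PKIX) validation to have
    succeeded; usages 2 and 3 rely on the DNSSEC-signed record alone. For the
    trust-anchor usages (0, 2) this only checks that a matching CA certificate
    is present in the chain; verifying the chain's signatures up to that anchor
    is left to the caller.
    """
    if rec.usage in (0, 1) and not pkix_valid:
        return False
    candidates = chain[:1] if rec.usage in (1, 3) else chain[1:]
    return any(
        hmac.compare_digest(association_data(c, rec.selector, rec.matching_type), rec.data)
        for c in candidates
    )


# Constructed sample chain (placeholder bytes, not real DER).
SAMPLE_LEAF: Cert = (b"constructed leaf certificate DER", b"constructed leaf SPKI DER")
SAMPLE_CA: Cert = (b"constructed CA certificate DER", b"constructed CA SPKI DER")
SAMPLE_CHAIN: List[Cert] = [SAMPLE_LEAF, SAMPLE_CA]


def demo() -> Dict[str, bool]:
    ee = parse_tlsa(make_tlsa(SAMPLE_LEAF, 3, 1, 1))       # DANE-EE, SPKI, SHA-256
    ta = parse_tlsa(make_tlsa(SAMPLE_CA, 2, 0, 2))         # DANE-TA, full cert, SHA-512
    pkix_ee = parse_tlsa(make_tlsa(SAMPLE_LEAF, 1, 0, 0))  # PKIX-EE, full cert, exact
    # A certificate mis-issued by some CA for the same name: valid under PKIX,
    # but it does not match the pinned key, so DANE-EE rejects it.
    forged: Cert = (b"constructed forged leaf DER", b"constructed forged SPKI DER")
    return {
        "dane_ee_ok": tlsa_matches(ee, SAMPLE_CHAIN, pkix_valid=False),
        "dane_ee_rejects_forged": tlsa_matches(ee, [forged, SAMPLE_CA], pkix_valid=True),
        "dane_ta_ok": tlsa_matches(ta, SAMPLE_CHAIN, pkix_valid=False),
        "pkix_ee_without_ca_validation": tlsa_matches(pkix_ee, SAMPLE_CHAIN, pkix_valid=False),
        "pkix_ee_ok": tlsa_matches(pkix_ee, SAMPLE_CHAIN, pkix_valid=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `dane_ee_rejects_forged` case is the point of the post's forged-certificate worry: a certificate that a browser's CA list accepts still fails the DNSSEC-backed check because it does not carry the pinned public key. The `pkix_ee_without_ca_validation` case shows the converse for usage 1, where the record narrows an existing CA validation rather than replacing it.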
I find it frustrating that so few people, even in the technical community, understand the crying need for DNSSEC and how it makes existing security technologies better rather than replacing them. It will make all of our lives easier, save money and time, and help the world economy.