In message <Pine.GSO.4.58.0404281950200.9806@clifden.donelan.com>, Sean Donelan writes:
Not that SSL certificates are worth the paper they aren't printed on; I still find this vaguely disturbing. Just who do you think your computer is trusting?
http://www.websheji.com/domain-names/news/id506.html Bob Parsons, CEO of Go Daddy, said that Starfield Technologies, a subsidiary of the company, bought an unused root certificate, trusted by 99% percent of the browsers from ValiCert Inc more than a year ago has been developing the system since then.
I'm not that interested in SSL for web servers, but I have noticed a gradual increase in the number of mail servers willing to STARTTLS with mine. I was experimenting with trying to verify some of the certificates presented, its not real security, but makes the logs cleaner.
Matt Blaze said it well: "A commercial CA will protect you from anyone from whom they won't take money." Put another way, what's your threat model? Against what threats are you trying to defend yourself? Rob Seastrom seems to be trying to defend himself against passive eavesdroppers, for which SSL without certificate verification is an entirely adequate defense. If your concern is phishing, however, you need to check the certificate chain, the policies of the trust anchor (AKA "root CA"), and its reputation for actually enforcing those policies with proper verification. Verisign, for example, was fooled a few years ago by someone who claimed to be Microsoft -- but they had sufficient back-end verification that the spoof was detected. Is this good enough? What's your threat model...? --Steve Bellovin, http://www.research.att.com/~smb