SSL is holding back encryption on the Web

I have combined below two of my comments on a blog post over at http://www.owlfolio.org/htmletc/more-ssl-errors/ . I post them here as my own permanent copy.

Please stop treating self-signed certs as worse than no security! I still cannot understand why Mozilla treats a small increase in security as if it were a massive decrease. Give self-signed certs equal status with no security.

First of all, don’t let people use self-signed. Really, just don’t. There is no need for that.

You may not have a need but I do. This stubborn insistence on forcing encryption to be locked with identity verification has crippled the use of encryption on the web. Yes I understand the importance of the combination, but SSH handles the problem properly. The Perspectives extension takes the SSH model and adds another level of protection.

SSL certs are too much of a pain to get, set up and maintain. Small admin mistakes cause scary-looking errors for end users, often when no actual problem exists.

If I use a self-signed cert on my own website, I know I can trust it; I don’t need someone else to vouch for me! I can handle adding the cert in my browser, but my wife and family get freaked out, and the end result is that we must either teach them to ignore the error or not use encryption. Not exactly the ideal outcome.

Yes MITM happens, but it’s not exactly common. The Perspectives extension is one better way to handle it.

Encryption without authentication is not useless; it is far less valuable, but not useless. As long as I continue to see the same cert, I don’t need anyone else to ‘authenticate’ my site for me! The same goes for the internal site I set up for work. When I tell people “this is our intranet web site”, I am vouching for the authenticity of the site. No one else need get involved.

If I can be certain that the Amazon.com website is presenting me with the same cert it has presented me with the last 50 times I went there, I can be reasonably confident that it is the real Amazon.com. If I know other people elsewhere are seeing the same cert I can be even more confident.
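The two models the post leans on, SSH-style continuity (the cert I saw last time is the cert I see now) and Perspectives-style corroboration (other vantage points saw the same cert), can be sketched as a small trust-on-first-use pin store. This is an added example, not code from the post, from Mozilla, or from the Perspectives extension; the host name and the certificate bytes are constructed placeholders, and the `quorum` threshold is an assumption chosen for the illustration rather than anything the notary protocol prescribes.

```python
"""
Trust-on-first-use (TOFU) certificate continuity check with an optional
cross-vantage-point comparison. Added example in the spirit of SSH
known_hosts and the Perspectives notary model; not the post's own code.
The certificate bytes below are constructed placeholders, not real DER.
"""
import hashlib
from enum import Enum


class Verdict(Enum):
    FIRST_SEEN = "first_seen"  # no pin yet: record it and tell the user once
    MATCH = "match"            # same cert as before: continuity holds
    CHANGED = "changed"        # pin mismatch: hard failure until investigated


def fingerprint(der_bytes):
    """SHA-256 over the DER-encoded certificate, hex-encoded."""
    return hashlib.sha256(der_bytes).hexdigest()


class PinStore:
    """In-memory host -> fingerprint table, analogous to ~/.ssh/known_hosts."""

    def __init__(self):
        self._pins = {}

    def check(self, host, der_bytes):
        """Compare the presented cert against the pinned one for this host."""
        fp = fingerprint(der_bytes)
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = fp
            return Verdict.FIRST_SEEN
        return Verdict.MATCH if pinned == fp else Verdict.CHANGED

    def pinned(self, host):
        return self._pins.get(host)

    def accept_change(self, host, der_bytes):
        """Explicit operator action once a change is explained (planned renewal)."""
        self._pins[host] = fingerprint(der_bytes)


def notary_agrees(local_fp, notary_fps, quorum):
    """Perspectives-style corroboration: enough independent vantage points
    reported the same fingerprint we see locally. `quorum` is an assumed
    threshold for this illustration."""
    return sum(1 for fp in notary_fps if fp == local_fp) >= quorum


def simulate_visits():
    """Walk through the post's scenario: the same cert on repeated visits,
    then a different one, which the store flags rather than silently accepts."""
    store = PinStore()
    host = "intranet.example"                      # constructed host name
    cert_v1 = b"constructed-placeholder-cert-v1"   # stands in for DER bytes
    cert_v2 = b"constructed-placeholder-cert-v2"
    results = [store.check(host, cert_v1)]
    for _ in range(3):
        results.append(store.check(host, cert_v1))
    results.append(store.check(host, cert_v2))
    return results


if __name__ == "__main__":
    for i, verdict in enumerate(simulate_visits(), start=1):
        print(f"visit {i}: {verdict.value}")
    seen_locally = fingerprint(b"constructed-placeholder-cert-v1")
    reports = [seen_locally, seen_locally, fingerprint(b"something-else")]
    print("notaries agree:", notary_agrees(seen_locally, reports, quorum=2))
```

The design point is that a `CHANGED` verdict is a signal to investigate, not a prompt to click through: a pin store only adds security if a mismatch is treated as a failure until the operator records the new fingerprint deliberately via `accept_change`. The notary check covers the gap TOFU leaves on the very first visit, when there is no prior fingerprint to compare against.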