StartCom Web of Trust

September 16, 2006

SSL, DNS Poisoning/Pharming, Phishing and DNSSEC

Filed under: security, Uncategorized — startssl @ 4:02 am

I have been reading emails lately from several mailing lists, and oddly enough the same subject is being discussed from as many angles as there are mailing lists.  It made me think that I should actually put my thoughts down for people to read.

SSL has been touted as the answer to assuring a website's identity, and while there is no doubt that SSL can play a significant role, it is certainly not bulletproof, as is shown by this and this. For the sake of argument, though, we will ignore all the issues of assuring a company's identity. What SSL actually checks is narrower than most people assume: the browser verifies that the certificate presented by whatever server it reached was issued by a CA it trusts and carries the host name from the URL. It has no way of knowing whether the IP address it connected to is the right one, so if someone or something has modified your hosts file or poisoned your DNS, the only thing standing between you and the attacker's server is that certificate check, and the check is defeated the moment the user clicks through a name-mismatch warning or the attacker manages to obtain a certificate for the name. This problem is made a lot worse by the fact that DNS itself is NOT secure.

“SSL would work a lot better if DNS were secured”, you say? Well, it can be, but most people don't secure it. DNSSEC is designed to solve exactly this problem: zone data is signed, so a resolver that validates the signatures can reject forged answers. One caveat: the validation has to happen on a resolver you trust, or on the client itself; a stub resolver that simply accepts whatever an untrusted upstream returns gains nothing from the zone being signed. WikID is another choice, but it doesn't fix the DNS insecurity; it mitigates the threat by doing mutual authentication. I like DNSSEC because it can be done easily with existing software.

Another issue is that neither DNS nor SSL has any way to tell you that the site's address doesn't match the name the page is displaying. If a phishing site obtains an SSL certificate that matches its own domain name, something like https://myobviouslyfakeip-255-255-255-255.mynonexsisitantISP.com, and the page says “eBay”, the certificate is perfectly valid for that host and nothing in the protocol can flag the mismatch.
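To make the two points above concrete, here is an added example (not code from the original post) of what a TLS client actually compares: the host name typed into the browser against the DNS names in whatever certificate the server it reached presents. The matching rules are the RFC 6125 rules in simplified form (case-insensitive, wildcard only as the whole left-most label); the certificates are constructed Python dicts holding just those names, and the eBay and lookalike host names are taken from the text, so nothing here touches the network or parses real X.509.

```python
"""Added example, not from the original post: what a TLS client actually
checks when it compares the host name in the URL against a certificate.

Matching follows the RFC 6125 rules in simplified form: a case-insensitive
match against the DNS names in the certificate's subjectAltName, where a
wildcard may only replace the entire left-most label. The certificates
below are constructed dicts holding just those names; no network, no
real X.509 parsing.
"""

# Constructed sample certificates: only the subjectAltName DNS entries matter here.
EBAY_CERT = {"san": ["www.ebay.com", "ebay.com"]}
LOOKALIKE_CERT = {"san": ["myobviouslyfakeip-255-255-255-255.mynonexsisitantISP.com"]}
WILDCARD_CERT = {"san": ["*.example.com"]}


def _labels(name: str) -> list:
    # Normalise case and strip a trailing dot; DNS names are case-insensitive.
    return name.lower().rstrip(".").split(".")


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """Return True if hostname matches one of the certificate's DNS names."""
    host_labels = _labels(hostname)
    for name in san_dns_names:
        labels = _labels(name)
        if len(labels) != len(host_labels):
            continue  # a wildcard never spans several labels
        if "*" in name:
            # RFC 6125 6.4.3: one wildcard, only as the whole left-most label,
            # and never as broad as "*.com" (at least two labels must follow it).
            if name.count("*") != 1 or labels[0] != "*" or len(labels) < 3:
                continue
        if all(p == "*" or p == h for p, h in zip(labels, host_labels)):
            return True
    return False


def tls_client_verdict(typed_host: str, served_cert: dict) -> str:
    """What the client can decide. It never sees which IP address the
    resolver handed it; it only compares the typed name with the names in
    whatever certificate the server it reached presents."""
    if hostname_matches(typed_host, served_cert["san"]):
        return "ok"  # the real site, or a phisher with a cert for its own lookalike name
    return "warning"  # e.g. poisoned DNS sent us to a host holding the wrong certificate


if __name__ == "__main__":
    # Poisoned DNS: www.ebay.com resolves to the phisher's box, which can only
    # present the certificate it legitimately holds, so the name check fires.
    print("poisoned DNS ->", tls_client_verdict("www.ebay.com", LOOKALIKE_CERT))
    # The phisher's own host name with its own certificate: nothing to flag,
    # even though the page body says "eBay".
    print("lookalike host ->",
          tls_client_verdict("myobviouslyfakeip-255-255-255-255.mynonexsisitantISP.com",
                             LOOKALIKE_CERT))
```

The first call produces a warning, which is the only defence against a poisoned lookup, and it is exactly the warning users have been trained to click through. The second call is the phishing case from the text: the name check passes, because the check is purely about names, and the page content is never part of it.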

By default in several browsers, IE among them, revocation checking isn't turned on, which means a compromised or revoked certificate remains usable against those users until it expires.

Finally, because so many people don't trust certificate authorities, are too cheap, or whatever, and therefore choose to use self-signed certificates, users are conditioned to ignore warning boxes. This means not only that users will click through the very warnings meant to stop them, but that they have been trained to think the warning is not really a problem.

Now what about validating ownership of a domain: how does a CA validate that the person asking for the SSL certificate SHOULD be asking for it? You could try sending an email to the administrative contact listed in the domain's records, which only works if that address is published, still current and actually read. You could ask for some paper proof, if the name on the paperwork is the name of the person doing the requesting. But the only REAL way to check control of a domain is for the CA to register the domain itself, or for the requester to perform some administrative task on the domain that only its controller can perform.

If the requester were to transfer DNS hosting to the CA, that would prove control, and the CA could then secure the zone with DNSSEC, so the DNS would be safe as well. Another choice would be for the actual registration of the domain to happen at the CA.
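As an added example (not code from the original post), here is the "administrative task" form of validation from the two paragraphs above, carried a step beyond the text into the shape that was later standardised as the ACME DNS-01 challenge: the CA hands the requester a random token, the requester publishes it in a TXT record under the domain, and the CA looks it up. It also shows why the transfer-DNS-to-the-CA idea matters: if the CA's own resolver can be poisoned, the lookup proves nothing unless the answer is DNSSEC-validated. Everything is simulated: `FakeResolver`, `CAValidator`, the `_ca-validation` label, the `example.test` zone and the `authenticated` flag (standing in for the AD bit a validating resolver sets) are all constructed for this example.

```python
"""Added example, not from the original post: the "administrative task" form
of domain-control validation, in the shape later standardised as ACME's
DNS-01 challenge. The CA hands the requester a random token, the requester
publishes it in a TXT record under the domain, and the CA looks it up.

Everything here is simulated: FakeResolver stands in for the CA's recursive
resolver (its `authenticated` flag plays the role of the AD bit a validating
resolver sets), and the zone, domain name and the `_ca-validation` label are
constructed for the example.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Answer:
    records: List[str]
    authenticated: bool  # True only if DNSSEC validation succeeded (AD bit)


class FakeResolver:
    """Constructed stand-in for the CA's resolver, with a poisonable cache."""

    def __init__(self, zones: Dict[str, Dict[str, List[str]]], signed_zones: Set[str]):
        self.zones = zones
        self.signed_zones = signed_zones
        self.cache: Dict[str, Answer] = {}

    def poison(self, name: str, records: List[str]) -> None:
        # A spoofed response slipped into the cache. It carries no valid
        # RRSIG, so a validating resolver could never mark it authenticated.
        self.cache[name] = Answer(records, authenticated=False)

    def txt(self, name: str) -> Optional[Answer]:
        if name in self.cache:
            return self.cache[name]
        zone = name.split(".", 1)[1]  # toy rule: the zone is everything after the first label
        records = self.zones.get(zone, {}).get(name)
        if records is None:
            return None
        return Answer(list(records), authenticated=zone in self.signed_zones)


class CAValidator:
    def __init__(self, resolver: FakeResolver, require_dnssec: bool = True):
        self.resolver = resolver
        self.require_dnssec = require_dnssec
        self.pending: Dict[str, Tuple[str, str]] = {}

    def new_challenge(self, domain: str) -> Tuple[str, str]:
        """Issue a fresh unguessable token and tell the requester where to publish it."""
        token = secrets.token_urlsafe(32)
        name = f"_ca-validation.{domain}"  # hypothetical label chosen for this example
        self.pending[domain] = (name, token)
        return name, token

    def check(self, domain: str) -> Tuple[bool, str]:
        name, token = self.pending[domain]
        answer = self.resolver.txt(name)
        if answer is None:
            return False, "no validation record found"
        if self.require_dnssec and not answer.authenticated:
            return False, "answer is not DNSSEC-authenticated; refusing to trust it"
        # constant-time comparison, so a mismatching record leaks nothing about the token
        if any(hmac.compare_digest(r.encode(), token.encode()) for r in answer.records):
            return True, "domain control demonstrated"
        return False, "record present but token does not match"


def scenario(mode: str, require_dnssec: bool) -> Tuple[bool, str]:
    """mode: 'zone' (honest requester edits the zone), 'poison' (requester
    cannot edit the zone and instead poisons the CA's resolver), 'none'."""
    zones = {"example.test": {}}  # constructed signed zone controlled by the honest owner
    resolver = FakeResolver(zones, signed_zones={"example.test"})
    ca = CAValidator(resolver, require_dnssec=require_dnssec)
    name, token = ca.new_challenge("example.test")
    if mode == "zone":
        zones["example.test"][name] = [token]
    elif mode == "poison":
        resolver.poison(name, [token])
    return ca.check("example.test")


if __name__ == "__main__":
    for mode in ("zone", "poison", "none"):
        for dnssec in (False, True):
            print(f"{mode:6} require_dnssec={dnssec}: {scenario(mode, dnssec)}")
```

The "poison" row with `require_dnssec=False` is the weak configuration: an attacker who can get a forged answer into the CA's resolver passes the check for a domain they do not control, which is the same DNS insecurity the post describes, moved from the user's machine to the CA's. Requiring an authenticated answer closes that hole for signed zones, at the cost of refusing to validate unsigned ones, which is why hosting the zone at the CA (or signing it) and validating at the CA go together.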

1 Comment »

  1. I am extremely inspired by your writing skills and also by the format of your blog.
     Is this a paid subject or did you customize it yourself?
     Either way, keep up the excellent quality writing; it is rare to see a great blog like this one nowadays.

     Comment by Joey — March 27, 2014 @ 4:33 pm

