Comment Re:Bollocks (Score 2, Informative) 316
DING! DING! DING!
The most secure of systems can be brought down by a simple configuration error. TLS/SSL is certainly not to blame here. Instead it's individuals'/vendors' misunderstanding of the TLS/SSL protocol. First let's set one thing straight: it is not encryption at issue here - it is *authentication*. Plain-text SSL encryption has nothing to do with the vulnerability per se. The real problem is the browser's allowance of a "bilaterally anonymous SSL connection". In other words, the spoofer's SSL server requests that an authentication handshake is not necessary during the SSL negotiation protocol. That's certainly an allowable configuration option according to the TLS IETF specification, but just because it is defined does not mean it should be allowed, especially by default. But guess what, that's what the browser vendors have apparently done. BAD! And so easy to fix (about six words in OpenSSL).
But this also demonstrates a flawed manner of thinking about client-server trust in WWW computing. Often people assume that SSL protects your "sensitive data" from being pilfered. True in a sense (of course that data ends up sitting plaintext in a non-secure database somewhere overseas), but you can utilize that very same encryption within a bilaterally anonymous SSL connection, or in other words SSL/TLS encryption has almost nothing to do with certificates. The problem being missed is one of trust. SSL/TLS (in good practice) should be used to create an encrypted connection with a *trusted party*. What business does a browser have connecting to an anonymous server with SSL/TLS? It completely defeats the purpose of it.
The UI fakeouts aside, the one true way to fix this is to ensure that vendors configure their browsers to always require a valid certificate from a server when utilizing an SSL/TLS connection. It would be nice to provide some way to disable this feature for us more security initiated users, but the rest of the community would probably never care nor notice.
It would also be genuinely nice if users were educated by their browser during such security incidents. For instance, when the user is conducting an SSL negotiation with a nefarious server that offers up a certificate signed by an unknown or untrusted Certificate Authority, the browser should prompt the user to read very carefully the consequences of accepting the server certificate, and why it's not being trusted in the first place - vague dialogues breed bad user actions/reactions and the user is no wiser having clicked a button to make the annoyance go away. In short, hey vendors, don't allow the browsers to ever make SSL/TLS connections with an untrusted party!!!
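An added example, not part of the comment above: a client-side check, written with Python's standard `ssl` module, for the configuration the comment asks for (server certificate required, no anonymous cipher suites). The function names and the two sample cipher descriptions are constructed for illustration.

```python
import ssl

# Constructed samples in OpenSSL's cipher description format.
SAMPLE_ANON = "ADH-AES128-SHA  TLSv1 Kx=DH Au=None Enc=AES(128) Mac=SHA1"
SAMPLE_AUTH = "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"

def is_anonymous(description):
    """True if a cipher description shows no server authentication (Au=None)."""
    return "Au=None" in description.split()

def audit_client_context(ctx):
    """Return a list of findings; an empty list means the client insists on
    an authenticated server before any encrypted traffic flows."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    anon = [c["name"] for c in ctx.get_ciphers()
            if is_anonymous(c["description"])]
    if anon:
        findings.append("anonymous cipher suites offered: " + ", ".join(anon))
    return findings

def strict_client_context():
    """Client context that requires a valid, hostname-matching certificate
    and explicitly removes anonymous (aNULL) and unencrypted (eNULL) suites."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + hostname check
    ctx.set_ciphers("DEFAULT:!aNULL:!eNULL")
    return ctx

def lax_client_context():
    """The misconfiguration: encryption without authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False               # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL")                   # may admit aNULL suites, build-dependent
    return ctx

if __name__ == "__main__":
    for label, ctx in (("strict", strict_client_context()),
                       ("lax", lax_client_context())):
        print(label, audit_client_context(ctx) or "ok")
```

Whether the lax context actually lists anonymous suites depends on how the local OpenSSL was built, which is why the audit reads the context's real cipher list instead of assuming.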