Security

Submission: Open CA Authorities

trainman writes: "With the release of Firefox 3, those who have been using self-signed certificates for SSL now face a huge issue: the big, scary warning FF3 issues, which is very unintuitive for non-technical users. It seems Firefox is pushing more websites into the monopolistic arms of companies such as Verisign.

While there is good reason for CAs, to ensure the certificate a user is presented actually belongs to the domain you're visiting instead of being the result of DNS spoofing, most of the rationale for the need (and cost) to verify certificate applicants revolves around ensuring the applicant isn't simply trying to take advantage of domain typos or other social engineering exploits.

However, for smaller, especially non-profit groups, which will never have issues with domain typo scammers, this adds an extra and difficult-to-swallow cost. All the browser needs to do when visiting a site is ensure the certificate you're presented matches the domain you typed. Who that domain and certificate belong to is of no consequence. Surely a service such as this doesn't need the same level of scrutiny and cost, since all that is being done is verifying that domain and certificate match, not if the domain you've typed is the legitimate company you're seeking to contact. This extra hand-holding adds a tremendous cost and allows monopolistic companies such as Verisign to thrive.

Can organizations such as Mozilla not move towards a model that helps break this monopoly, helping establish a CA root authority that's cheap (free?) and only links the certificate to the domain, with no actual verification of who owns the domain? Leave that to the user."
