On 09/08/2013 09:33 PM, Dale wrote:
> Someone found this and sent it to me.
>
> http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations-020838711--sector.html
>
> I'm not too concerned about the political aspect of this but do have to
> wonder what this means when we use sites that are supposed to be secure
> and use HTTPS. From reading that, it seems that even URLs with HTTPS
> are not secure. Is it reasonable to expect that even connections
> between say me and my bank are not really secure?
The CA infrastructure was never secure. It exists to transfer money away from website owners and into the bank accounts of the CAs and browser makers. Security may be one of their goals, but it's certainly not the motivating one.

To avoid a tirade here, I've already written about this:

[1] http://michael.orlitzky.com/articles/in_defense_of_self-signed_certificates.php
[2] http://michael.orlitzky.com/articles/why_im_against_ca-signed_certificates.php

Warning: they're highly ranty, and mostly preach to the choir in that I don't give a ton of background.

The tl;dr is, use a 4096-bit self-signed certificate combined with pinning. It's not perfect, but it's as good as it gets unless you plan to make a trip to each website's datacenter in person.
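The "4096-bit self-signed certificate combined with pinning" recipe above, as an added example that is not part of the original post or of the linked articles: it generates a 4096-bit RSA key and self-signed certificate with openssl, derives a public-key (SPKI) pin in the sha256/base64 form that HPKP and curl's --pinnedpubkey use, and checks a presented certificate against a stored pin. The hostname example.test and the output directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed 4096-bit RSA
# certificate plus SPKI pinning with nothing but openssl.
set -eu

# Generate a 4096-bit RSA key and a one-year self-signed certificate for
# the given hostname (hostname is an assumption; use your own).
# Prints the path of the certificate.
make_selfsigned_cert() {
    host="$1"
    outdir="$2"
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 365 \
        -subj "/CN=$host" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" 2>/dev/null
    echo "$outdir/cert.pem"
}

# SPKI pin = base64(SHA-256(DER SubjectPublicKeyInfo)). Pinning the public
# key rather than the whole certificate survives a re-issue with the same
# key (new expiry, new serial) while still rejecting any other key.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64
}

# Client-side check: does the presented certificate carry the pinned key?
# Returns 0 on match, 1 on mismatch.
check_pin() {
    cert="$1"
    expected="$2"
    [ "$(spki_pin "$cert")" = "$expected" ]
}

# Returns 0 if the certificate's RSA key is 4096 bits, 1 otherwise.
is_4096_bit() {
    openssl x509 -in "$1" -noout -text | grep -q '4096 bit'
}

# Stand-alone demo: ./pin.sh demo
if [ "${1:-}" = "demo" ]; then
    dir="$(mktemp -d)"
    cert="$(make_selfsigned_cert example.test "$dir")"
    pin="$(spki_pin "$cert")"
    echo "certificate: $cert"
    echo "pin:         sha256//$pin"
    is_4096_bit "$cert" && echo "key size:    4096 bit"
    check_pin "$cert" "$pin" && echo "pin check:   OK"
fi
```

Once the pin is recorded out of band (the "trip to the datacenter" the post alludes to, or any channel you trust more than the CA system), a client can enforce it without trusting any CA at all, for example `curl --pinnedpubkey "sha256//$pin" https://example.test/`. The caveat is the one the post already gives: the first fetch of the pin is exactly as trustworthy as the channel it came over, and rotating the key means redistributing the pin.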