Tuesday, December 13, 2016

Are SSL certs really needed?

When I go to a well-known site like google.com or amazon.com, my main trust factor is a correctly spelled domain. On top of that, if all that is needed to establish a secure connection is a key pair generated by the correctly addressed domain, what is the added value of a third party's signature on, say, Google's public key?

Perhaps the only valid defense is that they guard against a compromised DNS server or router, but it seems kinda overkill, especially when nobody is really guarding the integrity of your computer and browser software.

Sure, they do provide added security, but my point is whether it really addresses the weakest link in this connection. Can anyone hack your ISP's DNS or router? It is pretty hard and rare these days. The weakest link, however, by far, is your own browser, where you could be seeing a fake address and a fake green light. Now, a virus that can do that is not that hard to build, and we all know there are millions upon millions of people infected with computer viruses right now. How many are using a hacked DNS or a compromised router?

