Hi malware fighters,
According to this man it is time to bury SSL altogether.
re:
http://blogs.securiteam.com/index.php/archives/1228
The problem with SSL is that checking someone's identity is a futile business now.
In the past it could take quite some time before a firm was passed a certificate,
but times have changed in this respect.
"Today it is not easy to prove who "you" are.
Firms have various websites for various purposes,
and it is not easy to withhold a certificate on the same grounds.
But the situation is even worse: SSL-certificates are abused to such an extent,
that users seemingly do not care any longer."
Aviram notices that for the larger part users ignore CA error messages.
"SSL-certificates are broken, and have been so for a long time,
not because of an ingenious attack.
The fact that there is an effective crypto-attack
can only help to finally bury this relic,
and help towards finding another solution."
polonus