There have been some discussions recently on the subject of net neutrality. That got me to thinking about a recent report of 9,000 SSL certificates being revoked because of an error made by the certificate issuer, and the consequences of compulsory use of HTTPS as regards the Web being a free and open place.
Basically, if at some point in the future all websites have to use HTTPS, then all websites are dependent for their existence on an SSL certificate, because with no certificate there is no HTTPS, and therefore no website.
The certificate issuer, GoDaddy, reckons they need to revoke all of these certificates in the interests of security. Yet, the security issue involved is that of man-in-the-middle attacks, a category of attack for which, as I and many others have pointed out, there is very little real-world evidence. The places where this would be a genuine concern are with online banking, credit card sales or the like. Yet, only a tiny proportion of websites engage in such activities.
I suppose it could be said that any given website is dependent on the registration of a domain and on hosting space, and that either could be revoked if the site is engaged in malpractice. That is true; however, such domain or hosting-space suspension would only take place where some kind of malpractice was demonstrably involved. It would be unheard-of for nine thousand hosting accounts to be suspended all at once.
The root of the issue would seem to be that applying banking-standard security to all websites means treating all websites as if they were banks. The certificate issuer doesn't, after all, know which certificates are being used for money transactions and which purely for the sake of meeting Google's site-ranking demands. Unfortunately, that is bound to have an adverse impact on the sites which are not handling money. Any issue which demands swift action in the interests of banking security will hit them as well.
The lowdown of this particular case seems to be that the certificate issuer requires webmasters to put a special code on the site which identifies it as the one referenced in the certificate. However, the certificate provider's own software for checking this code was faulty, and as a result certificates were issued to sites where the code was not present, or had not been correctly set.
Now, I know there will be those extrapunitive individuals who will say it was the webmasters' fault for not setting the code correctly, but hey, who says that the certificate provider has the right to make such demands? Or, if they do have the right to make such demands, how far does their remit extend in that respect? Could a certificate issuer refuse a certificate unless the site complies with virtually any arbitrary demands of their own making? Well, in principle, I don't see what stops them.
If HTTPS were optional that might be one thing, but it seems that in the near future it may no longer be optional.
The root of the problem, of course, is that HTTPS is designed for high-security websites. When it is instead applied to all websites regardless of need, the existence of any noncompliant sites or encryption certificates degrades the security of the whole. Thus, to satisfy the needs of the few sites which do need high security, draconic regulation of the entire World Wide Web becomes necessary.
It doesn't bode well for the principle of net neutrality.