Re: [TLS] Eleven out of every ten SSL certs aren't valid

Seth David Schoen <schoen@eff.org> Wed, 30 June 2010 22:40 UTC

Date: Wed, 30 Jun 2010 15:40:31 -0700
From: Seth David Schoen <schoen@eff.org>
To: tls@ietf.org
Message-ID: <20100630224031.GB543@sescenties>
References: <E1OTVaY-0004g3-OW@wintermute02.cs.auckland.ac.nz> <20100629163354.GR11785@oracle.com> <AANLkTim6sYWlPSRUwYHP4UfkUNkfiVQ7xbj28fF6fOmz@mail.gmail.com> <20100629193416.GU11785@oracle.com> <AANLkTilF3TZn4DcjTmoKrv3Zcp441oyvWp-E9aJmH5hF@mail.gmail.com> <20100629204614.GX11785@oracle.com> <AANLkTinByiAIx1Pg4khiXLPb9KMexp2UUoZB7ikLzd6f@mail.gmail.com> <20100629212411.GZ11785@oracle.com>
In-Reply-To: <20100629212411.GZ11785@oracle.com>

Nicolas Williams writes:

> In particular it's important to distinguish sites that serve HTTPS just
> because from sites that serve HTTPS because they really ought to, and
> from sites that serve HTTPS as part of being attack sites.
> 
> If it turns out that 97% of sites that accept credit card payments have
> invalid certs (in some way or another), then we'd definitely have a
> problem.  I suspect that's not the case though.

In an earlier message in this thread you suggested that "sites that
ought to be using HTTPS with valid certs" were "banks, payment sites,
shopping sites that accept credit cards, etcetera".

I think one of the most positive developments of the past two years
has been the increased recognition that financial information is
not the only information that is private or sensitive, and hence not
the only information that should be protected with HTTPS.  Thus we
have HTTPS available for webmail, search engines, social networking,
an encyclopedia, blogging and microblogging platforms, government
agencies, newspapers, and direct-to-consumer DNA testing services.

Many Internet users regularly give their credit cards (complete with
CVV2!) to strangers in stores and restaurants, maybe a half-dozen
times a day, but would never want the people they encounter in their
daily lives to know what they search for on Google or Wikipedia.  We
can make a lot of progress for privacy and information security by
further breaking the reflexive association between HTTPS and credit
card numbers and the stereotype that there's only one kind of web
site for which HTTPS is appropriate.