Re: [TLS] Eleven out of every ten SSL certs aren't valid

[Martin Rex <mrex@sap.com>]

Seth David Schoen wrote:
> 
> Nicolas Williams writes:
> 
> I think one of the most positive developments of the past two years
> has been the increased recognition that financial information is
> not the only information that is private or sensitive, and hence not
> the only information that should be protected with HTTPS.  Thus we
> have HTTPS available for webmail

*Cough*  you mean like the www.hotmail.com login page?

There are also a number of webmail hosters that restrict the usage
of TLS to the login procedure.


>
> search engines,

Which of the default search engines or search toolbars use HTTPS?
(btw. https://www.bing.com also hits the wrong akamai servers).

I'm actually more concerned how google snoops my searches
(e.g. with redirecting all hits through itself).

https://www.google.com  calls itself "beta", and doesn't seem to
use Web 2.0 yet.  Security would go down the drain if you would
use the service that is offered at http://www.google.com under
TLS protection because of Web 2.0 -- an attacker could determine
what you type by simple traffic analysis of the encrypted server replies.


>
> social networking,

Oh yeah, it is very important that the stuff you publish on facebook
is only visibible to its x00 million users and not the rest.  :)


>
> an encyclopedia, blogging and microblogging platforms, government
> agencies, newspapers, and direct-to-consumer DNA testing services.

As long as providing content under TLS protection requires a significant
investment on the side of the content provider, it will only happen if
there is a business model to charge those costs back to the consumers/users.

Currently, even those who charge keep a significant amount of their
content outside of the TLS-protected area.


-Martin