[cryptography] SSL is not "broken by design"

Andy Steingruebl andy at steingruebl.com
Mon Sep 19 11:53:55 EDT 2011


On Sun, Sep 18, 2011 at 2:01 PM, James A. Donald <jamesd at echeque.com> wrote:
>
> SSL fails at low security stuff in that it allows phishing,

<snark>
You know what else fails at fighting phishing?

- The locks on my car door
- The fence surrounding my house
- The full disk encryption on my laptop

</snark>

SSL wasn't designed to stop phishing; if sites don't deploy it with
mutual-auth it can't possibly do so.  Saying it is a failure because
it doesn't stop that ignores the problem it is designed to solve, or
at least some it could credibly claim to solve.

SSH doesn't solve phishing either.  Is it a total failure also?  I
don't think so.

SSL is used for a lot more than HTTPS.  Any proposal to "fix" it
*must* take that into account.

- Andy


