Trouble is:
a) the CAs themselves are not trustworthy; through incompetence or intentional betrayal of their clients they have often been found to give out certificates that claim to be trustworthy and representative of a given organization when in fact they're totally bogus.
b) There is something to be said for treating AUTHENTICATION distinctly from PRIVACY/SECURITY. You could hash / sign the message packets to ensure that they've been secured against en route modifications between the endpoints of the connection as well as to ensure that the contents of the messages are private against interception between the communication endpoints. This has some value even if the authenticity of the endpoints of the communication isn't totally confirmed. I could be browsing something like a job search or personals forum or medical issues forum or something and the fact that it is encrypted would be helpful in assuring my privacy, so that my ISP or employer or whoever isn't snooping on my interactions.
Sure you could always do a man-in-the-middle impersonation attack to forge the identity of a site if that site isn't authenticated and validated by some globally trusted source(s), but that takes some explicit and somewhat complex actions to do. Without encryption you have zero privacy against even the most rudimentary packet sniffing or packet alterations / session hijacking et al. anywhere along the path the data takes. I may be willing in many cases to have less than perfect authentication of a site but still want some probably enhanced chance of privacy in my communications with that site.
c) It is pretty much a scam in that you're paying to register a domain, so there's no good reason why you shouldn't "automatically" be able to have web sites or other services in that domain be automatically thought of as trustworthy relative to that domain being the origin of the data. To basically say that you have to pay for another registration just to take full (https) advantage of a domain that you're already the registered owner of is nonsensical. If the DNS services point to your hosts and the DNS records record a given entity as being the domain's owner then it is reasonable to assume that https://www.domain.com is indeed an "official" host for the domain it has. If we don't trust DNS or domain registrars then why do we use those systems or insecure protocols / organizations at all? What is the point of "whois" data on a domain if we assume that it is all meaningless? Why not have DNSSEC or whatever if we can't trust the host you're actually contacting / looking up is the authentic host? None of this actually saves you if the web server / database is hacked into anyway since the individual pages themselves aren't "signed" by the CA, only the overall site's certificate. Plenty of "trustworthy" sites like Myspace / Facebook / Yahoo / whatever have been hacked so they're actually serving malicious web content even though the link is certified to be "authentic and encrypted" with HTTPS / SSL and a CA signature for the web site itself.
IMHO ALL web pages of ANY sort should be delivered over HTTPS just for the privacy / security improvements that offers. I do not think there's anything inherently wrong with doing that via self-signed certificates, though, since paying exorbitant and recurring rates to a CA just for a fully automatic certificate signing (that itself isn't really any better guarantee of security than having it absent) is a scam and certainly isn't affordable for most anyone except commercial entities. The CA signing fee per year exceeds the average per capita income of several nations on earth; asking hundreds of dollars in fees just to "secure" your web site is another demonstration of the misguided and elitist nature of the internet which should instead be the very perfect vehicle of equal / (nearly) free speech.