Dear Google,
Please democratize SSL certificates. The ability to serve HTTPS:// pages without scaring users is currently controlled by a handful of “trusted authorities” whose business is to make it difficult to secure web communications. Google, you have the ability to disrupt this oligarchy and empower individuals to make the web safer.
The web is a safer place when information passed between browsers and web servers is encrypted — that is when URLs start with HTTPS instead of HTTP. The recent introduction of FireSheep demonstrated to the world just how insecure normal (HTTP) web communications are — anybody on your network with a simple browser plugin can impersonate you. In fact, FireSheep democratized the ability to steal session authentication by bundling it up in a manner that is easily used by the masses. Google’s own proposed SPDY protocol, whose primary goal is to make the web faster, is willing to slow down in the name of security. “Although SSL does introduce a latency penalty, we believe that the long-term future of the web depends on a secure network connection.” We all want a safer web, so please help us achieve that by making it easier to set up HTTPS on our web servers.
There is no technical challenge here. All modern browsers and servers are capable of safely encrypting the information passed between them. Encryption protects users against eavesdropping and session hijacking à la FireSheep. Today’s challenge to secure web communications does not lie in the encryption, but in the authentication. The HTTPS protocol begins with the server presenting its security “certificate”, which is meant to assure the user they have not reached an imposter web site. This assurance is provided courtesy of the oligarchy of trusted certificate authorities, for a fee and a hassle. Alternately, servers can present a “self-signed certificate”, which provides equally good encryption but no assurance that the server is who it claims to be. But instead of recognizing self-signed certificates as being safer than no security at all, today’s popular browsers do their best to terrify and/or inconvenience users when visiting sites with self-signed certificates. Certainly there is some value in authenticating the web server, but is that value worth the cost of allowing eavesdropping and session hijacking on the vast majority of web sites? I think not.
The current standard practice is backwards. An HTTPS request to a server using a self-signed certificate offers encryption but not authentication. This is clearly safer than a plain-text HTTP request, which offers neither encryption nor authentication. But browsers tell users that self-signed certs are worse than unsecured communications. (Chrome is actually worse than others.) Deploying SSL on a commercial scale is also complicated by shared IP addresses for multiple sites, which again interferes with authentication, but not encryption. The certificate verification UI already demonstrates varying levels of trust as shown below. But self-signed certificates which offer encryption without authentication are incorrectly indicated. Let’s remove the simple barriers which are preventing encrypted web communications.
The best technical path to fix this mess is immaterial here — many options exist. Changing browser behavior to make self-signed certs less scary is one path, although it’s not a complete solution because of the legacy of every installed browser. A new free service that signed anybody’s certificate with a trusted cert would work, provided that company had sufficient clout to get their root cert recognized. (Google, you can do this.) Empowering any domain registrar to sign SSL certs also makes sense, since they’re the ones ultimately authenticating who owns a domain. This choice wouldn’t immediately bring certificate prices to zero, but it would greatly accelerate the trend we already see of falling prices. Perhaps a Bloom filter similar to what Chrome uses to identify malware sites could differentiate those sites whose identity has actually been verified through stricter measures, where self-signing should not be trusted. A deeper technical analysis is needed to determine the best tactics, but clearly Google has both the necessary skills and the level of influence needed to effect this change.
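To make the split between encryption and authentication concrete, here is an added Go example; it is not part of the original letter and is not code from Google or any certificate authority. Using only the standard library, it builds three certificates and runs the same chain-building check a browser performs before it decides whether to warn: a self-signed certificate against an empty trust store (the default case the letter complains about), the same certificate after the user has pinned it, and a certificate issued by a constructed "free root CA" that the trust store recognizes, which is the model of a free signing service with a recognized root. The last case is also checked against a different hostname to show what the authentication step actually protects against. The hostnames, the CA name and the scenario labels are constructed for the example. The TLS handshake would encrypt the channel in every one of these cases; only this verification step differs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"time"
)

var serial int64 // constructed serial counter so every certificate is unique

// newCert creates a certificate for host. With parent == nil the certificate is
// self-signed (the key signs its own certificate); otherwise it is issued by
// parent using parentKey, which is the "trusted authority signs it" model.
func newCert(host string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A server certificate names the host it is valid for.
		tmpl.DNSNames = []string{host}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verdict mirrors the browser's decision: build a chain from the presented
// leaf to a trusted root and check that the name matches the host visited.
// It returns "trusted", "unknown-authority", "name-mismatch" or "invalid".
func verdict(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var unknown x509.UnknownAuthorityError
	var hostname x509.HostnameError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &unknown):
		return "unknown-authority"
	case errors.As(err, &hostname):
		return "name-mismatch"
	default:
		return "invalid"
	}
}

// scenarios runs the cases discussed in the letter and returns the verdict
// for each, keyed by a constructed scenario label.
func scenarios() (map[string]string, error) {
	const host = "shop.example" // constructed hostname
	selfSigned, _, err := newCert(host, false, nil, nil)
	if err != nil {
		return nil, err
	}
	root, rootKey, err := newCert("Free Root CA (constructed)", true, nil, nil)
	if err != nil {
		return nil, err
	}
	issued, _, err := newCert(host, false, root, rootKey)
	if err != nil {
		return nil, err
	}
	empty := x509.NewCertPool() // no recognized roots at all
	pinned := x509.NewCertPool()
	pinned.AddCert(selfSigned) // the user explicitly trusted this one cert
	trustRoot := x509.NewCertPool()
	trustRoot.AddCert(root) // the free CA's root is in the trust store
	return map[string]string{
		"self-signed, default trust store":   verdict(selfSigned, empty, host),
		"self-signed, pinned by the user":    verdict(selfSigned, pinned, host),
		"issued by trusted root":             verdict(issued, trustRoot, host),
		"issued by trusted root, other host": verdict(issued, trustRoot, "other.example"),
	}, nil
}

func main() {
	results, err := scenarios()
	if err != nil {
		panic(err)
	}
	names := make([]string, 0, len(results))
	for name := range results {
		names = append(names, name)
	}
	sort.Strings(names)
	for _, name := range names {
		fmt.Printf("%-38s %s\n", name, results[name])
	}
}
```

The first scenario is the one browsers turn into a full-page warning, even though nothing about the channel is weaker than in the third. The fourth shows the one thing the authentication step does buy: a certificate issued to one name is rejected when presented for another, which is the imposter case the letter acknowledges.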
Additionally, Google uniquely has the motivation to make the web safer. Google long ago recognized the value of primary demand stimulation — more web use means more web searches which means more advertising revenue for Google. Open standards do not advance without leadership from selfishly interested parties. The state of SSL certificates mirrors a political situation that desperately needs legislative intervention — a special interest group (the root certificate authorities) has a strong financial incentive to maintain status quo, even though every individual marginally benefits from the change. Google is the company that stands to benefit the most from a safer web. So please Google, act now to bring democracy to the safe exchange of information on the web by enabling anybody to freely secure their web traffic.