"Basically, the current CA system is - again, to put this as gently and politely as possible - fucking broken. Anything that forces the world to rely on it exclusively is not a solution, but is instead just going to make the problem worse."
Please keep that fact - that the CA system is, as I put it with all the gentleness and politeness it deserves, "fucking broken" beyond any repair - in mind.
(And no, "the CA system is fucking broken" is not an opinion; it is a verifiable fact, as much as the concept of gravity is a verifiable fact)
Just on my Debian box there are 173 entities (along with all their employees, disgruntled employees, hackers, and probably governments) who can sign a certificate for google.com that my computer will accept. I can think of five cases in as many years off the top of my head of a fake google.com (or related) certificate being found in the wild by Google because of various levels of CA incompetence and/or fraud.
Worse yet, this bungled attempt at authenticity has been awkwardly nailed to the much simpler (and in most cases much more important) question of cryptographic security, with the result that going through the absurd charade of convincing a CA of my identity is required simply to offer a client the assurance that I, whoever I may be and however much the client does or doesn't trust me, actually sent the message the client received and that nobody in transit could read it.
The idea of having to trust a central authority for verification is the root cause of the vast majority of the brokenness; it means that proper TLS-based security for the web is not only financially prohibitive for even individuals in developed nations, let alone developing (with very few exceptions in the CA space providing cheap or free certificates), but is also a single-point-of-failure in terms of security.
Nowadays, we have this magical thing called a "blockchain" that can be used for everything from currencies (Bitcoin) to domain names (Namecoin); with some further refinement, using a blockchain as a certificate authority would fix both problems right away.
I certainly agree it should be replaced, but I think it's a bit off the mark to say that self signed certificates should be trusted the same as CA signed ones (something that badrami was suggesting throughout the thread). Yes, certificates insufficiently identify a site's owner but self signed certificates are as bad as a CA's worst case scenario.
When it comes to security, you should always assume worst-case scenarios are going to occur.
In which case, the equivalence of self-signed and CA-signed is entirely on-the-mark. There's no real guarantee that the certificate authority is any more secure or trustworthy than, say, my five-year-old niece.
This is why decentralized systems (lately, that's been interpreted to mean "systems using a cryptographic ledger or blockchain" or "systems that rely on mesh topology graphs" (i.e. something similar to Namecoin or something similar to PGP, respectively), but those aren't the only models out there) are ultimately necessary for this; that way, you don't have to trust one arbitrary centralized authority, but instead can trust, say, a majority of a collection of hundreds or thousands or millions of such authorities coordinating via an agreed-upon protocol/convention/etc. My own bet would be on a cryptographic ledger (PGP-style webs-of-trust aren't nearly as end-user-friendly, whereas a "blockchain" has more potential in that area, since it's easier to abstract away from the end user), but pretty much anything at this point would be less convoluted - and more secure/trustworthy/effective - than the current system.
I disagree. There's a significant amount of security we gain from collectively using the CA system over self signed certificates. If a CA is subverted my browser or OS vendor can pull the CA or the CA, if trustworthy, can revoke the certificates.
Let's say a CA has issued certificates for example.com to someone with nefarious intent. It's discovered that the CA's security is completely compromised and my vendor pulls the plug. In our current scenario I can visit example.com while being MitM'd and my browser vendor has made sure I get a big alert when I connect.
In a scenario without CAs, I visit example.com and my browser vendor has no idea that I'm being MitM'd nor do I since I've never been to example.com and examined the certificate.
Is it perfect with CAs? No. Will some get victimized by a CA's carelessness regardless of when it's caught? Probably. But most of us remain more secure with it than without it. For most users on most sites it works albeit haphazardly. It should absolutely be replaced. But to suggest that the security benefits should be abandoned because it's possible that it could happen is short sighted. It would be open season on internet users.
> I disagree. There's a significant amount of security we gain from collectively using the CA system over self signed certificates.
You're actually losing security by trusting the CA model, though. You have no means of control or independent audit. This is the same reasoning behind free-and-open-source software being inherently more secure and trustworthy than their closed-source counterparts; "transparency is a dependency of trust" is just as applicable here as it is in any other security-sensitive situation.
This is why decentralization is absolutely essential, and the longer we go on sitting on our haunches and pretending that the current system is "good enough", the worse the problem becomes.
> If a CA is subverted my browser or OS vendor can pull the CA or the CA, if trustworthy, can revoke the certificates.
That trustworthiness is a very big if.
> In a scenario without CAs, I visit example.com and my browser vendor has no idea that I'm being MitM'd nor do I since I've never been to example.com and examined the certificate.
There are numerous ways to achieve certificate verification without relying on a centralized CA system. Even with self-signed, you can detect private key changes (this is how SSH is protected against MITM attacks; in practice, this rather-simple security measure has been very hard to circumvent). For more verification, there are plenty of ways to achieve that in a decentralized manner, be it web-of-trust (PGP-style) or a cryptographic ledger (Namecoin-style) or something else entirely. Hell, there are already systems like DNSChain that implement the latter approach; that would be infinitely better than the current system.
> But to suggest that the security benefits
What security benefits? All the purported "benefits" are entirely fictional, since they rely exclusively on arbitrary trust in arbitrary entities. That's not security, no more than me handing you a briefcase full of cash and you promising you'll hold onto it for me is "security".
The sense of security you feel with the current CA system is very much false. You're relying enirely on luck, and have absolutely zero assurance that your luck will continue to be good.
"Basically, the current CA system is - again, to put this as gently and politely as possible - fucking broken. Anything that forces the world to rely on it exclusively is not a solution, but is instead just going to make the problem worse."
Please keep that fact - that the CA system is, as I put it with all the gentleness and politeness it deserves, "fucking broken" beyond any repair - in mind.
(And no, "the CA system is fucking broken" is not an opinion; it is a verifiable fact, as much as the concept of gravity is a verifiable fact)