WebApp Sec mailing list archives

Re: Growing Bad Practice with Login Forms


From: Jason Coombs PivX Solutions <jcoombs () pivx com>
Date: Tue, 27 Jul 2004 16:25:15 -1000

Toro, Daniel wrote:
> Maybe the certificate is hard (near impossible?) to fake

Certificate chain validation flaws exist in Internet Explorer, Mozilla, and other browsers that enable anyone to forge any server certificate.

I would say that certificate-based server authentication is dead, except that it still produces huge annual revenues for the companies that sell this useless snake oil remedy for a problem that doesn't exist.

Nobody has trouble communicating their public key to the people who need to know what it is. Certificate chains presumed that this would be impossible in an overly-complicated anonymous commerce model across geographical and political boundaries in the borderless nirvana of cyberspace. Faulty presumption. End of technology? No, unfortunately not.

The tax man must be paid else the padlock will not appear. Certificates are a means of extracting money from people who want to do something meaningful with the Web. They are not a security countermeasure. Thus proof that they don't work doesn't cause them to go away... It just reveals their true purpose.

Most Secure Regards,

Jason Coombs
Jcoombs () pivx com
