The SSL Certificate Scam:
SSL encryption with internet traffic generally provides 2 benefits:
1) It protects the data sent back and forth over the internet from the client to the server from casual interception.
2) It provides assurances to the end user at the client that the website they have connected to is really who they say it is.
The first purpose can be handled with an SSL certificate created by anyone. The second purpose requires that the certificates being used by the servers are from a "trusted third party". What does it mean to be a trusted third party? Well, it means that the third party has pays thousands of dollars a year to a financial Auditing Company to review their Certificate generation policies and ensure that they confirm to "best practices"... considering the large numbers of websites out there where you can currently purchase an SSL certificate for a web server - best practices are quite weak:
At best, the third party has verified:
1) That the Domain name the SSL certificate is being issued for is owned by the Company doing the registration.
2) That any address information from the payment method for the SSL Certificate matches the company information[ie credit card, etc]
3) That the IP address that the SSL certificate is being issued for is used by at least one subdomain from the domain name that the SSL certificate is being issued for[from 1].
In practice, SSL CA's will accept payment from anyone. Because of the widespread use of so called 'DNS Privacy' options [aka fake addresses] for Domain Registrations CA's don't bother to check 1.
Furthermore, CA's don't perform any 'follow up'. Once a certificate is issued, it's good for a year and then it expires. So all you know about the IP Address/Domain Name linkage is that at the time the certificate was issued, domain name and the ip address may have been, in some way, related...if they bothered to check.
Once an SSL certificate has been issued, it can be in one of 4 possible states:
1) A Valid, un-expired SSL certificate
2) An invalid, un-expired SSL certificate
3) A Valid, expired SSL certificate
4) An invalid, expired SSL certificate
An invalid certificate means that the CA Authority maintains a database of fraudulent certificates so as to protect user privacy.
In practice, however, CA Authorities don't perform any followup, so the only certificates that are marked as invalid are ones that somone else has told them about...generally a LOT of someones as they don't bother to spend a lot of money researching a few reports.
Now consider your own browsing habits and how often you reach a website where you get a warning message because of an SSL certificate problem. After the economic meltdown, there were a large number of bankrupt, non-existant companies with websites that continue to run to this day. After years of running, most of them now give "expired certificate" warnings. They do not give "invalid/revoked certificate" warnings. Non-existant, bankrupt companies - and as far as the "trusted third parties" are concerned their certificates are still valid - and in some cases if they opted to purchase long expiration times - not even expired!
The "audits" that trusted third parties have to pass only address this sort of thing in passing. IF they choose to do follow up checks, THEN they have to follow certain rules. Considering the number of fraudulent certificates discovered, it is my belief that the only thing these "audits" prove is that the company pays thousands of dollars a year for a rubber stamp. The only difficulty I'm aware of is passing the audit the first time. Once you have passed, I'm not aware of any auditing firms coming back and revoking their findings. Even in high profile cases of monumental mistakes - the auditing firms don't foot the bill and re-audit everyone they have previously audited to ensure that there are no problems. So the only thing that a trusted third party really does to prove it is trustworthy is demonstrate that it can pay thousands of dollars a year to some company.
CA Authorities COULD easily and for the most part semi-automatically do these things. For every website certificate generated, they could have a server which monitors the website and if it is down for a week or more[indicating something happening] automatically revoke the certificate and generate a new one for free for the customer.
They could periodically scan the internet for all websites using certificates that they signed which have expired and then have someone follow up to ensure that the certificates are still valid[ie the company still exists and is still running that website].
However, all of that doesn't actually generate any revenue. So why should they? I would argue that they should do so because they put THEIR company name on that certificate at some point and it is their reputation on the line.
Instead they came up with a new idea. Extended Validity Certificates. http://en.wikipedia.org/wiki/Extended_Validation_Certificate
These certificates have a few extra hoops to jump through in order to receive one. In theory, they solve the problem created by the CA's to begin with - that identity was not really checked. And they do this in a brilliant manner, by charging customers more money!
This scheme, supported by most major browsers, is designed so that websites that are using an EV Certificate will appear even MORE trustworthy.
It is a relatively new program, first rolling out in 2008 and only really hitting it's stride after 2010. At first appearance it seems to be "the solution" because websites now using them are legitimate. But it has the same problems as the old scheme. Given a decade, there will be a large number of "expired" EV certificates. The trusted third parties aren't doing follow-up every few months to ensure that "legitimate" certificates aren't used for illegitimate purposes. And since it is the same companies issueing these EV Certificates which also issue the 'normal' certificates there is no reason to believe that they will do anything differently.
Based on all of this my own feeling is that purchasing SSL certificates is, at this point in time, just a scam. There is no added security to using one of them over using self signed certificates. In fact, the opposite - with self signed certificates you have the CHOICE of who to trust. With paid certificates, Google, Mozilla, or Microsoft chooses for you - and they don't allow you to choose to not trust one of these "trusted third parties".