Beware of free SSL certificates - the criticism of the unchecked certificates is indeed correct. But the experts are labouring under a misconception here: why should I trust the CAs that happen to ship with my browser more than any other CA?

Of course, if I try to get a certificate from one of these CAs (e.g., the Trustcenter), I have to jump through all sorts of hoops before the certificate is issued. That seems very secure. But who guarantees that all certificates from this CA were issued according to the same procedure? That someone didn't feel like checking and simply confirmed a certificate without verification? Or that something was rigged?

Exactly. There is only the guarantee of the issuer. The company that issues me the certificate essentially checks itself. Of course, in Germany there are regulations for certificate authorities and, as far as I know, these include audits - but who guarantees that everything runs smoothly there? Given the level of corruption going on ...

I don't want to accuse the Trustcenter of anything here - on the contrary, we use their services in the company. But central certification authorities have a serious problem: the security and trustworthiness depend solely on the trustworthiness of the central authority. And browsers come with various certification authorities deemed trustworthy by the browser manufacturer - I don't decide that, someone else does.

This is the classic conflict between centralized certification and decentralized certification via a Web of Trust as it exists with OpenPGP or GPG. Of course, I can't trust everyone there either - but if I trust someone, I set that locally for myself. And this trust is not dependent on whether it is a large company with great boilerplate documents.

Without a Web of Trust structure, certification is still more of a facade than substance. Alongside the pearls, there are also pigs - and that's exactly what ct has found out. Great insight - we've been saying this from the PGP camp for years.