So over the last few years it seems like SSL has taken rather a beating from the security community. While the technical reasons are beyond my understanding, I understand the concepts and understand that SSL is becoming more and more insecure as new weaknesses are found.
My question to you guys is this:
If SSL is “broken”, is there a technology that can take its place? Is there a more secure alternative?
Any thoughts are appreciated! 🙂
(ps, I’m not specifically talking about HTTPS – I mean any SSL technology)
SSL is not broken. The protocol is designed to be robust, problems can be found in a specific cipher suite, and a patch is as simple as a one line configuration change using a new one. There are attacks like SSLStrip and ways of preventing it, such as HTTP STS.
The biggest problem is that people don’t use HTTPS often enough. This leads to problems like OWASP a9 which can be exploited by tools like firesheep.