#ssl

Stalker, SSL Katja's horse.

sea creature reviews: "garnok"

Security, Security… The SSL Story

“We have to get our trust center going IMMEDIATELY!” “YES SIR”, we replied. Pulling aside the IT director, we started discussing what that really meant. One thing led to another, and before we knew it, we found ourselves reminiscing over a few beers…

Rip-off of the 21st Century: How Google Boosted the SSL Industry

Let’s rewind a bit, back to 2010. Dinosaurs weren’t roaming, cars were everywhere — not perfect, sure, but good enough.

Website security was straightforward. Regular websites? Chill, nothing special needed. Websites with logins? SSL was sensible — encrypt usernames and passwords, simple logic. E-commerce sites? Checkout security was a no-brainer. Simpler times indeed — our IT director once casually received over 50,000 credit card details via email (password-protected, naturally!) during a site migration.

Google faced occasional ranking confusion — sites existed as HTTP, HTTPS, www, and non-www versions. A small mess, but manageable and amusing.

Then, suddenly, 2011 arrived. Rumors started swirling: “Google rewards fully HTTPS sites!” Interesting, right? No actual security improvement required, just better SEO rankings and more visitors.

Fast-forward another year: HTTPS became mandatory. Browsers like Chrome began labeling non-HTTPS websites “unsafe,” although security wasn’t the primary reason — more a convenience thing. And certainly not the user’s convenience.

More Encryption, More Resources, More Profits

Encryption — required to support secure communication — isn’t free; it demands additional resources. Additional resources translated into requirements for larger, more expensive servers. Encryption doesn’t merely happen on the server; someone has to decrypt it. While desktops hardly noticed the difference, smartphones certainly did — demanding noticeably more RAM and CPU power. Hardware upgrades surged. SSL certificates became lucrative businesses overnight. Suddenly, free certificates from “letsencrypt” weren’t “good enough.” Companies shelled out money for essentially identical commercial SSL certificates, boosting profits for hosting providers, certificate issuers, and smartphone manufacturers. But wait, there’s more…

New Standards, Same Old Devices

A few years later came newer TLS standards — 1.0 to 1.3. Were newer versions significantly more secure? Only marginally, closing theoretical and academic vulnerabilities never exploited. Yet enforcing standards like TLS 1.2 and 1.3 forced users with older hardware — devices unable to support these new standards — to upgrade unnecessarily, funneling even more profits into the tech industry without boosting real-world security.

Security scanners? Oh god, we absolutely loved those. Our IT director regularly received dozens of panicked emails: “OMG our site is not secure, please help us fix it!” Yet, examining the scan details typically revealed only one “vulnerability”: support for perfectly functioning TLS 1.0. Occasionally, scanners were ordered without proper heads-up, causing our automated security systems to block them immediately. Another flurry of emails followed: “Please unblock our security scanner — it’s unable to scan the website!” But wait — if security was the goal, wasn’t blocking unknown scanners a good thing? “WRONG,” said corporate bosses, demanding immediate unblocking. Logic had officially left the chat…

The Reality of Our Trust Center

This brings us back to our Trust Center dilemma. Our SignalCLI platform’s security rivals Fort Knox. Logging in? Like walking between skyscrapers on a tightrope during a hurricane — fingerprints, selfies, the whole nine yards. Getting information out? Not exactly possible.

Yet, after lengthy debates, we recognized the need for “paperwork security” — documentation and policies designed mainly to appease compliance folks. Welcome to 21st-century security: installing antivirus software on Linux systems — completely unnecessary but required on paper. Bureaucratic security, not practical security.

Now, we’re proud owners of our Trust Center, complete with extensive paperwork that few read but compliance teams adore.

It reminded our IT director of another story, which I’m sure he won’t mind me sharing. A couple of decades ago, he was working for an international company and, wanting to know who he was hiring, insisted on participating in interviews. A candidate walked in, applying for a senior developer position.

“How’s your English?” our IT director asked.

“I have an upper-intermediate level,” the candidate replied confidently, proudly handing over his certificate.

Our IT director (a multilingual guy — and yes, I’m jealous) switched to English: “So, can you continue the interview in English?”

Silence. The candidate couldn’t understand or respond in English. But he had a certificate — that’s the important part, right?

Final Thoughts

Real security matters. Bureaucracy? Not so much.

Still, quite the SSL story, isn’t it?

Be good out there!