Re: Yes, it's about time, but…
Sure it is. Using it is still better than sending the data over the wire in plain text.
For DigiNotar to work, your victim would need to be using very old software. It's certificate as a root CA was revoked by pretty much everyone. As a cautionary tale for the whole CA system it is definitely a loud and clear example of what everyone knew was an issue. Unfortunately there is no panacea when it comes to security. You do what you can. The only true security is a one-time pad, but that is actually impossible to achieve in reality.
If you look at the mitmproxy tickets, you'd find out that Apple has pinned it's certificate (at least in iOS 6), which is exactly what should be done everywhere that it is possible. Since the certificate is not used over the wire, you'd need access to their device and the ability to change the certificate on it to your certificate.
So what's left? Well if you want to target specific sites that have mixed content (some SSL and some HTTP [preferably JS files, but CSS would also work]), you can proxy the traffic and inject your own JS code in the HTTP stream. SSL works by public/private keys to set up the connection. After that it is simple symmetric encryption. Your code would make repeated connections to the server with a block of text that you know. Known text attack is pretty simple for working out the symmetric key. If you've been caching the SSL packets, you can go back and decrypt that stream.
You've got good points, but just shouting the sky is falling on a forum is perhaps not the best thing to do. I mean, what if some PHB is reading the site and gets the idea that they can just stop using SSL on their services. ;)
It's better to point out that security is hard and SSL is not a panacea because it needs to be implemented correctly and carefully. When I was a SysAdmin, I used to tell my colleagues that if you wanted true security, you'd cut the cords off of your system, send it through an industrial wood chipper, embed that in a block of cement, and then drop that into the Marianas Trench. Then I'd be 99.999% sure you couldn't be hacked.
Biting the hand that feeds IT
