SSL isn't broken by this
It's the current CA/PKI system used with SSL which is broken, not SSL itself. If your application tells SSL to trust a particular certificate authority or certificate, that's exactly what it will do.
At least when I run a SSH tunnel (which also uses SSL)out of my corporate work environment using X forwarding I can display applications run remotely on my secured system displayed locally, and for which I personally get to check the SSL fingerprint of the SSH server. I do similar things with my server's SMTP/IMAP AUTH TLS cert when I setup email clients, and I got suitable warnings on all of them when I changed the TLS private key.
Moxie Marlinspike's Convergence protocol http://www.youtube.com/watch?v=Z7Wl2FW2TcA (long video - but well worth the time spent) shows that at least someone is trying to set something up so that end users don't need to match hex strings to do this job.
But none of this PKI problem (where you can choose usability or security but not both) can ever really be fixed without end to end DNSSEC.
- Infosec geniuses hack a Canon PRINTER and install DOOM
- Feature Be your own Big Brother: Monitoring your manor, the easy way
- Boffins say they've got Lithium batteries the wrong way around
- In a spin: Samsung accuses LG exec of washing machine SABOTAGE
- Phones 4u slips into administration after EE cuts ties with Brit mobe retailer