SSL isn't broken by this
It's the current CA/PKI system used with SSL which is broken, not SSL itself. If your application tells SSL to trust a particular certificate authority or certificate, that's exactly what it will do.
At least when I run a SSH tunnel (which also uses SSL)out of my corporate work environment using X forwarding I can display applications run remotely on my secured system displayed locally, and for which I personally get to check the SSL fingerprint of the SSH server. I do similar things with my server's SMTP/IMAP AUTH TLS cert when I setup email clients, and I got suitable warnings on all of them when I changed the TLS private key.
Moxie Marlinspike's Convergence protocol http://www.youtube.com/watch?v=Z7Wl2FW2TcA (long video - but well worth the time spent) shows that at least someone is trying to set something up so that end users don't need to match hex strings to do this job.
But none of this PKI problem (where you can choose usability or security but not both) can ever really be fixed without end to end DNSSEC.
- Xmas Round-up Ten top tech toys to interface with a techie’s Christmas stocking
- Exploits no more! Firefox 26 blocks all Java plugins by default
- Xmas Round-up Ghosts of Christmas Past: Ten tech treats from yesteryear
- Review Hey Linux newbie: If you've never had a taste, try perfect Petra ... mmm, smells like Mint 16
- NSFW Oz couple get jiggy in pharmacy in 'banned' condom ad