You're exaggerating here. Yes, you have to buy a certificate if you want the public to connect. But if you're in a corporate environment you can run your own SSL root CA and have it all for free. If you're doing inter-business transfers then the both of you can trust each other's root CAs and away you go.

ManipUni said:
I hate the way certificates are handled today... They basically put a gun to your head and demand money in order to establish an SSL connection.
I know, man-in-the-middle attacks! Well sorry but can we not have an encrypted connection without protection against man-in-the-middle attacks? Why is it every other protocol has support for basic SSL encryption without certificate verification except HTTP?
Internet Explorer's implementation is annoying, WebClient and Firefox's implementations are a pain in the *.
It's not a protocol problem either with HTTP, it's how the browsers handle it. You don't have to have a validity check if you don't want to in your own code, as Klaus's experiment shows.