This theoretically works for passive observation attacks but is not helpful against the threat outlined in the article -- the Man In The Middle attack.<p>As a hostile AP owner, I could intercept all SSL communication, originate it myself from the AP to the remote site and present my own forged self-signed certificates to the AP user. The user would see a self-signed certificate, not suspect that the AP was doing anything bad, meanwhile the AP could be harvesting all of the data in the connection, or even change it if it was somehow beneficial to the bad guy.<p>SSL keys work because there's a preexisting chain of trust between you and the site you're visiting (because you trust the root CAs, and the site gets their certs, possibly indirectly, from the same root CA provider). With a self-signed cert there's no preexisting chain of trust and the communication cannot be secured.
<a href="http://cert.startcom.org/" rel="nofollow">http://cert.startcom.org/</a> offers free SSL certificates and they do some basic validation of domain ownership before issuing a certificate.<p>Encourage more vendors to import their CA certificate into their browsers and you won't have to deal with the insecurity of self-signed certificates.
@iigs<p>Very true. I don't think this is the silver bullet that will end all attacks, but it's one additional step to something better.<p>With Firefox 3, a huge error is displayed if I use a self-signed certificate, which makes the user think this is not secure and they may leave.
I like this concept.<p>Top-tier firms do little in truly protecting the consumer. Fax a letterhead to them for proof that my business exists? Anyone can do that in 60 seconds with Microsoft Word.<p>The problem is that the browser would need to be updated with this change. And how do you explain it to consumers?