I agree that the lock icon/logo as used in pgp.com may mislead users to think this is a protected site. But I think there is a bigger threat here. As your demo at http://iang.org/ssl/ shows, a spoofing site could present the logo of the victim site. Now, most users don't even check the SSL logo.
In fact, many `serious` web sites ask users to enter passwords etc. in pages which are NOT PROTECTED, usually relying on a script in the page to invoke SSL just before submitting the information; this implies that a spoofing/phishing site can present the same content and collect the unencrypted passwords... I found such vulnerabilities in many of the most prestigious web sites, including Microsoft's Passport, Chase, E-Bay, Amazon, Yahoo! and TD Waterhouse (see screen shots at fig 5 of http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm).
So my conclusion is: the problem is not with SSL/TLS, the problem is in their current use by browsers (and we present a possible fix in the paper). You can't sue the condom maker if it failed to protect it, although you've put it on carefully - but too late. Or if your partner promised to use it, but forgot.
So while `SSL is harmful` sounds sexy, I think it is misleading. Maybe `Stop SSL-Abuse!`
--
Best regards,
Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University
http://amirherzberg.com (information and lectures in cryptography & security)
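The pattern the message describes, a login form served on an unprotected page that only switches to SSL at submission time, is something a site owner can check for mechanically. The following auditor is an added example written for this discussion, not code from the message or from the paper it cites; the page URL, hostnames and HTML are constructed sample data, and `audit_login_forms` and `PasswordFormCollector` are names chosen here. It parses a page, finds every form containing a password field, resolves the form's action against the page URL, and classifies the form by whether the page itself and the submission target are both served over HTTPS. The first verdict is the case from the message: even if the action is HTTPS, a password typed on a plain-HTTP page is typed on a page the user could not authenticate, so a spoofed copy would collect it just as well.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not a real site): a login form delivered over plain HTTP
# whose action points at an HTTPS URL, i.e. the "invoke SSL just before submitting" pattern.
SAMPLE_HTTP_PAGE_URL = "http://www.example.test/login"
SAMPLE_HTTP_PAGE_HTML = """
<html><body>
<form id="login" action="https://secure.example.test/auth" method="post">
  <input name="user" type="text">
  <input name="pass" type="password">
  <input type="submit" value="Sign in">
</form>
<form id="search" action="/search"><input name="q" type="text"></form>
</body></html>
"""


class PasswordFormCollector(HTMLParser):
    """Record, for every <form> that contains a password field, where that form posts to."""

    def __init__(self):
        super().__init__()
        self._open_forms = []      # stack of (form_id, action) for the forms currently open
        self.password_forms = []   # (form_id, action) for each form holding a password input

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            form_id = a.get("id") or a.get("name") or "<anonymous>"
            self._open_forms.append((form_id, a.get("action") or ""))
        elif tag == "input" and (a.get("type") or "text").lower() == "password":
            if self._open_forms:
                form = self._open_forms[-1]
                if form not in self.password_forms:
                    self.password_forms.append(form)
            else:
                # A password field outside any form is typically submitted by script;
                # record it with no action so it is still reported.
                self.password_forms.append(("<no form>", ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._open_forms:
            self._open_forms.pop()


def audit_login_forms(page_url, html):
    """Classify each password form by the scheme of the page and of its resolved action URL."""
    parser = PasswordFormCollector()
    parser.feed(html)
    page_scheme = urlparse(page_url).scheme
    findings = []
    for form_id, action in parser.password_forms:
        action_url = urljoin(page_url, action)   # an empty action submits to the page itself
        action_scheme = urlparse(action_url).scheme
        if page_scheme != "https":
            verdict = "page not protected: password typed on an unauthenticated page (spoofable)"
        elif action_scheme != "https":
            verdict = "submission not protected: form posts credentials over plain HTTP"
        else:
            verdict = "ok: page and submission both over HTTPS"
        findings.append({
            "form": form_id,
            "page_scheme": page_scheme,
            "action": action_url,
            "action_scheme": action_scheme,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_login_forms(SAMPLE_HTTP_PAGE_URL, SAMPLE_HTTP_PAGE_HTML):
        print(finding["form"], "->", finding["action"], ":", finding["verdict"])
```

Run against the sample page, the `login` form is flagged because the page scheme is `http`, regardless of its HTTPS action; the `search` form is ignored because it carries no password field. The same function reports the mirror-image defect (an HTTPS page posting to an HTTP action) and passes a form only when both the page and the submission target are HTTPS. It does not model forms whose submission is rewritten by script, so a clean result from this check is necessary, not sufficient.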
