Because if I'm on your wifi in your garage, I can spoof a site that has signed, unverified certificates and steal logins just as easily as if it were over the clear.
All I have to do is drop a machine on the network, say it's paypal.com and give it my own self signed SSL. Your computer looks on the network, finds paypal.com, pulls it up and you just implicitly trust the self signed SSL.
Encrpytion without verification is just security theatre.
so... how about browsers warn when they're pulling a an address off a DNS they've never heard of, and that isn't listed and isn't verified? Wouldn't that be a much saner way of dealing with the problem?
DNS has nothing to do with it. They can arp-spoof your machine into thinking their machine is the gateway. Then all your traffic goes through their machine. If you don't verify certificates, then they could just present you a self-signed cert that they used to decrypt your requests, then re-encrypt them and forward to the real site. If your browser didn't warn you, you'd never know.
Seriously, watch the video. Even though your browser warns you, you're still very vulnerable. If you just type bankofamerica.com, anybody on your network could easily trick you in to divulging your password. You have to type the "https" in yourself and trust that your browser verifies certificates correctly.
All I have to do is drop a machine on the network, say it's paypal.com and give it my own self signed SSL. Your computer looks on the network, finds paypal.com, pulls it up and you just implicitly trust the self signed SSL.
Encrpytion without verification is just security theatre.