"Short of coming up with a way to create a trustworthy CA that runs for less than $20 a year, there is no great solution to this problem."
Good point. You won't find it - performing proper background checks costs more than that.
That's not to say you can't get cheap certificates - they're the domain-only validated ones where you only have to prove ownership of the domain.
These are bad because they appear the same as properly-validated certs when they shouldn't. Kaminsky's recent work shows the DNS system can't always be trusted, and so certificates validated on that weak system cannot be trusted either.
However, until GoDaddy and Geotrust stop having lots to lose from DV certs being marked down by browsers, I doubt they'll let MS, Opera, Mozilla and the rest do such a thing.