Someone noted that he would trust his money but not his children to his banker, while he would trust his children but not his money to his mother-in-law. This is an important issue that informs my misgivings about my bank’s trust of Verisign and to each of nearly 100 other ‘certificate authorities’ as the means by which I am supposed to feel certain that my browser is indeed connected to my bank’s computer. Verisign is an unnecessary point of failure. Each time I log into my bank I am vulnerable to the unlikely event that Verisign has been compromised as well as my DNS service. Had I merely brought home from the physical bank building, a business card with the bank’s public key signature and entered it into my computer, I would avoid the Verisign vulnerability.
Recently I have learned the six clicks necessary to see the fingerprint of VeriSigns public key and recognize in it some of the correct bits. This sort of protects me from corruption via other CAs. I wish I could teach my browser to do this.
The bank proudly announce to me that I can take a picture with my cell phone of a check someone wrote to me and send it to the bank. I am free to ignore this possibility, except when someone else sends in a bogus picture of my account number and a simulacrum of my signature.
I trust the bank with much of my money but not so much with their crypto savvy. I don’t change banks because other banks are no better in this regard.