Tuesday, December 30, 2008

who do you trust, and why?

At UCO/Lick I oversee two sets of secure web pages -- those are the ones where the URL begins with https://, where the 's' indicates that the communications are secured by cryptographic means.  Have a look at the portal page for slit mask submission.  As it says in the lower paragraph, you won't be able to go to the secure page itself (we have multiple levels of security), but the focus here is on the upper paragraph.

I added the first paragraph because of e-mail from users who were alarmed by the message that Firefox 3 gave them.  Previous versions of Firefox had not been so in-your-face about the fact that our web server SSL certificate is "self-signed".  Self-signed is basically a way of saying that we did not pay a "Certificate Authority" (CA) for our certificate.  My paragraph of text is about how I considered the whole CA scheme to be a protection racket.

In today's news is a story of the presentation in Berlin which demonstrated that it's also an ineffective protection racket.  The authors showed the Chaos Communication Congress that they could create an SSL CA certificate which would let them manufacture more SSL certificates that all browsers would believe were valid.

That is to say, your web browser may say that it trusts a site and believes it to be the entity you intended to contact, but that may no longer be a statement with any meaning.

So, if you are accustomed to doing internet banking, or stock trading, or anything else where it is essential that your communications are known only to you and the official entity on the other side of your web browser, you may be in deep trouble.  
