Anything short of end to end encryption using keys generated and stored locally on each user's device is purely symbolic. Why it still isn't the default is mind boggling.
Absolutely true.
There are some things that cannot be trusted to third parties today. Having trust certification managed by a certificate authority of any type stands revealed as absolute futility, given the multiple breaches of CAs over the past years, and the prevalence of things like Microsoft's Forefront "threat management gateway" and Packet Forensics' SSL-breaking man-in-the-middle machine, which dates back to 2010. References:
https://www.grc.com/fingerprints.htm and
http://www.wired.com/2010/03/packet-forensics/ ...in fact, major antivirus programs work by inserting themselves in the trust chain; see
http://rants.effu.se/2013/03/Arrogant-Anti-virus-Doesn't-Appreciate-Your-Choices for a discussion of one major player's encryption-subverting approach. Given that the antivirus industry is stuffed with East Bloc talent, allowing them to man-in-the-middle all your secure communications would seem to be a risk all its own.
It used to be that I'd feel comfortable using SSL and such, thinking it would stymie most bad guys and at least inconvenience the really sophisticated snoops. Turns out that's false confidence, bigtime. Otherwise your communications are about as secure as they'd be if you spoke only in pig latin. Meaning, not at all.
So between purloined or hacked CA certificates, SSL-breaking utilities and hardware that may be on any network you use or connect-through even indirectly, and man-in-the-middle-ware willingly installed by users and corporations, it's clear that anything that really needs encrypting needs tools entirely under the user's control. Fortunately these are plentiful, such as the superb, free GPGTools for OS X's Mail.app (
https://gpgtools.org). But people have to use them for them to work.
