Open Source and information security mailing list archives
Date: Fri, 23 Jul 2010 00:12:49 -0500
From: Marsh Ray <marsh@...endedsubset.com>
To: Dan Kaminsky <dan@...para.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Expired certificate

On 07/22/2010 10:40 PM, Dan Kaminsky wrote:
>
> Nobody says they have to deploy secure endpoints, but the credit card
> people, and even then only on a really restricted subset of sites.
>[...]
> It's one day every three years per server.  If you have a lot of
> servers, it adds up.  And so, we back into the empirical reality --
> people don't put SSL on a lot of servers.

Yeah, it's a pain in the butt that cuts down a little on the adoption, no 
doubt about it.

Still, something inside me doesn't feel completely unhappy that there's 
this tiny little barrier-to-entry for serving https that my browser trusts.

Security, by definition, can never be 100% effortless or transparent. 
After all, on some level, its purpose is to make it harder to access the 
protected resource. Credentials only have value to the extent it can be 
counted on that no one else can get them, so some constraints are 
unavoidable. Credential constraints on the time axis (on the order of 
years) aren't exactly the worst idea I've ever heard.

The worst idea I've ever heard is probably this:
http://news.techworld.com/security/3228198/obama-internet-kill-switch-plan-approved-by-us-senate/?olo=rss

> There are fundamental sources of these failures that are not just
> "people are stupid".  Remember the tales of failed +$100M PKI
> deployments around the turn of the millennium?

I can imagine a PKI project failing.

But failing after $100M is spent can be only explained by business 
management problems. This is not a space program we're talking about 
after all, the PKI technology just isn't that risky.

> Why do you think so much money got spent?

Consultants!

- Marsh
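The exchange above argues about the cost of certificate lifetimes ("one day every three years per server", constraints "on the time axis"). As an added illustration, not part of the original thread, here is the kind of fleet-wide expiry audit that turns that per-server renewal day into a scheduled task rather than a surprise. It parses X.509 Validity times the way they are encoded in DER (RFC 5280 4.1.2.5: UTCTime with a two-digit year for dates through 2049, GeneralizedTime from 2050 onward, both in UTC) and reports which hosts need renewal. The host names, validity windows and the `FLEET` table are constructed for the example; `parse_x509_time`, `cert_status` and `fleet_report` are names chosen here, not from any library.

```python
"""Added example: auditing X.509 validity windows across a fleet of servers.

Not code from the original thread. The FLEET table below is constructed
sample data, not captured from real hosts.
"""
from datetime import datetime, timedelta, timezone


def parse_x509_time(s: str) -> datetime:
    """Parse a certificate Validity time as it appears in DER.

    RFC 5280 4.1.2.5: dates through 2049 MUST be UTCTime (YYMMDDHHMMSSZ,
    two-digit year: 50-99 -> 19xx, 00-49 -> 20xx); dates from 2050 MUST be
    GeneralizedTime (YYYYMMDDHHMMSSZ). Certificates always use 'Z' (UTC).
    Getting the year pivot wrong turns a 2049 expiry into a 1949 one.
    """
    if not s.endswith("Z"):
        raise ValueError(f"X.509 times must be UTC ('Z'): {s!r}")
    body = s[:-1]
    if len(body) == 12:            # UTCTime
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif len(body) == 14:          # GeneralizedTime
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError(f"unrecognised X.509 time: {s!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def cert_status(not_before: str, not_after: str, now: datetime,
                renew_within: timedelta = timedelta(days=30)) -> str:
    """Classify one certificate's validity window relative to `now`."""
    nb, na = parse_x509_time(not_before), parse_x509_time(not_after)
    if na <= nb:
        return "invalid"           # empty or inverted window: never trust it
    if now < nb:
        return "not-yet-valid"
    if now >= na:
        return "expired"
    if na - now <= renew_within:
        return "renew-soon"        # the "one day per server" is due
    return "ok"


def fleet_report(fleet: dict, now: datetime,
                 renew_within: timedelta = timedelta(days=30)) -> dict:
    """Map host -> status for a {host: (notBefore, notAfter)} table."""
    return {host: cert_status(nb, na, now, renew_within)
            for host, (nb, na) in fleet.items()}


# Constructed sample fleet (hypothetical hosts), with DER-style time strings.
FLEET = {
    "www.example.test":    ("100101000000Z", "130101000000Z"),    # 3-year cert, 2010-2013
    "mail.example.test":   ("090801000000Z", "100801000000Z"),    # expires 1 Aug 2010
    "old.example.test":    ("060101000000Z", "090101000000Z"),    # already expired
    "future.example.test": ("100101000000Z", "20600101000000Z"),  # GeneralizedTime notAfter
}

# Evaluation point: the date of the message above, converted to UTC.
NOW = datetime(2010, 7, 23, 5, 12, 49, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host, status in fleet_report(FLEET, NOW).items():
        print(f"{host:22} {status}")
```

The useful part is the `renew-soon` bucket: with a 30-day window, the audit lists the hosts whose renewal day is coming up before the browsers start complaining, which is the whole cost Dan is counting. The UTCTime year pivot and the switch to GeneralizedTime at 2050 are where hand-rolled expiry checks usually go wrong, so the parser handles both explicitly.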

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/