lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 22 Jul 2010 21:05:56 -0400
From: Dan Kaminsky <dan@...para.com>
To: Marsh Ray <marsh@...endedsubset.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Expired certificate

> Operationally, it just shouldn't be that big a deal to schedule a
> maintenance every few years. Like expiring domain registrations, the hardest
> part is simply to not lose track of it. The Accounting dept in an
> organization can sometimes help to not forget that stuff.
>
>
Shouldn't?  That's a nice word.

What does the data say?

Suppose I have five hundred web servers with five hundred expiration dates,
strewn out roughly uniformly over a three year period.  That means, I have
about one expiration every two days.

Now, to run a change:

1) A purchase must be made, of the thing to be changed
2) A meeting must be scheduled, to organize the change (especially if, as
you suggest, an external organization tracks these things)
3) An administrator must be tapped to implement the change in non-peak time
4) The change must happen
5) The change must be tested and validated
6) The new expiration time must be confirmed for tracking purposes

Lets say this is 8 man hours.  That means this is 4,000 man hours of work.
Assume the employee doing this work has an average cost to the company of
$60/hr (remember, you need to roughly double the cost of a full time
employee, after you factor in benefits, payroll taxes, etc).

That's $240K/yr being spent to manage three year expirations, just on labor.

And, of course, you see the result of this:  People don't go ahead and put
500 different certs on 500 different machines.  Instead, you end up with an
Internet having but a million SSL endpoints, only half of which even pretend
to have a validating certificate.

Costs can hide.  Consequences are another matter.

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ