| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 Jul 2010 23:40:41 -0400
From: Dan Kaminsky <dan@...para.com>
To: Marsh Ray <marsh@...endedsubset.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Expired certificate
On Thu, Jul 22, 2010 at 11:28 PM, Marsh Ray <marsh@...endedsubset.com>wrote:
> On 07/22/2010 08:05 PM, Dan Kaminsky wrote:
>
>>
>> That's $240K/yr being spent to manage three year expirations, just on
>> labor.
>>
>
> Yep.
>
> But as Dr. Laura would say, "you knew that before you married her".
>
> Nobody said you had to go into that business, or that you were entitled to
> make a profit on it.
Nobody says they have to deploy secure endpoints, but the credit card
people, and even then only on a really restricted subset of sites.
There are fundamental sources of these failures that are not just "people
are stupid". Remember the tales of failed +$100M PKI deployments around the
turn of the millenium?
Why do you think so much money got spent?
What might be the unintended consequences be of having 500 "secure" sites
> hosted by folks that can't manage to spend one day every three freakin'
> years on maintenance?
>
> It's one day every three years per server. If you have a lot of servers,
it adds up. And so, we back into the empirical reality -- people don't put
SSL on a lot of servers.
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists