Full Disclosure mailing list archives

Re: Expired certificate


From: Dan Kaminsky <dan () doxpara com>
Date: Thu, 22 Jul 2010 23:40:41 -0400

On Thu, Jul 22, 2010 at 11:28 PM, Marsh Ray <marsh () extendedsubset com> wrote:

> On 07/22/2010 08:05 PM, Dan Kaminsky wrote:
>
>> That's $240K/yr being spent to manage three year expirations, just on
>> labor.
>
> Yep.
>
> But as Dr. Laura would say, "you knew that before you married her".
>
> Nobody said you had to go into that business, or that you were entitled to
> make a profit on it.

Nobody says they have to deploy secure endpoints, but the credit card
people, and even then only on a really restricted subset of sites.

There are fundamental sources of these failures that are not just "people
are stupid".  Remember the tales of failed +$100M PKI deployments around the
turn of the millennium?

Why do you think so much money got spent?

> What might the unintended consequences be of having 500 "secure" sites
> hosted by folks that can't manage to spend one day every three freakin'
> years on maintenance?

It's one day every three years per server.  If you have a lot of servers,
it adds up.  And so, we back into the empirical reality -- people don't put
SSL on a lot of servers.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
