Re: Expired certificate

[Marsh Ray <marsh () extendedsubset com>]

On 07/22/2010 10:40 PM, Dan Kaminsky wrote:
> Nobody says they have to deploy secure endpoints, but the credit card
> people, and even then only on a really restricted subset of sites.
> [...]
> It's one day every three years per server.  If you have a lot of
> servers, it adds up.  And so, we back into the empirical reality --
> people don't put SSL on a lot of servers.

Yeah it's a pain in the butt that cuts down a little on the adoption, no 
doubt about it.

Still, something inside me doesn't feel completely unhappy that there's 
this tiny little barrier-to-entry for serving https that my browser trusts.

Security, by definition, can never be 100% effortless or transparent. 
After all, on some level, its purpose is to make it harder to access the 
protected resource. Credentials only have value to the extent it can be 
counted on that no one else can get them, so some constraints are 
unavoidable. Credential constraints on the time axis (on the order of 
years) aren't exactly the worst idea I've ever heard.

The worst idea I've ever heard is probably this:
http://news.techworld.com/security/3228198/obama-internet-kill-switch-plan-approved-by-us-senate/?olo=rss

> There are fundamental sources of these failures that are not just
> "people are stupid".  Remember the tales of failed +$100M PKI
> deployments around the turn of the millenium?

I can imagine a PKI project failing.

But failing after $100M is spent can be only explained by business 
management problems. This is not a space program we're talking about 
after all, the PKI technology just isn't that risky.

> Why do you think so much money got spent?

Consultants!

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/