Full Disclosure mailing list archives
Re: Expired certificate
From: Marsh Ray <marsh () extendedsubset com>
Date: Fri, 23 Jul 2010 00:12:49 -0500
On 07/22/2010 10:40 PM, Dan Kaminsky wrote:
Nobody says they have to deploy secure endpoints, but the credit card people, and even then only on a really restricted subset of sites. [...] It's one day every three years per server. If you have a lot of servers, it adds up. And so, we back into the empirical reality -- people don't put SSL on a lot of servers.
Yeah it's a pain in the butt that cuts down a little on the adoption, no doubt about it. Still, something inside me doesn't feel completely unhappy that there's this tiny little barrier-to-entry for serving https that my browser trusts. Security, by definition, can never be 100% effortless or transparent. After all, on some level, its purpose is to make it harder to access the protected resource. Credentials only have value to the extent it can be counted on that no one else can get them, so some constraints are unavoidable. Credential constraints on the time axis (on the order of years) aren't exactly the worst idea I've ever heard. The worst idea I've ever heard is probably this: http://news.techworld.com/security/3228198/obama-internet-kill-switch-plan-approved-by-us-senate/?olo=rss
There are fundamental sources of these failures that are not just "people are stupid". Remember the tales of failed +$100M PKI deployments around the turn of the millennium?
I can imagine a PKI project failing. But failing after $100M is spent can be only explained by business management problems. This is not a space program we're talking about after all, the PKI technology just isn't that risky.
Why do you think so much money got spent?
Consultants!

- Marsh