I've had several phone calls from irate customers demanding to disable
the anti-virus software because it would not allow him/her to run a
virus.
Any security system/software is only as good as the weakest link, which
in general is the human element. The real trick is that after you have
put the good technology in place, to back it up with good interface
design to make it very difficult for the client to do something truly
stupid. Then to train (bullshit?) the clients into believing that you
are the best thing since toasted cheese and that you are his/her savior
and that the security is right and that his demands for ease of use is
wrong.
Until people start really demanding security, companies like Microsoft
will be buzzword complaint but not really secure without a lot of extra
work and tools. There will always be the message box that you can press
that it is Ok to delete all your files or to mail the virus to everybody
or to accept the illegal certificate.
Until people become willing to give up functionality for security this
will always be a problem. It does not make the technology bad, just the
implementations of the technology.
Robert Sandilands
Thomas Nichols wrote:
>
> Well, with all the warnings about identity theft, etc, from all forms of media, you
>would think people would be somewhat more attentive
> about what is presented (I didn't say READ) on a computer screen. Especially if they
>intend to put their hard-earned cash out in the
> E-commerce world.
>
> Kurt Seifried wrote:
>
> > The basic problem is that most people do not check the keys (and will accept keys
>with warnings like out of date, self signed, or
> > pointing to the wrong site). This wasn't such an issue until Dug Song released a
>nicely packages click and compile tool. Most people
> > seem to think that SSH/SSL make things "Secure", well guess what, they don't. They
>help, and are certainly a bit better then
> > plaintext alternatives like telnet but they aren't perfect either.
> >
> > Kurt Seifried, [EMAIL PROTECTED]
> > SecurityPortal - your focal point for security on the 'net
> >
> > ----- Original Message -----
> > From: "Eric Rescorla" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Cc: <[EMAIL PROTECTED]>
> > Sent: Tuesday, December 19, 2000 10:09 AM
> > Subject: Re: Kurt Seifred's article on securityportal
> >
> > > "Greg Stark" <[EMAIL PROTECTED]> writes:
> > > > Kurt Seifried has written an article (www.securityportal.com) in which
> > > > he claims there are man-in-the-middle attacks against SSL. I think
> > > > his article is wrong, but he has conveniently left off enough technical
> > > > details of his attack so that he can always say he meant something else.
> > > >
> > > > The problem is that it is getting a surprising amount of play. I put in my
> > > > two cents on Slashdot yesterday, but today I saw some posts on
> > > > the IPSec mailing list referencing the Seifried article.
> > > >
> > > > I guess I am most curious about just what his man-in-the-middle
> > > > attack is? My guess is that he is claiming his MITM can replace the
> > > > legitimate server certificate with one of his own choosing. I suspect
> > > > Seifried doesn't understand the CN check which is performed by
> > > > SSL clients and outlined section 3 of
> > > > http://www.rfc-editor.org/rfc/rfc2818.txt.
> > > > If anybody can figure out what he is really claiming, please e-mail the
> > > > list.
> > > I wrote to Kurt about this yesterday but have yet to receive a response.
> > >
> > > Anyway, I suspect what he's referring to is the well-known observation
> > > that people are stupid enough to click through the browser provided
> > > warnings. If so, this isn't a flaw in SSL. [0]
> > >
> > > Aside from that attack, there aren't any known good man-in-the-middle
> > > attacks against SSL [0]. However, note that it's possible to undetectably
> > > tamper with the HTTP-fetched page containing the HTTPS URL and
> > > thus totally compromise SSL connections derived from that page.
> > >
> > > There's a lot more on this topic in Chapter 5 of "SSL and TLS".
> > >
> > > -Ekr
> > >
> > > [0] There are a few downgrade-to-export attacks which require
> > > being able to crack export-grade keys in real time. AFAICT, this
> > > isn't what he's talking about.
> > >
> > > [Eric Rescorla [EMAIL PROTECTED]]
> > > Author of "SSL and TLS: Designing and Building Secure Systems"
> > > http://www.rtfm.com/
> > >
> >
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List [EMAIL PROTECTED]
> > Automated List Manager [EMAIL PROTECTED]
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
