The analogy offered by the IPCop FAQ is that use of SSL or SSH without good system protection is like using an armored car to move money to a bank that is made of cardboard.

Cheers,
Chris

Glossary:
IPCop is a Linux-based firewall system.
SSL is Secure Sockets Layer.
SSH is Secure Shell.
FAQ is Frequently Asked Questions.

Zot O'Connor wrote:

>A few points to add to the fray:
>
>1) Things like SSL are *minimum* steps. If a site does not even have
>SSL up and running, it tells me volumes about their *lack* of skill.
>Having it does not mean the credit card is not stored on a flat file
>available via network neighborhood, but it's a start.
>
>2) Even weak cryptography raises the bar phenomenally. I have done
>clean up jobs on boxes that had every single password for an ISP based
>on POP, FTP and telnet passwords. It was in a nice neat formatted
>file. Had the information been encrypted, it would have raised the bar.
>
>3) So bad encryption's worst problem is a false sense of security. Had
>the script kiddies in the box in #2 had an ssh cracker, ssl crack, or
>other, they would have had more passwords. The ISP *might* have noticed
>the load then.......
>
>So, does this mean you have to sprint out and replace all SSL right
>now? No. It should be included in all future maintenance and upgrades.
>
>You might want to check critical data flows, but I'd be more worried
>about data storage than transmission (if the transmission is encrypted).

This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:41:13 PDT