Re: CRIME Re: cryptography

From: Chris Tilt (chris@private)
Date: Thu Apr 18 2002 - 22:03:39 PDT


    The analogy offered by the IPCop FAQ is that use of SSL or SSH without good
    system protection is like using an armored car to move money to a bank that is
    made of cardboard.
    
    Cheers, Chris
    
    Glossary:
    IPCop is a Linux-based firewall system. SSL is Secure Sockets Layer.
    SSH is Secure Shell. FAQ is Frequently Asked Questions.
    
    Zot O'Connor wrote:
    
    >A few points to add to the fray:
    >
    >1)  Things like SSL are *minimum* steps.  If a site does not even have
    >SSL up and running, it tells me volumes about their *lack* of skill. 
    >Having it does not mean the credit card is not stored on a flat file
    >available via network neighborhood, but it's a start.
    >
    >2)  Even weak cryptography raises the bar phenomenally.  I have done
    >clean up jobs on boxes that had every single password for an ISP based
    >on POP, FTP and telnet passwords.  It was in a nice neat formatted
    >file.  Had the information been encrypted, it would have raised the bar.
    >
    >3)  So bad encryption's worst problem is a false sense of security.  Had
    >the script kiddies in the box in #2 had an ssh cracker, ssl crack, or
    >other, they would have had more passwords.  The ISP *might* have noticed
    >the load then.......
    >
    >So, does this mean you have to sprint out and replace all SSL right
    >now?  No.  It should be included in all future maintenance and upgrades.
    >
    >You might want to check critical data flows, but I'd be more worried
    >about data storage than transmission (if the transmission is encrypted).
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:41:13 PDT