Comments on: Circling Back Around on SSL

By: RiskAnalys.is

RiskAnalys.is — Thu, 29 Mar 2007 12:07:53 +0000

Whats Your Risk Style, Part II

So if we dont have the quality of data to use an objectivist approach to probability, that leaves two alternatives:
Donn Parkers no risk approach – where we dont acknowledge probability, frequency, or risk at all, or
A …

By: PaulM

PaulM — Wed, 28 Mar 2007 18:17:00 +0000

I can’t believe I’m agreeing with Pete Lindstrom, but here I am.

SSL, as it is implemented on the web, is next to useless.

Don’t throw the baby out with the bathwater, though. SSL, as implemented on corporate wireless networks via EAP-TLS, is good security, authenticating both endpoints to each other as well as users.

And I don’t know how “stuck” we are for those connections where we can influence both endpoints. SSL is easy and ubiquitous on the web, which is part of why it sucks there.

For point-to-point encryption where you can influence both endpoints, I think anything is on the table, even from a compliance perspective.

By: kurt wismer

kurt wismer — Wed, 28 Mar 2007 16:54:07 +0000

“The question at hand is, if SSL were removed would it increase the number of attacks/exploits against a website? ”

i suspect it would decrease the number of attacks against a website…

why do people attack websites? what are attackers trying to get? if they’re trying to get confidential information that people enter into websites then when it suddenly becomes possible to snatch that information right out of the network during transit there won’t be much need to attack the website anymore…