Comments on: Has SSL Outlived its Usefulness? (Which it never really had…)

By: Spire Security Viewpoint

Spire Security Viewpoint — Wed, 28 Mar 2007 01:28:42 +0000

Circling Back Around on SSL

There’s been some constructive feedback out there on my points about SSL. Practically speaking, it doesn’t matter whether SSL is protecting us or not since auditors and regulators typically expect it. Therefore, it doesn’t really matter what we (I) thi…

By: .:Computer Defense:.

.:Computer Defense:. — Tue, 27 Mar 2007 02:56:52 +0000

SSL == Useless

Pete Lindstrom posted over on the Spire Security Viewpoint asking, and answering, the question Has SSL Outlived its Usefulness. He made the following four statements:
1) Users read way too much into its functional value.
2) The thr…

By: Michael R. Farnum

Michael R. Farnum — Mon, 26 Mar 2007 04:41:59 +0000

1) Agreed
2) Might the model shift without SSL?
3) Kinda confused there (not hard to do with me).
4) If you are going to have ISP’s block it, then I can maybe see your argument. But if not, taking it away from the good guys does not keep bad guys from using it.

By: Pete

Pete — Sun, 25 Mar 2007 17:48:54 +0000

@Mark – thanks for the clarification. So, does that mean you agree with me?

By: Mark Curphey

Mark Curphey — Sun, 25 Mar 2007 16:47:21 +0000

On point 4, I think its also worth discussing how SSL is being used by malware. A valud cert does nothing but validate who someone is, it doesn’t (at least without human intervention) decide if you should trust the person or host. Getting a valid cert is not hard and therefore installing malware over SSL and avoiding the spyware sniffers if also becoming more common.