[Discuss] free SSL certs from the EFF
Bill Horne
bill at horne.net
Sun Dec 7 14:02:25 EST 2014
On 12/5/2014 10:59 AM, Richard Pieri wrote:
> On 12/4/2014 11:42 PM, John Abreau wrote:
>> On the other hand, if you accept the bad guy's poisoned DNS data:
>
> Long story short: Joe is screwed either way. Or I am depending on who
> takes the fall. If someone is reprimanded or fired or even killed
> because a security system is working as designed? That's a terrible
> system.
>
No offense, but Joe might not have a choice: the hotel wants him to
click on a user agreement, and so the box they've bought will intercept
every DNS call and redirect it to their consent page before allowing Joe
to connect to the net. I can't say if that's going to happen at
Starbucks or [whereever], but it might.
I don't know if that agreement gives the hotel/mega-corp permission to
monitor emails as well as collect the click list, but MITM attacks
require Joe to agree to accept an invalid certificate at some point, and
it's possible to disable his ability to do so. End-to-end email
encryption would prevent any monitoring of the email, and a corporate
VPN would obviate the problem altogether. Some companies avoid the issue
altogether by entering fixed IP addresses in VPN scripts - the only
matching key is/should be at the VPN box/server, so there's no loss of
flexibility, and IP addresses are cheap enough if the company wants to
provide a backup. In any case, Joe's logs will verify that he made the
attempt.
Of course, theory and practice often differ in security, and we've all
met mister "JustDoItOrYou'reFired" who likes to tell us to break the
rules, but that isn't a technical problem. A well designed security
suite will give Joe the option of sending his reports by encrypting them
first with a few key clicks.
FWIW. YMMV.
Bill Horne
--
E. William Horne
339-364-8487
More information about the Discuss
mailing list