[Discuss] 19,000 person company passwords stolen via HTTPS
Rich Pieri
richard.pieri at gmail.com
Tue Oct 6 10:52:43 EDT 2015
The problem isn't encryption or lack thereof. The problem is that the
way we handle authentication is fundamentally broken. Centralized
authentication is literally an all eggs in one basket deal. Steal the
basket and you get all the eggs.
The problem is compounded by a bass-ackwards verification system. X.509
was designed for identifying individual users to a group of services --
that is, many users to a few centralized services. SSL and TLS do it
backwards, identifying a few centralized services to many users. It
requires blind trust that a few centralized authorities have not been
compromise, have not had their baskets of eggs stolen from them.
The problem is further compounded by the belief that encrypting
everything will save the world and make everything better. It won't.
Encrypting a broken authentication system and a bass-ackwards
verification system will not make them any less broken and bass-ackwards.
--
Rich P.
More information about the Discuss
mailing list