[Discuss] 19,000 person company passwords stolen via HTTPS
Dr. Anthony Gabrielson
agabriel2 at gmail.com
Tue Oct 6 16:48:22 EDT 2015
> On Oct 6, 2015, at 10:52 AM, Rich Pieri <richard.pieri at gmail.com> wrote:
>
> The problem isn't encryption or lack thereof. The problem is that the way we handle authentication is fundamentally broken. Centralized authentication is literally an all eggs in one basket deal. Steal the basket and you get all the eggs.
You are describing one specific approach, not all authentication systems have the problem you outline.
> The problem is compounded by a bass-ackwards verification system. X.509 was designed for identifying individual users to a group of services -- that is, many users to a few centralized services. SSL and TLS do it backwards, identifying a few centralized services to many users. It requires blind trust that a few centralized authorities have not been compromise, have not had their baskets of eggs stolen from them.
>
> The problem is further compounded by the belief that encrypting everything will save the world and make everything better. It won't. Encrypting a broken authentication system and a bass-ackwards verification system will not make them any less broken and bass-ackwards.
It may not make everything better - but you will can cut down on the MiTM and increase the noise. Increasing the noise will go along way to make an adversaries job more difficult.
Anthony
More information about the Discuss
mailing list