[Discuss] free SSL certs from the EFF

[bill at horne.net (Bill Horne)]

On 12/5/2014 10:59 AM, Richard Pieri wrote:
> On 12/4/2014 11:42 PM, John Abreau wrote:
>> On the other hand, if you accept the bad guy's poisoned DNS data:
>
> Long story short: Joe is screwed either way. Or I am depending on who 
> takes the fall. If someone is reprimanded or fired or even killed 
> because a security system is working as designed? That's a terrible 
> system.
>

No offense, but Joe might not have a choice: the hotel wants him to 
click on a user agreement, and so the box they've bought will intercept 
every DNS call and redirect it to their consent page before allowing Joe 
to connect to the net. I can't say if that's going to happen at 
Starbucks or [whereever], but it might.

I don't know if that agreement gives the hotel/mega-corp permission to 
monitor emails as well as collect the click list, but MITM attacks 
require Joe to agree to accept an invalid certificate at some point, and 
it's possible to disable his ability to do so. End-to-end email 
encryption would prevent any monitoring of the email, and a corporate 
VPN would obviate the problem altogether. Some companies avoid the issue 
altogether by entering fixed IP addresses in VPN scripts - the only 
matching key is/should be at the VPN box/server, so there's no loss of
flexibility, and IP addresses are cheap enough if the company wants to 
provide a backup. In any case, Joe's logs will verify that he made the 
attempt.

Of course, theory and practice often differ in security, and we've all 
met mister "JustDoItOrYou'reFired" who likes to tell us to break the 
rules, but that isn't a technical problem. A well designed security 
suite will give Joe the option of sending his reports by encrypting them 
first with a few key clicks.

FWIW. YMMV.

Bill Horne

-- 
E. William Horne
339-364-8487