Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] 19,000 person company passwords stolen via HTTPS

The problem isn't encryption or lack thereof. The problem is that the 
way we handle authentication is fundamentally broken. Centralized 
authentication is literally an all eggs in one basket deal. Steal the 
basket and you get all the eggs.

The problem is compounded by a bass-ackwards verification system. X.509 
was designed for identifying individual users to a group of services -- 
that is, many users to a few centralized services. SSL and TLS do it 
backwards, identifying a few centralized services to many users. It 
requires blind trust that a few centralized authorities have not been 
compromise, have not had their baskets of eggs stolen from them.

The problem is further compounded by the belief that encrypting 
everything will save the world and make everything better. It won't. 
Encrypting a broken authentication system and a bass-ackwards 
verification system will not make them any less broken and bass-ackwards.

-- 
Rich P.
BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix / webmaster@blu.org