BLU Discuss list archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] 19,000 person company passwords stolen via HTTPS
- Subject: [Discuss] 19,000 person company passwords stolen via HTTPS
- From: agabriel2 at gmail.com (Dr. Anthony Gabrielson)
- Date: Tue, 6 Oct 2015 16:48:22 -0400
- In-reply-to: <5613E03B.5060900@gmail.com>
- References: <BLUPR04MB369931CAF23BF8AD78B3003DC370@BLUPR04MB369.namprd04.prod.outlook.com> <5613E03B.5060900@gmail.com>
> On Oct 6, 2015, at 10:52 AM, Rich Pieri <richard.pieri at gmail.com> wrote: > > The problem isn't encryption or lack thereof. The problem is that the way we handle authentication is fundamentally broken. Centralized authentication is literally an all eggs in one basket deal. Steal the basket and you get all the eggs. You are describing one specific approach, not all authentication systems have the problem you outline. > The problem is compounded by a bass-ackwards verification system. X.509 was designed for identifying individual users to a group of services -- that is, many users to a few centralized services. SSL and TLS do it backwards, identifying a few centralized services to many users. It requires blind trust that a few centralized authorities have not been compromise, have not had their baskets of eggs stolen from them. > > The problem is further compounded by the belief that encrypting everything will save the world and make everything better. It won't. Encrypting a broken authentication system and a bass-ackwards verification system will not make them any less broken and bass-ackwards. It may not make everything better - but you will can cut down on the MiTM and increase the noise. Increasing the noise will go along way to make an adversaries job more difficult. Anthony
- Follow-Ups:
- [Discuss] 19,000 person company passwords stolen via HTTPS
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- [Discuss] 19,000 person company passwords stolen via HTTPS
- References:
- [Discuss] 19,000 person company passwords stolen via HTTPS
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- [Discuss] 19,000 person company passwords stolen via HTTPS
- From: richard.pieri at gmail.com (Rich Pieri)
- [Discuss] 19,000 person company passwords stolen via HTTPS
- Prev by Date: [Discuss] 19,000 person company passwords stolen via HTTPS
- Next by Date: [Discuss] Fwd: Hey FCC, Don't Lock Down Our Wi-Fi Routers | WIRED
- Previous by thread: [Discuss] 19,000 person company passwords stolen via HTTPS
- Next by thread: [Discuss] 19,000 person company passwords stolen via HTTPS
- Index(es):