Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] 19,000 person company passwords stolen via HTTPS



> On Oct 6, 2015, at 10:52 AM, Rich Pieri <richard.pieri at gmail.com> wrote:
> 
> The problem isn't encryption or lack thereof. The problem is that the way we handle authentication is fundamentally broken. Centralized authentication is literally an all eggs in one basket deal. Steal the basket and you get all the eggs.

You are describing one specific approach, not all authentication systems have the problem you outline. 

> The problem is compounded by a bass-ackwards verification system. X.509 was designed for identifying individual users to a group of services -- that is, many users to a few centralized services. SSL and TLS do it backwards, identifying a few centralized services to many users. It requires blind trust that a few centralized authorities have not been compromise, have not had their baskets of eggs stolen from them.
> 
> The problem is further compounded by the belief that encrypting everything will save the world and make everything better. It won't. Encrypting a broken authentication system and a bass-ackwards verification system will not make them any less broken and bass-ackwards.

It may not make everything better - but you will can cut down on the MiTM and increase the noise. Increasing the noise will go along way to make an adversaries job more difficult.

Anthony



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org