Re: Cert expired - SSL still working - what's the risk?



"fpjr843" <fpjr843@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F4ED5152-9565-4955-B06E-FE267693510C@xxxxxxxxxxxxxxxx

Looking for some feedback from the folks here that I can give to senior
management.

My employees use a web-based application that is hosted by one of our
partners. Staff enter confidential and sensitive information on this web
site. Yesterday the digital certificate expired and the site administrators
are not reacting very quickly to get it renewed. I, as "big I.T. security",
have blocked my employees from accessing the web site. But now the manager
of the program is painting me as the strong-handed big brother. It's
stopping productivity and business flow. I realize that even though the cert
expired, SSL is still working and encrypting the data. My sense is the only
thing lost by not having a valid cert is the ability to know for sure what
web site we are talking to. So what do you all think? Did I do the proper
thing by blocking access, or should I relax a little?

SSL provides a few key things:
1. Authentication of the server - a guarantee that the host of the site has
proven to the satisfaction of an entity you trust that they are entitled to
host that site.
2. Encryption of data. [Yes, this can be disabled, but that's generally
something only a developer would do when testing.]
3. Integrity of data - from start to finish, no data has been dropped or
re-ordered, and that the finish itself is the true finish of the data, and
it hasn't been truncated by an attacker forging a closure.
4. Optional authentication of the client.

So, yes, you have lost item 1, because the host has not been able to prove
its identity recently enough to satisfy the CA's requirements for regular
re-identification. If you're on an internal system accessing another
internal system through an internal network with addresses provided by
internal DNS servers, then you probably have little to worry about. [If that
doesn't sound like a ringing endorsement, it's deliberate.]

But what else do you lose, if you give your employees instructions on how to
ignore the security message and simply click through?

You will lose your employees' cooperation in the security of your system.

You will have _trained_ your employees that it's acceptable to ignore a
security warning, and to simply click straight through it.

You will have also trained your IT department that renewing certificates
is not an important task, and can be deferred, because "everyone just clicks
through anyway".

It's not the technical issue that is your biggest problem right now; it's
the fact that you're being asked to tell your users and your staff that
security warnings are unimportant and can be ignored. That's an awareness
campaign that will take hundreds of expensive security awareness posters and
training sessions over several years to counteract, if you ever can.

Alun.
~~~~
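The following is an added example, not code from either poster, that makes Alun's point 1 concrete: it runs the same checks a browser performs before showing the padlock (trusted issuer, validity window, hostname) against a constructed self-signed certificate that was issued a year ago and expired yesterday. The hostname, the dates, and the "today" clock are placeholders chosen for the demo; the certificate and key are generated in memory with Go's standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed server certificate for host whose validity
// window is [notBefore, notAfter]. Constructed demo data: the key and
// certificate are generated in memory and never leave the process.
func makeCert(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAt performs the three checks a browser does before it shows the
// padlock (trusted issuer, validity window, hostname) as of clock time now,
// and reduces the result to a short label.
func VerifyAt(cert *x509.Certificate, host string, now time.Time) string {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // for the demo, the self-signed cert is its own trust anchor
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	var hostErr x509.HostnameError
	switch {
	case err == nil:
		return "valid"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &hostErr):
		return "hostname mismatch"
	default:
		return "invalid: " + err.Error()
	}
}

// Outcomes reproduces the situation in the thread: a certificate issued a year
// ago that expired yesterday, checked a month ago, today, and against a
// different hostname. Dates and hostnames are constructed placeholders.
func Outcomes() (lastMonth, today, wrongHost string, err error) {
	now := time.Date(2024, time.June, 2, 12, 0, 0, 0, time.UTC) // placeholder "today"
	const site = "portal.partner.example"                        // placeholder hostname
	cert, err := makeCert(site, now.AddDate(-1, 0, 0), now.AddDate(0, 0, -1))
	if err != nil {
		return
	}
	lastMonth = VerifyAt(cert, site, now.AddDate(0, -1, 0)) // inside the validity window
	today = VerifyAt(cert, site, now)                       // one day past NotAfter
	wrongHost = VerifyAt(cert, "other.example", now.AddDate(0, -1, 0))
	return
}

func main() {
	lastMonth, today, wrongHost, err := Outcomes()
	if err != nil {
		panic(err)
	}
	fmt.Println("a month ago:", lastMonth)
	fmt.Println("today:      ", today)
	fmt.Println("other host: ", wrongHost)
}
```

The point the labels make is that expiry and a wrong hostname are reported by the same validation step: the date check is part of the server-authentication guarantee, not a separate nicety. Telling users to click through a browser warning is the manual equivalent of a client setting such as crypto/tls's InsecureSkipVerify, which skips VerifyAt entirely, hostname check included, rather than waiving only the expiry.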