Re: is ssl secure enough ?
From: S. Pidgorny
Date: Tue, 21 Jun 2005 21:22:52 +1000
What's good enough for the banks is good enough for you: wrong.
SSL with two factor authentication is generally a well accepted, industry
standard design: yes. Look at the SSL VPNs and security features in those to
find out about industry direction with those.
If I was hired to implement OWA, that would be quickly done, $66 an hour
(*), thanks very much. If I'm hired as a security architect, I must make it
clear to the business that accessing e-mail infrastructure from public,
potentially compromised, potentially designed to compromise will potentially
lead to full compromise of the user's mailbox. I will offer options then and
let the business decide. Dual-factor authentication will be a must and I
have strong preference of smart card, as opposed to OTP. Accessing e-mail
from a secure application sandbox (offered by various SSL VPN vendors and
Citrix) gives more security than just using browser. Access from mobile
devices is an attracvtive option for business, considering wide availability
of Server ActiveSync - and Blackberry is good if you need just e-mail and
calendar on the way. They have to run a project - will the scope be limited
to e-mail access from unmanaged clients, or it makes sense to implement
infrastructure that can be reused for say partner access or line-of-business
applications? Far a CIO, accessing CEO's e-mail from a Coney Island Beach
internet cafe would be the last priority, that's for sure.
-- Svyatoslav Pidgorny, MS MVP - Security, MCSE -= F1 is the key =- (*) All figures and scenarios are fictitious and have little to do with my current and past employment at Whatever-500 companies. "James Butler" <firstname.lastname@example.org> wrote in message news:BEDCABBC.48A4email@example.com... > So what you saying is that if a bank or a big company hired you to implement > an SSL encrypted OWA. You would refuse flatly to do the job on the bases > that their design is insecure? What would you recommend? > > Banks are still and will continue to use SSL based encryption, they are al l > now considering a 2 factor based authentication for all their customers on > top of the SSL. > > If its good enough for the banks, my friend tell me why it isn't good enough > for you? And what would you provide as a replacement design for them? Are > you going to suggest they should roll out Mobile devices to all their > customers. I don't know who you bank with, but my bank would simply tell me > where to go. it's hard enough trying to get them not to charge me 25.00 for > each letter they send me for my late loan payments. > > > Telling banks to roll out mobile devices would be like telling my local > Chinese restaurant manager that I want a free meal. Get real my friend, > come down to earth. SSL with two factor authentication is generally a well > accepted, industry standard design. There are some cases or requirement > where mobile devices is not acceptable. So say I''m not right without > elaboration simply doesn't cut it. > > On 20/6/05 11:19 am, in article #UFdnGYdFHA.612@TK2MSFTNGP12.phx.gbl, "S. > Pidgorny <MVP>" <firstname.lastname@example.org> wrote: > > > You are not not right - but I still prefer not to access corporate > > infrastructure from untrusted and potentially hostile endpoints. Even if > > you're using two-factor authentication (guess in your case that's one of the > > proprietary one-time password generators, right?), you are still exposing > > the session. That's fine in most cases (secrets are just not there or > > sensitivity of information is greatly exaggerated) but in some cases it is > > not. Mobile devices are ubiquitous nowadays so I don't see much need for > > Internet kiosks accessing my network anyway. >