Re: is ssl secure enough ?

From: S. Pidgorny (
Date: 06/21/05

Date: Tue, 21 Jun 2005 21:22:52 +1000


What's good enough for the banks is good enough for you: wrong.

SSL with two-factor authentication is generally a well accepted, industry
standard design: yes. Look at SSL VPNs and the security features in them to
find out about the industry direction.

If I were hired to implement OWA, that would be quickly done, $66 an hour
(*), thanks very much. If I'm hired as a security architect, I must make it
clear to the business that accessing e-mail infrastructure from public,
potentially compromised, potentially designed-to-compromise endpoints will
potentially lead to full compromise of the user's mailbox. I will offer
options then and let the business decide. Dual-factor authentication will be
a must, and I have a strong preference for smart cards as opposed to OTP.
Accessing e-mail from a secure application sandbox (offered by various SSL
VPN vendors and Citrix) gives more security than just using a browser. Access
from mobile devices is an attractive option for business, considering the
wide availability of Server ActiveSync - and BlackBerry is good if you need
just e-mail and calendar on the way. They have to run a project - will the
scope be limited to e-mail access from unmanaged clients, or does it make
sense to implement infrastructure that can be reused for, say, partner access
or line-of-business applications? For a CIO, accessing the CEO's e-mail from
a Coney Island Beach internet cafe would be the last priority, that's for
sure.

Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
(*) All figures and scenarios are fictitious and have little to do with my
current and past employment at Whatever-500 companies.
"James Butler" <> wrote in message
> So what you are saying is that if a bank or a big company hired you to
> implement an SSL encrypted OWA, you would refuse flatly to do the job on the
> basis that their design is insecure? What would you recommend?
> Banks are still and will continue to use SSL based encryption; they are all
> now considering a 2 factor based authentication for all their customers on
> top of the SSL.
> If it's good enough for the banks, my friend, tell me why it isn't good
> for you? And what would you provide as a replacement design for them? Are
> you going to suggest they should roll out mobile devices to all their
> customers? I don't know who you bank with, but my bank would simply tell me
> where to go. It's hard enough trying to get them not to charge me 25.00 for
> each letter they send me for my late loan payments.
> Telling banks to roll out mobile devices would be like telling my local
> Chinese restaurant manager that I want a free meal. Get real my friend,
> come down to earth. SSL with two factor authentication is generally a well
> accepted, industry standard design. There are some cases or requirements
> where mobile devices are not acceptable. So saying I'm not right without
> elaboration simply doesn't cut it.
> On 20/6/05 11:19 am, in article #UFdnGYdFHA.612@TK2MSFTNGP12.phx.gbl, "S.
> Pidgorny <MVP>" <> wrote:
> > You are not right - but I still prefer not to access corporate
> > infrastructure from untrusted and potentially hostile endpoints. Even if
> > you're using two-factor authentication (guess in your case that's one of
> > the proprietary one-time password generators, right?), you are still
> > the session. That's fine in most cases (secrets are just not there or the
> > sensitivity of information is greatly exaggerated) but in some cases it is
> > not. Mobile devices are ubiquitous nowadays so I don't see much need for
> > Internet kiosks accessing my network anyway.
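The thread's two claims - that a one-time password does not protect the session once the endpoint is compromised, and that a smart card is preferable to an OTP generator - can be made concrete with a small simulation. The following is an added example written for this page, not code from either poster and not Exchange/OWA: a toy webmail front end that authenticates with a password plus HOTP (RFC 4226) and then issues a bearer session token. The `client_cert_fp` parameter is an assumption standing in for TLS client authentication with a smart-card certificate; the secrets, the password, the fingerprint string and the mailbox contents are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo secrets; real deployments provision these per user/token.
OTP_SECRET = b"12345678901234567890"   # RFC 4226 Appendix D test secret
USER_PASSWORD = "correct horse"
SMARTCARD_CERT_FP = "sha256:constructed-fingerprint-of-user-smart-card-cert"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class ToyMailServer:
    """Toy webmail front end (not Exchange/OWA): password + HOTP, then a bearer session.

    With bind_sessions=True the session is tied to the client certificate
    fingerprint seen at login, standing in for TLS client authentication with a
    smart card (assumption: the server can observe that fingerprint per request).
    """

    def __init__(self, bind_sessions: bool):
        self.bind_sessions = bind_sessions
        self.next_counter = 0    # next HOTP counter the server will accept
        self.sessions = {}       # token -> bound cert fingerprint, or None

    def login(self, password, otp, client_cert_fp=None):
        if not hmac.compare_digest(password, USER_PASSWORD):
            return None
        if not hmac.compare_digest(otp, hotp(OTP_SECRET, self.next_counter)):
            return None
        self.next_counter += 1   # code consumed: a keylogged OTP cannot be replayed
        token = secrets.token_hex(16)
        self.sessions[token] = client_cert_fp if self.bind_sessions else None
        return token

    def fetch_mailbox(self, token, client_cert_fp=None):
        if token not in self.sessions:
            return None
        bound_fp = self.sessions[token]
        if bound_fp is not None and bound_fp != client_cert_fp:
            return None          # token presented over a channel without the card
        return ["Q2 forecast.xlsx", "board minutes"]   # constructed mailbox content


def kiosk_scenario(bind_sessions: bool) -> dict:
    """User logs in from a compromised kiosk; malware there harvests everything it sees."""
    server = ToyMailServer(bind_sessions)
    otp = hotp(OTP_SECRET, server.next_counter)     # read off the user's OTP token
    token = server.login(USER_PASSWORD, otp, SMARTCARD_CERT_FP)
    harvested = {"password": USER_PASSWORD, "otp": otp, "token": token}

    # 1. Attacker replays the keylogged password + OTP from their own machine.
    otp_replay = server.login(harvested["password"], harvested["otp"], None)
    # 2. Attacker replays the stolen session token from their own machine (no card).
    hijack = server.fetch_mailbox(harvested["token"], None)
    # 3. Malware acting on the kiosk itself while the user is logged in, card inserted.
    on_kiosk = server.fetch_mailbox(harvested["token"], SMARTCARD_CERT_FP)

    return {
        "otp_replay_accepted": otp_replay is not None,
        "token_hijack_accepted": hijack is not None,
        "on_kiosk_accepted": on_kiosk is not None,
    }


if __name__ == "__main__":
    print("OTP only:        ", kiosk_scenario(bind_sessions=False))
    print("OTP + card-bound:", kiosk_scenario(bind_sessions=True))
```

The OTP itself is never replayable (case 1), which is what the second factor buys. With a bearer session (case 2, `bind_sessions=False`) the stolen token works from anywhere, so OTP plus SSL does not protect the session. Binding the session to the smart card's certificate closes case 2, but case 3 is accepted in both configurations: code running on the endpoint while the user is logged in still reads the mailbox, which is the residual risk of any access from an untrusted client.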
