Sunday, May 02, 2010

firewall-wizards Digest, Vol 49, Issue 1

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewall best practices (miedaner)


----------------------------------------------------------------------

Message: 1
Date: Sat, 1 May 2010 13:39:54 -0400
From: "miedaner" <miedaner@twcny.rr.com>
Subject: Re: [fw-wiz] Firewall best practices
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <DLEJKHFJGLFILMOIIBLPOEFFCPAA.miedaner@twcny.rr.com>
Content-Type: text/plain; charset="iso-8859-1"


>From my memory banks...

In the early days of the Internet there were two competing proposals to
allow secure transmission of data between two entities that did not know
eachother (no way to build trust exchange encryption keys and params) HTTPS
(aka SSL) SHTTP (aka Secure HTTP)

It is no coincidence that SSL was adopted given that Netscape was the
primary Wenserver in those days. At least that is what the ISP I was at
used in the 1990's. I personally thought SHTTP was a better at least on
paper.

SSL has been plagued with implementation problems for years. On top of the
implementation problems comes that fact that the trust is only good as the
signing CA AND what is in your browser. Beyond that a simple click by the
users can totally topple the entire trust hierarchy - oh well. And don't
forget that and virus can slide in a CA certificate into your browser - I
have written code that will slide a CA certificate into the broswer CA store
silently. Want to get scared, look at the list of CA's, Internediate
signers, etc. in your broswers certificate store.

No love for Verisign here, indeed I have questioned some of there practices.
They seem to really like to make money.

That being said SSL for good or bad helped facilitate E-Commerce for good or
bad. It is ubiquitous today.


ajm


"With all due respect to Paul and Marcus, SSL is NOT crappy! Most bugs
are implementation induced (openSSH or other less known) and the most
known SSL strip vulnerability is not a problem of SSL but rather a user
awareness issue, because if everyone payed attention to the 's' in https
on their browser, that attack wouldn't be so troublesome."


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 49, Issue 1
***********************************************

No comments:

Post a Comment