Slashdot Mirror


SSL Still Mostly Misunderstood, Even By the Pros

An anonymous reader writes "People still don't understand SSL. This isn't much of a surprise... no one expects that grandma and grandpa know what SSL is and what it does. What is surprising and downright scary is that most IT professionals don't understand SSL, and many consider it to be the be-all, end-all of security in their organization. With all the tools out there to manipulate SSL connections, and the browser vendors unable to settle on a single method of showing if a site is secured by SSL or not, is it any wonder that no one gets it?"

7 of 292 comments

  1. You're doing it wrong by QuantumG · · Score: 4, Informative

    If you want to write a pretentious article about how people don't understand security of the interwebs, at least get the name right. That's right, SSL hasn't been considered "secure" for at least a decade.

    --
    How we know is more important than what we know.
    1. Re:You're doing it wrong by something_wicked_thi · · Score: 5, Informative

      If you want to write a pretentious response to a pretentious article, try reading the source you're linking to. SSL v2 hasn't been secure for a while, but SSL v3 is fine.

    2. Re:You're doing it wrong by muckracer · · Score: 3, Informative

      > Even SSL was handicapped for years by the USA's insane 80-bit limit for SSL
      > in exported software.

      It was 40-bits. Agree with your point...just sayin'.

  2. You didn't get it right either... try "HTTPS" by WD · · Score: 4, Informative

    The correct term is "HTTPS". HTTPS, which can use various versions of SSL or TLS, is still mostly understood. Even by the pros.

  3. Re:and WHY doesn't Slashdot use HTTPS? by pjt33 · · Score: 5, Informative

    How would HTTPS help? You'll still probably do an unencrypted DNS lookup for idle.slashdot.org.

  4. Bug 215243 by tepples · · Score: 5, Informative

    By the way I use cacert to generate my certificates; it should be included in the default Firefox certification authorities list. I suspect there is money involved in getting into that list though.

    CAcert failed a DRC audit. Bug 215243 comment 158 has the details.

  5. Re:As usual, no one wants to be the leader. by Chrisq · · Score: 3, Informative

    In general Java devs know ZIP about anything outside of a JAR file.

    They may not even know that JAR files are ZIP format.