Slashdot Mirror

← Back to Stories (view on slashdot.org)

Father of SSL Talks Serious Security Turkey

Posted by Unknown on from the trust-me-i-invented-a-cipher-system dept.

coondoggie writes with an excerpt from a Network World article: "SSL/TLS, the protocol that protects security of e-commerce, has taken a beating lately, with news items ranging from the violation of certificate authorities to the discovery of an exploit that beats the protocol itself. But despite the exploit ... and the failures of certificate authorities such as Comodo and DigiNotar that are supposed to authenticate users, the protocol has a lot of life left in it if properly upgraded as it becomes necessary, says Taher Elgamal, CTO of Axway and one of the creators of SSL."

10 of 74 comments (clear)

  1. Who needs SSL? by Anonymous Coward · · Score: 2, Funny

    I don't have anything to hide!

    1. Re:Who needs SSL? by wsxyz · · Score: 2

      I suppose then the fact that you have nothing to hide would be something to hide.

    2. Re:Who needs SSL? by cos(0) · · Score: 2

      That's not very bright—assuming you're this card's owner, and the info is correct. This info will now come up on a cursory Google search, and if your credit provider learns that you wilfully published this info, they'll close your account because you've violated the cardholder agreement. The law that provides for reimbursement of unauthorized charges does not extend to people shouting their credit card info from the rooftops and expecting a bailout later.

  2. It does its job by faldore · · Score: 2

    I am more worried about my ISP packet sniffing my traffic than a black hat.
    As long as the SSL is good enough to keep my ISP ignorant, it's good enough for me.

  3. Re:Isn't the exploit for an old version of TLS? by magamiako1 · · Score: 2

    In Windows land:

    IIS 7.5 (2008R2) and at least Windows 7 are required to support TLS 1.1 and 1.2.

    In Linux Land:

    Apache's mod_ssl does not support TLS 1.1 and 1.2, you need to use mod_gnutls, which is not default on many webservers.

  4. tl;dr: new trust model rumor by colfer · · Score: 2

    He hears rumors in Calif. of a new trust system to complement PKI. That's all he will say when the interviewer questions him repeatedly about a solution to the problem he goes on at length about: that browsers have PKI roots built in. I agree it's a terrible system, but asking the clueless user to select trusted roots would have its own problems, in, say, Iran. Or more precisely, clueless users in the US make it hard to deploy a system for careful users in Iran. The UI has to be both easy & difficult.

  5. With all these different browser versions... by Synerg1y · · Score: 3, Interesting

    Why do none support TLS 1.1, firefox is releasing new versions of its browser on an insane schedule, IE is on version 9, chrome is moving along, yet no tls 1.1? Is there something I'm missing here?

    Of all the useless features they've implemented in the past year, why not secure the browser? I remember when firefox was proud of it's security.

    Then again good luck replacing ssl, what are viable alternatives? Pointless discussion if there aren't any...

    Also read carefully about BEAST, it's not a remote exploit, so you can't just click and choose the stream you want to sniff, it's a ways more complicated and requires a high level of trust on the compromised machine.

    1. Re:With all these different browser versions... by AK+Marc · · Score: 2

      I checked the Opera I'm using and it allows me to use TLS 1, TLS 1.1, and TLS 1.2, and I can even disable the older ones to make sure I didn't auto-failback to an insecure TLS. Just because Firefox/IE doesn't do it doesn't mean it's not already out there in a free browser.

      --
      Learn to love Alaska
    2. Re:With all these different browser versions... by DrXym · · Score: 2

      It's a chicken and egg issue and one that browsers need to force. If the major browser vendors were to multilaterally declare that sites had a 18 month period of grace to support TLS 1.1 / 1.2 after which SSL 3.0 and TLS 1.0 would default to off, then you can sure as hell bet things would start kicking up a gear. Meanwhile browser vendors need to actually implement TLS 1.1 and 1.2 so they can give sites something to test against.

  6. Pledging for automatic updates? by praseodym · · Score: 2
    The guy is pledging for automatic updates:

    We have to build a mechanism to automatically update things. We did not do that. The right way to design, if we were to update things an updating protocol that automatically updates itself so when the next version comes up it knows where to find the next version rather than having to wait for a Windows update or whatever.

    Actually, newer windows versions (Vista and later) use Microsoft's online Certificate Trusts Lists which allows exactly this. Microsoft revoked the DigiNotar certificate without issuing a real Windows update:

    On August 29, 2011, Microsoft removed the trust from one DigiNotar root certificate by updating the Microsoft CTL. Why is Microsoft releasing an update? Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certification authority. Windows XP and Windows Server 2003 do not use the Microsoft Certificate Trust List to validate the trust of a certification authority. As a result, an update is needed for all editions of Windows XP and Windows Server 2003 to protect customers.

    (http://technet.microsoft.com/en-us/security/advisory/2607712)