This is not a new threat or attack. It's been well known for years (http://blogs.adobe.com/stateofsecurity/2007/11/dont_be_ssly.html for example). Hence proposals like ForceHTTPS (https://crypto.stanford.edu/forcehttps/) or some sort of DNSSEC-related solution.
That's pretty moronic. Anyone who works in software security (and has a clue) would never put themselves in a position of being personally liable for certifying a piece of software as being "secure".
Likewise, security consulting companies generally only issue "verifiable statements" regarding the software they evaluate. Such statements can include things like "passwords are not stored in plaintext", or "all network traffic is encrypted with SSL". No company with a clue would risk its business on a blanket guarantee that a piece of software is "secure". That's because there is no way to verify a given application is "secure" in the absolute sense anyway.
Yet Mr Schmidt expects developers to certify as such. He clearly has no clue. While he's at it he should demand that automotive engineers certify their cars will never break down, and that police be held personally liable for failing to prevent a crime.