On Fri, Aug 13, 2010 at 09:32:57AM -0700, Jeff Simmons wrote:
> It wouldn't surprise me if there's been some blowback from the
> adoption of PCI-DSS (Payment Card Industry Data Security
> Standards). As someone who has had to help several small to medium
> size businesses comply with these 'voluntary' standards, the irony
> of the fact that the big banks that require them often aren't in
> compliance themselves hasn't escaped my notice.

In the past month, we've had several customers at work suddenly
insist that we make modifications to their firewalls and/or load
balancers to redirect *all* incoming HTTP traffic to HTTPS (which of
course isn't always entirely sane to do on proxying devices, but
they apparently don't trust their server admins to maintain an HTTP
redirect). Most of them cited requirements from their PCI-DSS
auditors. One apparently was outright told that their redirects were
"a security problem" because they presented an open socket on port
80, and they needed to be refusing all HTTP to their servers at the
firewall. I think we gave them sufficient wording to convince their
auditor that blocking access to the redirect itself wasn't going to
do anyone any good.

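An added example, not from any message in this thread: a small Python checker that classifies what a host does on port 80 from its HTTP response, with constructed responses for the three situations discussed (a proper redirect, plaintext content served in the clear, and port 80 refused outright), plus a check for HSTS on the HTTPS side. The host name, header values and function names are assumptions made for the example.

```python
# Added example (not from the thread): classify what a site's port 80 does from a
# captured or constructed HTTP response, and check the HTTPS side for HSTS.
# Assumes headers are given as a dict with lower-cased header names.
import re
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def classify_port80(status, headers, request_host):
    """Return 'refused' (nothing answered on port 80), 'plaintext' (content
    served in the clear), 'redirect-ok' (permanent redirect to https on the
    same host), 'redirect-weak' (redirect that is temporary or not https),
    or 'other'."""
    if status is None:
        return "refused"            # what the auditor asked for: no socket at all
    loc = headers.get("location", "")
    if status in REDIRECT_CODES and loc:
        target = urlsplit(loc)
        if target.scheme != "https" or target.hostname != request_host:
            return "redirect-weak"  # bounces elsewhere, or still over HTTP
        if status not in (301, 308):
            return "redirect-weak"  # temporary: browsers will not remember it
        return "redirect-ok"
    if 200 <= status < 300:
        return "plaintext"          # the case a PCI review should actually care about
    return "other"

def hsts_max_age(https_headers):
    """Return the HSTS max-age (seconds) sent on the HTTPS side, or None.
    With HSTS set, a returning browser never issues the port-80 request at all,
    so the redirect only matters for first contact."""
    value = https_headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None

# Constructed sample responses for the three situations in the thread.
SAMPLES = {
    "redirect": (301, {"location": "https://shop.example/cart?id=3"}),
    "plain":    (200, {"content-type": "text/html"}),
    "blocked":  (None, {}),
}

def report(host="shop.example"):
    return {name: classify_port80(s, h, host) for name, (s, h) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:9s} -> {verdict}")
```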