Hi Lyal,

> I find a central issue that often reoccurs when discussing secure protocols
> is the definition of where the secure protocol starts and stops - the user,
> the application, or some underlying OS/functional library or network device?

Based on the context in which the discussion started, anything outside of MitM attacks and the certificate authentication that prevents them seems out of scope to me, but definitely valid points, as Jeremy mentioned.

> There are usually huge chasms between the business, legal and
> technical/security guru perspective on this - but in my experience these
> differences significantly influence purchase and implementation budget
> decisions.

I do agree with you, of course. All of these other things are prerequisite, and are almost always much more important to security than the crypto protocols are. This is why I HATE it when laymen say "I have a secure webserver". What they (almost always) really mean is "I have a webserver that runs SSL/TLS". A safe protocol is just the first step.

The reason I've gone off on such a tirade is that so many people use SSL all the time and do it completely wrong. They don't understand the PKI behind it, why they should trust it and how to keep it from being subverted. The key to implementing it correctly is to FIRST understand the PKI behind it (meaning administrator and user education), then work your way up from there (e.g. passwords/ACLs on endpoints, etc.).

cheers,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
