You can't secure what you don't acknowledge.SM

Sunday, November 8, 2009

The real deal with the SSL/TLS flaw

Over the past few days Twitter, security blogs, and news columns have been going crazy with the newly-discovered SSL/TLS flaw. Man, you'd think it's the next WEP exploit discovery. The security sky is falling...we must retreat.

Seriously, is this thing a big deal? Not in my opinion - at least not in all but 99.9% of any given situation. But what do I know? I'm just the security guy that sees network shares sharing out entire drives full of sensitive files, firewalls with default configurations and no passwords, smartphones without a trace of security enabled, laptops with supposedly "nothing of value" that end up having thousands PII records yet no semblance of drive encryption, database servers without passwords, physical security cameras and data center control systems with default passwords that anyone on the network can mess around, operating systems missing critical patches that are easily-exploited using free tools, Web sites/apps with gobs of XSS and weak authentication controls, and on and on and on and on.

If you want to pick nits and chase the rabbit down the infinite path of limited return, sure, it's a big deal. Otherwise, chances are you've much bigger issues on your hands.

No comments:

Post a Comment