It is hard to ignore the recent news about government-sponsored
    internet surveillance campaigns, which are alleged to involve
    decrypting SSL traffic. In light of this news, should you do
    anything differently? Does it matter to your network and how? Even
    if today only a small group possesses the knowledge and resources to
    decrypt SSL, chances are that this secret will leak like so many and
    the resources required to apply the techniques will only get cheaper
    and in turn become available to well-funded adversaries like
    organized crime. The information once decrypted may also be at risk
    of being compromised by anyone who compromised the organization
    that now holds the data. So does it matter?

First of all, I don't think there is "proof" at this point that SSL
    in itself has been broken. SSL and the encryption algorithms it
    negotiates have seen many implementation issues in the past, and it
    is fair to assume that broken implementations, bad random number
    generators and sub-optimal configurations make breaking "real life"
    SSL a lot easier than it should be based on the strength of the
    underlying algorithms. Additionally, in many high-profile attacks,
    SSL wasn't the problem. The endpoint or the SSL infrastructure was
    compromised instead and as a result, the encryption algorithm didn't
    matter.

  via [1]ISC Diary | SSL is broken. So what?.
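The diary entry's point that sub-optimal configurations weaken "real life" SSL far more than the algorithms do is easiest to act on at the client or server configuration. The following is an added example, not code from the ISC Diary or from this blog, showing how a defender can audit a Python `ssl.SSLContext` for the weak settings the quote alludes to: an old minimum protocol version, TLS compression left on, and certificate or hostname verification switched off. The `lax_context`/`hardened_context` helpers and the finding strings are this example's own constructions; the `ssl` module calls are standard library.

```python
import ssl

# Cipher-name fragments that indicate a legacy or null cipher suite.
# The list is an assumption of this example, not a complete policy.
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "MD5", "EXPORT")


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of human-readable findings for weak TLS settings.

    An empty list means none of the checks below fired.
    """
    findings = []

    # Old protocol versions (SSLv3, TLS 1.0/1.1) are where many of the
    # historical "SSL is broken" attacks live; require TLS 1.2 or newer.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS older than 1.2")

    # TLS-level compression leaks plaintext length (CRIME); it should be off.
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS compression is not disabled")

    # Without certificate verification the "SSL infrastructure" is not
    # checked at all and any interposed endpoint is accepted.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required")

    # A valid certificate for the wrong name is still the wrong endpoint.
    if not ctx.check_hostname:
        findings.append("hostname verification is disabled")

    # Flag legacy cipher suites if the build still offers any of them.
    for cipher in ctx.get_ciphers():
        name = cipher["name"].upper()
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite offered: {cipher['name']}")

    return findings


def lax_context() -> ssl.SSLContext:
    """Constructed example of the kind of configuration that should fail."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.options &= ~ssl.OP_NO_COMPRESSION      # re-enable compression
    ctx.check_hostname = False                 # must be cleared first ...
    ctx.verify_mode = ssl.CERT_NONE            # ... before disabling verify
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Constructed example of a configuration that passes every check."""
    ctx = ssl.create_default_context()         # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


if __name__ == "__main__":
    for label, ctx in (("lax", lax_context()), ("hardened", hardened_context())):
        findings = audit_context(ctx)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Running the script prints the findings for the deliberately weak context and none for the hardened one. The same `audit_context` function can be pointed at whatever context an application actually builds, which is a more useful check than reading the configuration by eye, since defaults differ between Python and OpenSSL versions.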
    __________________________________________________________________

  My original entry is here: [2]ISC Diary | SSL is broken. So what?. It
  was posted Tue, 10 Sep 2013 00:09:12 +0000.
  Filed under: encryption, InfoSec, SSL

References

  1. https://isc.sans.edu/diary/SSL+is+broken.+So+what%3F/16529
  2. https://www.prjorgensen.com/2013/09/09/isc-diary-ssl-is-broken-so-what/