Got something to say?

July 10, 2007

Cert debate

Two experts, I assume they are, to have opinions printed in a magazine I regard very highly (it's one of the few I actually subscribe to), weighing in on "high assurance" certs [April 2007, Debate], the abomination formerly known as EV SSL, both correct, and both missing or avoiding the obvious: It's not only a marketing "thingy," it's just a cash cow...a search for a new revenue stream.

In addition to being tagged as "certifiably useless," based on a Stanford study that concluded, "The only real information a user will get from an EV certificate is that a particular website ponied up extra cash to get one," there are obvious questions that we should all ask: What is the definition of a Trusted Third Party Certificate Authority?

Was it simply for secure communications? Hogwash. It takes two or three clicks of the mouse to install a private certificate authority (CA) in IIS (likely just as simple for all other platforms), and we can all have encrypted traffic flowing.

Wasn't it so that we could have some third party who we could trust? Was it technology that failed or was it the process? Methinks it's the latter. So will a "product" solve a process issue or is the process, in fact, the new product? But the "process" was their whole point for being, wasn't it?

Scott Harris: "...Ignorance or inattentiveness...we were all teaching...the yellow padlock." Exactly, and confusing the issue even more with a green padlock doesn't help. What's next, a padlock wrapped in chains — an "even better SSL," or perhaps encased in barbed wire for "the ultimate SSL"? Sigh....

OK, so one study by Stanford shouldn't be taken as the ultimate source of information. Fine, if we really want EV SSL to "cure" phishing, it's simple. Stop selling "legacy" SSL certs. Then you'll have more credibility, and no confusion, since no one can have a "padlock" (of any color) without being validated properly. Only legitimate businesses can have a "padlock." Add some accountability, like offering some guarantee to the consumer if for some reason an illegitimate business manages to obtain a cert. Offer the same "insurance" provided to the cert holders.

Then we can all join Scott Harris to "encourage (even teach) to only do business with sites that have a padlock," not green, not yellow nor white, just a padlock.

When cert providers do that, I'll stop calling it a cash grab.

Sorry, if the excuse is "what about the smaller people?"

What about them? Validate them, give tiered pricing, period. We don't need a green bar for that to happen.

Ed,
via email


Conflict of interest?

I am writing with reference to the response by Mr. Blane Perry from the Enterprise office of the State of Michigan regarding his scathing and illusory accusations relating to Razor Threat and Dr. Stephenson [Letters, May]. Mr. Perry is obviously not in touch with reality and should concentrate on the problems with the state's enterprise and not on writing fictional responses to something he has no familiarity with.

Mr. Perry appears enamored with fabricating fictional data on highly credible inventors and entrepreneurs that this state so desperately needs. Mr. Perry is unable to realize the value which this new and exclusive product provides to the industry. Instead, he has decided to bash ingenuity and criticize intelligence that could assist this floundering state in protecting its information system assets and the personal information for those citizens that have decided to stay here. Not to mention the many jobs this product could ultimately create right here in Michigan.

D.C. Hoover,
CEO, ASI Consulting Group


Big manage on campus

Just read your article about the University of Colorado hacking incident [scmagazine.com, "Hackers exploit unpatched flaw, disabled firewall to access personal info of 45,000 University of Colorado students," May 23]. What caught my attention was the finger pointing at the "smaller IT staff 'with more general sets of responsibilities' than the university's central IT department." The reality is network security technology has gotten really complex and tends to be outside the purview of most but the Fortune 2000 IT departments. Rather than trust/blame the often overtaxed internal human resources that lack the required expertise, organizations like the University of Colorado should take a hard look at outsourcing to a managed service provider (MSP) that specializes in network security. It's simply unrealistic and unfair to expect small IT departments to cover and manage all the nuances of network security.

Ray George
via email


Use of SSNs

Regarding your article, "After myriad data breaches, feds to cut use of Social Security numbers" [scmagazine.com, May 24], if it weren't so serious and hurting so many people, I'd find this whole thing deliciously ironic. If my memory serves me, the original enabling legislation for the social security system [Social Security Act, August 1935] explicitly forbade using the SSN as an identifier for anything except U.S. Social Security Administration interactions. Later, that was either ignored or amended and the SSN became the de facto national identifier. Et voilà! Here we are.

Doug "Lefty" Franklin,
NutDriver Racing

- The opinions expressed in these letters are not necessarily those of SC Magazine.
