Thoughts on the SSL/TLS – Beast


It seems like every day there is some vulnerability or crack announced on the geek news outlets.

For some reason, the recent publication of an exploit of a flaw in some versions of the SSL/TLS implementation made me extra curious, and it made me think a little harder about this whole security business.

My basic premise for thinking about security is that disclosure is good. Disclosure in a moral fashion is even better.

I prefer it when the researchers (think scientists, but also your teen-in-basement-with-pizza-and-coke) figure out a vulnerability, notify the people and/or organizations behind the product, be it software or hardware, and give them some time to fix it.

If they decide not to fix it in a timely manner, I find it totally acceptable for the individual/organization to go public with it. Wanting to keep your friendly net-neighbor safe is an honorable thing in my mind.

Assuming that a solution becomes readily available, how long will it take before it goes into effect and has any real impact?

Apparently the flaw that BEAST™ exploits has been known to several people for a long time, but it was thought impractical to exploit, so many entities never forced the fix into their products and hence down to the end user.

This begs the question: if the people with the know-how choose not to make decisions with some steep consequences in order to improve security, how will the general end user ever even know about it? And if they don't know about it, there's no way they can help themselves in any way.

Even if you are a top-dog sysadmin, reading all the security-related material you can and being notified by several systems, something like this will never make it to your daily security inbox.

Vendors of all shapes and sizes, my plea to you is this: Make the right choices, even if something else breaks. Tell your users about why it breaks, and why you have made those choices.

As end users will never be as smart about security as you are, they will rely on you to make those choices, and in this day and age, I'm sure they will understand.

Video of the exploit in question.