Tuesday, March 27, 2007


I haven't attacked anybody on my blog for a long time... too long, some would say. And along came an anti-SSL post from Pete Lindstrom, which, in my world, falls under the "come on, nobody is that dumb... oh, wait" category.

Most of the points made there sound more like "SSL is not enough"; only one point is genuinely anti-SSL. Here it is:

"2) The threat model for sensitive Web data has never been one of sniffing traffic. There are still way too many accessible websites for this to be the case."

Won't SSL be one of the reasons for this? I did say that not using encryption when it is easy and accepted is a mistake, and SSL is a perfect example. Indeed, much more data is stolen while in stored state and in bulk, but I would venture a guess that almost nobody would sniff for credit card numbers after compromising a web server, precisely because SSL is commonplace...

More fun discussion is here and here.

Dr Anton Chuvakin