Insecurity in WWW oriented security
I wanted to share an experience with folks on the list that points to the relavince of what c'punks have been doing looking at the Web encryption & security issues like we have. I was approached by a headhunter yesterday who wanted me to do the security for a hospital connected to the net. Straightforward stuff one would think. My inital reaction was fairly positive, and I responded that I didn't think I would have much trouble with the task as long as they had a resonable setup internaly etc. etc. (I'm not a big beliver in hard & crunchy -> soft & chewey when your accounting or other critical data is part of what can be chewed up...) Well at that point it got interesting. He told me that said client was asking as a part of their requirments that they be able to do "Secure transactions using HTML & Netscape". My reaction was somwehere allong the lines of "What do they mean by `secure transactions'!! Are they aware that the state of encryption for WWW is really poor at best right now? I told him that I thought this might not be such a hot idea, and that my interest in this whole thing would hinge totaly upon exactly what sorts of transactions they wanted to do using web servers and the like. And that depending on the answer to that, I would or would not be intrested in the whole thing. The reason for my hesitation? I don't want blood on my hands over a setup that is by definition currently in a state of very poor security. And right now I have no idea if they want to transfer MasterCard's or MRI's. But I do know that depending on what it is they're planning, it might not be a place *I* want to be. Besides being damned frightening, this points to a trend in network evolution. Organizations are planning these sorts of moves and utilizations of the technology with little thought to the possible consequences of it. And if the FBI ends up busting some psyco in the future for tampering with the transactions of MRI data, x-rays, or any of a million other possibilities, I seriously doubt that Loius Freeh will be stepping forward to remind us all of the need for robust security. Instead, it is far more likely that he would argue that it was another example of the need for increased monitoring of the internet and controls on cryptographic solutions. I found aspects of the whole conversation, juxtaposed with what has been going on lately with the list chilling to say the least. Tim Scanlon ________________________________________________________________ tfs@vampire.science.gmu.edu (NeXTmail, MIME) Tim Scanlon George Mason University (PGP key avail.) Public Affairs I speak for myself, but often claim demonic possession
[Story about hospital wanting to use "secure" Netscape deleted.] On a similar note, just after the unssl announcement, I got email from someone who works in network security at the Pentagon, saying that users in his domain were "expressing their desires to use Netscape to do some sensitive things." I wonder if anyone's packet-sniffing the Pentagon? - Ian "I mean _besides_ the NSA."
participants (2)
-
iagoldbe@csclub.uwaterloo.ca -
Tim Scanlon