[GRLUG] FF 33 & SSL

Mark Farver mfarver at mindbent.org
Wed Nov 5 14:54:54 EST 2014


On Wed, Nov 5, 2014 at 1:54 PM, Michael Mol <mikemol at gmail.com> wrote:
> And regarding negligence....LVL's servers in question sound like
> they're intranet, not public-facing. If the strength of those certs is
> an issue (meaning he faces MITM on the way there), then he's got a
> MITM attacker on his internal network, which is a much bigger issue on
> its own than a weak cert on an intranet server.

No, if you use TLS with weak certs that is worse than using no TLS at
all.  You are giving your customers and yourself a false sense of
security.  Not following industry standard security practices can be
regarded as negligence.  Especially since the weakness of <1024bit
certs has been well known for close to a decade.

In the age of APT and frequently compromised clients having a network
with a crunchy exterior and a soft gooey center is not acceptable.
MITM attacks are quite commonplace inside of the network boundary.
Allowing an attacker to expand a minor client compromise into root
access because you can't be arsed to run an openssl command a few
times is unacceptable.

Given the last year's vulnerabilities in OpenSSL you should already
have regenerated all your keymat, expired all your certs, and
generated new ones (hopefully ones that meet modern standards.)

I'll repeat:  if the connection is worth encrypting *at all* it is
worth encrypting right.

Mark


More information about the grlug mailing list