[GRLUG] FF 33 & SSL
Michael Mol
mikemol at gmail.com
Wed Nov 5 15:36:16 EST 2014
On Wed, Nov 5, 2014 at 2:54 PM, Mark Farver <mfarver at mindbent.org> wrote:
> On Wed, Nov 5, 2014 at 1:54 PM, Michael Mol <mikemol at gmail.com> wrote:
>> And regarding negligence....LVL's servers in question sound like
>> they're intranet, not public-facing. If the strength of those certs is
>> an issue (meaning he faces MITM on the way there), then he's got a
>> MITM attacker on his internal network, which is a much bigger issue on
>> its own than a weak cert on an intranet server.
>
> No, if you use TLS with weak certs that is worse than using no TLS at
> all. You are giving your customers and yourself a false sense of
> security. Not following industry standard security practices can be
> regarded as negligence. Especially since the weakness of <1024bit
> certs has been well known for close to a decade.
I agree with you 100% -- IF these servers are customer-facing. Based
on my impressions in this thread, they only face *him*, and are likely
not accessible outside his intranet. If that weren't the case, his
switching to a different browser wouldn't even *begin* to be an
acceptable solution, even from his perspective.
--
:wq