[GRLUG] FF 33 & SSL

Michael Mol mikemol at gmail.com
Wed Nov 5 15:36:16 EST 2014


On Wed, Nov 5, 2014 at 2:54 PM, Mark Farver <mfarver at mindbent.org> wrote:
> On Wed, Nov 5, 2014 at 1:54 PM, Michael Mol <mikemol at gmail.com> wrote:
>> And regarding negligence....LVL's servers in question sound like
>> they're intranet, not public-facing. If the strength of those certs is
>> an issue (meaning he faces MITM on the way there), then he's got a
>> MITM attacker on his internal network, which is a much bigger issue on
>> its own than a weak cert on an intranet server.
>
> No, if you use TLS with weak certs that is worse than using no TLS at
> all.  You are giving your customers and yourself a false sense of
> security.  Not following industry standard security practices can be
> regarded as negligence.  Especially since the weakness of <1024-bit
> certs has been well known for close to a decade.

I agree with you 100% -- IF these servers are customer-facing. Based
on my impressions in this thread, they only face *him*, and are likely
not accessible outside his intranet. If that weren't the case, his
switching to a different browser wouldn't even *begin* to be an
acceptable solution, even from his perspective.

-- 
:wq