qualys ssl/tls best practices

Curious about SSL Best Practices? Qualys has a regularly-updated “SSL/TLS Deployment Best Practices” file with some good information. I like that the best practices include mention of practical concerns in additional to security ones. For instance, not to use private keys larger than 2048. I’ve forged forward on my own to use 4096 keys, and I can attest to significant performance issues due to it. Also, I’m glad for the very brief EV SSL mention; I’m not sold that it’s useful enough to talk about. I personally recommend not spending the money on them unless your customers are asking for a green browser address bar…

The only thing I wish this doc contained would be more insight into common secure and insecure cipher suites. Now, I know SSL tools will do this and many systems rename ciphersuites into weird names for no real reason, but it would be nice to just get a dumped list. For a doc that is useful to slam down on a CIO or developer or sysadmin desk, it would be welcome. Props, though, to suggesting SSL eval tools, which will help a sysadmin do the same thing, just with a little bit of sweat and time expense.

man accused of hacking despite not hacking anything

I feel dirty linking to Wired these days, especially since the article isn’t very informative beyond this blurb:

…Nosal never was accused of traditional hacking. Among other things, what the jury concluded was that he coaxed, sometimes through monetary payments, his former colleagues at Los Angeles-based executive search firm Korn/Ferry International to access the firm’s proprietary database and provide him with trade secrets to help him build a competing firm. Those associates cooperated with the government and were not charged.

…Say what?