catalyzing vpn and ssl security

Posted on by michael

Somehow this site slipped through my RSS feeds net, but the Security Catalyst has had a few interesting updates in the past month.

First, David Stern talks about VPN not being a security device. I think this can be confusing because I think I was linked to this post via someone saying VPNs offer no security and citing David. VPNs do provide security by encrypting traffic over a public network. Although I do understand what David is trying to say. Typically, VPNs do not use more sophisticated authentication than other remote access methods, nor provide any further traffic protection beyond the VPN endpoint. If you let me VPN into your network, you’ll have to deal with the fact that I might make connection attempts to Gmail or spew out Slammer traffic. Point made, but I think his point can be far too easily mistaken. At least the post made me sit back with a screwy look on my face for a few minutes! I tend to be a natural skeptic.

Second, is a post about explaining SSL security. This made me giggle: get a group of nearby people together and go over the security that SSL provides. Now, yes, I can explain SSL accurately, but I gotta be honest, even at work about zero of those people are going to give a shit about the details, even if spoken in elementary terms. I’ve worked at web-tech companies where I filled requests from people (developers and managers) for SSL certs, who themselves couldn’t care less about the technical reasons. “The client requires SSL and Sysadmins get annoyed when we don’t put them on,” was the only real care; just a checkmark to filling the client’s needs. Again, though, I see the point: education. But I doubt many people truly care what SSL is and how it truly works.

Here is a case in point. Go to MySpace.com and log in with your username (come on, everyone has one). Notice there is no https/SSL transaction? Yup, that’s how much people truly care about SSL: MySpace.com’s popularity doesn’t seem so affected. (I discovered this one over a year ago at a wireless hotspot whose traffic I was snooping on…) Yes, perhaps it is not a banking site…