the same old lesson from vuln disclosures

Another lesson from the MD5 / SSL CA hack: We’re now stronger for the issue being exposed.

Someone could have exploited this weakness already, or someone could have exposed it a year or five from now. But because this has been exposed to the public, we’re now collectively stronger and more informed for it.

This is an agnostic approach: I don’t have to say we should be throwing exploits out full-disclosure-style without giving anyone a chance to fix or mitigate the issue. Rather, simply exposing the issue to the public with enough detail to be actionable is what I want. If that involves partial disclosure or even full disclosure with POCs, I’m fine with that.

Would I sing the same tune if the researchers had released their rogue CA? Yes, although it might be tainted with a, “That’s pretty short-sighted of you to do that.” But being able to react to what is disclosed is part of the lifestyle, even if we don’t agree with the actions. (Gosh, if only attackers would disclose to us their tools first before they go on the offensive! That would be the professional thing to do, right?)