VeriSign remedies massive SSL blunder (kinda, sorta)

Gregory Webb

This is no remedy

If the method engineered by the researchers has already been discovered and used by hackers, then any organization currently utilizing a certificate within their chain (be it the root, an intermediate, or a leaf) could potentially be the victim of a man-in-the-middle attack. Because we have no way of knowing whether or not this is the case, organizations should consider mitigating risk by replacing certificates using the MD5 hash function.

Given this condition, more needs to be done. http://tiny.cc/ns4b8
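As an added example (not part of the comment above, and not code from any of the parties mentioned), here is a small standard-library check for the mitigation the commenter suggests: walk each DER-encoded certificate in a chain, read its outer signatureAlgorithm OID, and flag any member still signed with MD5. The chain below is a constructed skeleton with valid outer DER framing and placeholder bodies, not real certificates.

```python
# md5WithRSAEncryption, sha1WithRSAEncryption, sha256WithRSAEncryption
HASH_OF = {"1.2.840.113549.1.1.4": "md5",
           "1.2.840.113549.1.1.5": "sha1",
           "1.2.840.113549.1.1.11": "sha256"}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content bytes into a dotted string."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_hash(cert_der):
    """Hash name from a certificate's outer signatureAlgorithm (the one the CA used)."""
    _, body, _ = _read_tlv(cert_der, 0)     # Certificate ::= SEQUENCE
    _, _, pos = _read_tlv(body, 0)          # skip tbsCertificate
    _, alg, _ = _read_tlv(body, pos)        # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, _ = _read_tlv(alg, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return HASH_OF.get(_decode_oid(oid), "unknown")

def weak_certs(chain):
    """Indices of chain members (root, intermediate or leaf) signed with MD5."""
    return [i for i, c in enumerate(chain) if signature_hash(c) == "md5"]

# --- constructed sample chain (hypothetical, not real certificates) ---
def _tlv(tag, value):                       # short-form length only (< 128)
    return bytes([tag, len(value)]) + value

def _fake_cert(oid_bytes):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                       # placeholder tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, oid_bytes) + _tlv(0x05, b""))   # OID + NULL params
    sig = _tlv(0x03, b"\x00" + b"\xab" * 8)                     # placeholder signature
    return _tlv(0x30, tbs + alg + sig)

SAMPLE_CHAIN = [
    _fake_cert(bytes.fromhex("2a864886f70d01010b")),  # leaf: sha256WithRSA
    _fake_cert(bytes.fromhex("2a864886f70d010104")),  # intermediate: md5WithRSA
    _fake_cert(bytes.fromhex("2a864886f70d010105")),  # root: sha1WithRSA
]
```

Run `weak_certs(SAMPLE_CHAIN)` to get the positions of MD5-signed members; on a real chain, feed it the DER bytes of each certificate in order.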

Gmail certificate expiry snafu follows security upgrade

Gregory Webb

business impact of expired certs

While I doubt anyone will lose faith in Google's ability to secure our data and/or Gmail, expired certs and the ensuing security pop-up alerts do impact consumer behavior. Over time users become conditioned to the alerts and simply begin to ignore them. This is certainly not a security best practice, especially as phishing scams abound.

Check out some compelling survey results on this topic at: http://www.venafi.com/Collateral_Library/VenafiEncryptionStudy2007.pdf