Keith via plug on 11 Aug 2020 12:49:38 -0700



Re: [PLUG] news



On 8/11/20 2:50 PM, Rich Freeman via plug wrote:
> On Tue, Aug 11, 2020 at 2:40 PM Charlie Li via plug
> <plug@lists.phillylinux.org> wrote:
>> Rich Freeman via plug wrote:
>>> On Tue, Aug 11, 2020 at 12:34 PM brent timothy saner via plug wrote:
>>>> But yeah, he explained much more eloquently the point I'm trying to
>>>> make. It's important to balance risk factor into the equation, and he
>>>> explains why it's important here.
>>> It is also almost completely irrelevant in practice.
>>
>> It is absolutely completely relevant in practice....nation-states and other actors...
> Ok, yes, if you live in China and the government blocks SSL, then
> obviously you can't use SSL.
>
> I'm talking about everybody on this list who lives in the USA, where
> nobody blocks SSL.

Accept that if technology isn't limited to the imaginary lines of physical borders (I'll explain why I word it that way in a second).

If China was really just about China, there was no reason to have freaked out about Zoom being hosted there or, to be more current, we wouldn't have freaked out about TikTok.

In practice most people ignore security or do the easy things because humans like things easy...

...so do bad actors...

If all you have to do is click a box, then are you really secure?  I'm posing that as a thought experiment, not as a statement of me saying the thingy is or is not secure.

I would suggest that the whole concept of phishing works because general technology social engineering has most of society thinking that if something is easy for the human it is "good" and if something is "hard" it is bad.  I don't agree with that.

To go back to my previous point, it is neither one nor the other, but the individual has to really think about what the real risk is. The problem is most people do not.

SSL is not as secure if someone has the keys to the kingdom.  The Internet isn't really subject to physical borders unless something enforces it.  Just like your home is not your home until you enforce it (doors, locks).  The specifics of what you do are based on some sort of risk assessment.  Technology tends to complicate security as much as it might help.  Clicking that SSL button then immediately thinking you are "secure" without considering the risks, no matter how small, I do not think is good.  That becomes a reason for bad actors to look at that technology pipeline to see how to exploit it.

> Look, if you want you can come up with a bazillion edge cases where it
> doesn't make sense to use SSL, that altogether account for 0.1% of the
> traffic most of us deal with.  If you want I can join in.  It doesn't
> change my point.
>
> My point is a general one, and I think it is generally true.
> Obviously if you're in one of those weird situations where SSL doesn't
> make sense, then don't use it.  That doesn't mean that it isn't the
> best default.  If you're debugging some application and want to
> disable SSL in development to check the traffic going over the
> network, then do it.  You don't need my permission...  :)

I'm sure it seems like a number of us are making a big deal about this, but I know for me, the concern is the lack of critical and comprehensive thought when it comes to security.  It's a complex topic that I do not think can be simplified as much as is done.


--
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Managing Member, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug