Australian Security Magazine, June/July 2018

Page 30

Cyber Security

Encryption headaches By Joseph Wentzel


Early last week I was reminded of the headaches that can be encountered with encryption. A site we are dependent on has installed a revoked certificate, and our policy has no wiggle room on whether we can still connect. People who are supposed to know better have a certificate that has expired, so instead of going out and getting a new one, they find they have an old one lying around (the fact that it was revoked and already expired notwithstanding) and go ahead and install it as a cost-saving measure.

After I get done shaking my head in disbelief and wondering who could have thought such an act was actually a good idea, I begin to wonder about our users. Our poor personnel who have to connect to the site to manage specific items are now barred from doing so, by best practice. They don’t understand this. All they see is that we no longer allow them to do their job. A quick explanation that the problem is on the provider’s site does little to help. They still want me to supply a solution.

An email conversation between myself, our staff and the provider led to three possible solutions:

1) Install a new certificate – the ideal solution.
2) Reinstall the expired, but not revoked, certificate, as we can work with it – a poor solution.
3) Remove SSL/TLS from the equation – another poor solution.

Not much in the way of solutions, and poor staff who don’t really understand. These are not technically illiterate people. They understand the reasons for security. They just aren’t in our field and don’t understand the specifics. If reasonable people who enjoy the benefits of IT every day and manage devices through the use of technology have problems with this, then what about the average consumer?

It wasn’t that long ago that I remember the banking industry being responsible and warning people to only use their sites and online shopping sites that were secure. They went into enough detail that people should expect to see a lock or key and that the URL (or is it URI now?) would have HTTPS instead of HTTP. What a pleasant change and a remarkable show of helping people to remain financially secure. After several months of these ads and seeing positive action from the user community, I was ready to publicly thank the banking industry for the service. However, this was short lived. Not long after the ads ended, several banks decided to improve their web performance and insert secure iframes into standard HTTP pages. Yes, the data would be secure, but the average user had no way of knowing this. In effect, an epic fail for the industry’s education of the public.

It isn’t just horrendous practices like those above, but also how often we deprecate services, and our widespread reaction to those deprecations, that confuses users. There was a time when WEP was considered the way to go: keep us as safe on wireless as we are when wired (are we ever really safe when wired?). Users accepted this security measure. It was easier than MAC filtering and so much better. Everything was copacetic in the world.
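The revoked and expired certificate above is exactly what a client-side policy is meant to catch before the connection is allowed. The script below, an added example that is not part of the article, shows the two checks such a policy runs: whether the certificate is still within its validity period, and whether it names a revocation list a client could consult. It assumes the openssl command-line tool is installed; the subject name, the one-day lifetime and the CRL URL are constructed placeholders, not the provider's real values.

```shell
#!/bin/sh
# Added example (not the article's own material). Issues a constructed
# one-day self-signed certificate, then runs the validity and revocation
# checks a TLS client policy performs before trusting a server certificate.
# Assumes the openssl CLI is available.

WORK=$(mktemp -d)
CERT="$WORK/provider.pem"
KEY="$WORK/provider.key"

# Constructed certificate: placeholder subject, placeholder CRL location.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" \
  -days 1 -subj "/CN=provider.example" \
  -addext "crlDistributionPoints=URI:http://crl.example/placeholder.crl" \
  >/dev/null 2>&1

# Returns 0 if the certificate in $1 is still valid for at least $2 more
# seconds, 1 if it has expired or will expire inside that window.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Prints the CRL URLs the certificate names (one per line). Empty output
# means a client has nowhere to look for revocation information, which is
# what makes a revoked-but-reinstalled certificate so dangerous.
cert_crl_urls() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -o 'URI:[^ ]*' | sed 's/^URI://'
}

# Demo policy with no wiggle room: reject an expired certificate, and
# reject one that carries no revocation information at all.
cert_policy_decision() {
  if ! cert_valid_for "$1" 0; then
    echo "REJECT: certificate expired"
    return 1
  fi
  if [ -z "$(cert_crl_urls "$1")" ]; then
    echo "REJECT: no revocation information"
    return 1
  fi
  echo "ACCEPT"
  return 0
}

# Stand-alone run: show the decision and whether the cert survives 10 days.
cert_policy_decision "$CERT"
if cert_valid_for "$CERT" 864000; then
  echo "still valid in 10 days"
else
  echo "expires within 10 days: renew now, do not reinstall an old one"
fi
```

The `-checkend` window is the useful knob here: running it with a ten-day horizon on a scheduled job flags certificates that are about to lapse, which is the point at which someone is tempted to dig out an old one instead of requesting a replacement. Checking the CRL (or OCSP) endpoint itself requires network access and is left to the real client.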
