Tuesday, December 30, 2008

Verisign: Hardly (or, do we have a new disclosure model here?)

Now I only caught the last 5-10 minutes of the Q&A from the big talk this morning, and what I heard (especially about the differences among browser implementations) was pretty interesting. Wish I had heard the whole thing.

The whining from vendors (or so it is said in the blogs) about "wish they had been told earlier" has been amusing. Waaah.

And I like this new disclosure model (which turns the existing model upside down: vendors have to sign NDAs instead of the researchers, brilliant!) and the fact that there was real exploitation (however limited) prior to a fix, which brings the end-user community into the disclosure dance.

However, I can't help but think this was sort of a letdown (and I don't think it is just because crypto puts me to sleep), and I liked this summary from "This morning's MD5 attack - resolved":

Q: Is Internet security broken?
A: Hardly. The presenters of this morning's paper stressed that it took them a long time and a great deal of computational power to succeed in their collision attack. VeriSign has already eliminated the attack as a possibility.

It bothered me that this was positioned as a "critical internet infrastructure" attack/vulnerability/compromise, which to me pretty much means routing or name service or some other colossal failure in the transport layer or below. This was not that. "Web security completely broken" I could buy, but not Internet security, let alone critical Internet infrastructure security.

Hardly is a pretty good summary.
