Re: [TLS] Security today
Fwiw, at Microsoft we mandate the use of "strong crypto" and that includes ciphersuites and bit lengths. In the case of RSA, 2048 minimum, and the only time 1024 is allowed is for backward compat, and that has to be signed off by the crypto board (Ferguson, LaMacchia, Benaloh et al).
Cheers, Michael
Writing Secure Code for Windows Vista: http://www.microsoft.com/MSPress/books/10723.aspx
SDL Book: http://www.microsoft.com/MSPress/books/8753.asp
Blog: http://blogs.msdn.com/michael_howard/
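The check a server operator would actually run against the key-length rule above, as an added example that is not from either message in this thread: a stdlib-only DER reader that pulls the modulus out of a PKCS#1 RSAPublicKey (SEQUENCE { INTEGER n, INTEGER e }) and grades its length against the policy as stated (2048-bit minimum, 1024 only as a signed-off backward-compat exception). The sample keys are constructed in the block and are not real RSA keys; the policy thresholds and the "signoff" flag are assumptions about how such a rule would be encoded.

```python
# Added example, not from the thread: read the modulus length out of a
# DER-encoded PKCS#1 RSAPublicKey and grade it against the 2048/1024 policy
# described above. Sample keys built by sample_rsa_key() are constructed.

def _der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        length, start = first, pos + 2
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def rsa_modulus_bits(der):
    """Bit length of n; rejects input that is not SEQUENCE { INTEGER ... }."""
    tag, body, _ = _der_tlv(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_bytes, _ = _der_tlv(body)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()

def grade_rsa_key(bits, backward_compat_signoff=False):
    """Assumed encoding of the policy: 2048+ passes, 1024-2047 only with
    a recorded sign-off, anything shorter is rejected outright."""
    if bits >= 2048:
        return "allowed"
    if bits >= 1024 and backward_compat_signoff:
        return "backward-compat exception"
    return "rejected"

# Minimal DER encoder, used only to build constructed sample keys for the demo.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                     # leading 0x00 keeps the INTEGER positive
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw

def sample_rsa_key(bits):
    """Constructed RSAPublicKey with a `bits`-bit modulus (not a real key)."""
    body = _der_int((1 << (bits - 1)) | 1) + _der_int(65537)
    return b"\x30" + _der_len(len(body)) + body
```

On a live server the DER would come from the leaf certificate's SubjectPublicKeyInfo rather than from sample_rsa_key(); the grading step is the same.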
-----Original Message-----
From: tls-bounces@xxxxxxxx [mailto:tls-bounces@xxxxxxxx] On Behalf Of Mike
Sent: Thursday, March 27, 2008 9:28 PM
To: tls@xxxxxxxx
Subject: Re: [TLS] Security today
Michael Howard wrote:
> I think there is a deeper issue than this - people email
> sensitive data all the time with no encryption...
Yes, email security is problematic, but users have to do
a lot of manual configuration even to get set up for it.
And then, they need to convince their correspondents to
set up their system too.
With HTTPS, the infrastructure is already there, and it's
being used. The problem is with server configuration:
key size, cipher suite selection. If servers were simply
better configured, security would automatically improve.
Users wouldn't have to do anything differently; those
who we rely on for security are failing us!
Mike
P.S. And there's nothing you or I can do about it as a
user -- we can't influence the key sizes or cipher suites
offered by a server -- it's either take it or leave it.
_______________________________________________
TLS mailing list
TLS@xxxxxxxx
https://www.ietf.org/mailman/listinfo/tls