Father of SSL Says Despite Attacks, the Security Linchpin Has Lots of Life Left
Network World (10/11/11) Tim Greene
Despite high-profile exploits, secure sockets layer/transport layer security (SSL/TLS), the protocol that safeguards e-commerce security, can remain viable through proper upgrades as they become necessary, says SSL co-creator Taher Elgamal in an interview. He says the problem is not rooted in SSL/TLS itself, but rather in the surrounding trust framework and the problems it causes when it comes time to patch the protocol to correct vulnerabilities. "If there is a way that we can separate who we trust from the vendor of the browsers, then that would be the best thing to do," Elgamal notes. "And the root of the trust should be the Internet with its built-in reputation ecosystem." Elgamal says that in such a scenario, if people were to notice that a specific certificate authority is issuing bad certificates, then the reputation ecosystem would jettison it immediately with no need to issue patches. What is needed is the construction of an automatic update mechanism, and Elgamal believes the technology to facilitate self-updating exists. "I hope people look for these things because honestly, every protocol will have roles for self-updating things," he notes. "Nothing will remain secure forever."