Sunday, April 22, 2012

Testing Times Ahead For Online Security?

A little while back a group of Germans known as "The Hacker's Choice" released a piece of software that "specifically targets deficiencies within SSL". In light of the many groups who currently assume to be our cyber-saviours, I'm a little skeptical. Whilst I fully agree with the principle that on the whole we should be able to rely on any given security standard to keep our most prized data safe, recent events have shown anything but this (SSL Cracked). I really don't think they're going to reach the masses. I mean, how many people actually know what SSL stands for anyway? As long as it doesn't hamper their online shopping, Facebook/Twitter-oriented existence, they just don't care.

As with plenty of other technologies that have gone by the wayside, at their peak they were the best thing since sliced bread: VHS, Walkmans, CRTs... you get my drift.
Is it perhaps time we added some of our dated encryption methods to that pile of bygones too?

You only have to look at the history of various encryption algorithms, developed as far back as the late 80s or early 90s (RC4, AES). Half of us don't own cars that old (well, I may be an exception to that one!) so why are we trusting clearly outdated encryption standards? Perhaps Convergence is the new generation of security we really need.

I realise that not just anyone can open up their system and set about wiring half of the UK's GDP to their offshore account in under thirty minutes. However, the fact that weaknesses (many) have been highlighted is enough for me to question the viability of things like online banking. Do I really need it? The answer to that is no, I don't need it, but I want it all the same; it's a convenience. That's what everything is built upon, convenience. With a little security thrown in for good measure. Well, maybe I want a lot of security; after all, I'm using your website to buy goods with my credit card, and I'd like to be able to rely on you when you say it's secure...

Firefox 12 - Enough Versions Already, but This One I Like...

I notice Firefox 12 is on the horizon. I'm sure I am not the only one to be irritated by the version numbering game. As Smoothwall's Web Filtering Product Manager, keeping up with which versions of popular browsers we need to support is like shooting moving targets with a fairground rifle whilst wearing comedy nose glasses.

Version 12, though, has a special place for me, as it's going to save me a job - updating my parents' web browser! Being a fairly security-minded type chap, I have had them using Firefox - yeah, I know, there's not a lot of difference between the major browsers any more, but when I set their first PC up, it was night and day. I also never gave them admin rights - there's just no need. Or there shouldn't be. The one thing that's been missing all these years, though, is background updates. Finally, 12 has Silent Service Update - so they'll be able to have the latest version, and I won't have to scoot round the house with my admin creds when I pop in for Sunday lunch!

Great start by Mozilla - and good to see they're going to offer SSU to other software vendors; I always thought it was a shame other products couldn't use Windows Update. I instinctively uninstall Adobe's bloated PDF reader in favour of Sumatra (which is still an Admin-only update, but a lot less prone to attack), but my arch enemy lives on - Java. Next time I am in Wakefield, I'll be working out whether my folks really need a JVM.

PS. Yes, I know Chrome does this already, but I wasn't up for the support overhead of a new browser!