When TLS Reads: Totally Lost Security. SHA zam!
2-Hour Live Event: Tuesday, November 15, 2016
Start Time: 9:00 a.m. US-Pacific / 12:00 p.m. US-Eastern / 5:00 p.m. London
Why isn't patching and updating successful in making us safe, even from known vulnerabilities in products for which fixes are available?
We've seen fixes for Java vulnerabilities made available on our smartphones, only to be told that our organization cannot support the fix without breaking a critical tool we depend on. We know that improved versions of SSL and TLS were available for many years before they became widely adopted by browser developers and web site administrators. Rather than risk disrupting millions of users, they let fears of backward-compatibility issues drive them to continue offering vulnerable versions of these protocols and to ignore the dangers of relying on encryption and hash algorithms with known flaws.
A recent survey indicates that nearly 98% of websites supporting SSL were still using phishing-friendly, weak X.509 digital certificates based on SHA-1. So, what does this bode for the Internet of Things? Will we see millions and millions more vulnerable devices surrounding us that cannot be easily patched and managed securely?