[47067] in North American Network Operators' Group
Re: Cisco blunders with insecure web page
daemon@ATHENA.MIT.EDU (Chris Adams)
Thu Apr 25 06:26:03 2002
Date: Thu, 25 Apr 2002 05:23:19 -0500
From: Chris Adams <cmadams@hiwaay.net>
To: nanog@trapdoor.merit.edu
Message-ID: <20020425052319.B9090@hiwaay.net>
Mail-Followup-To: Chris Adams <cmadams@hiwaay.net>,
nanog@trapdoor.merit.edu
In-Reply-To: <5.1.0.14.2.20020425050501.00ab7070@mail.macronet.net>; from blitz@macronet.net on Thu, Apr 25, 2002 at 05:05:48AM -0400
Once upon a time, blitz <blitz@macronet.net> said:
> >But applicants registering for the programme online discovered their
> >banking and company details were going onto an open web page. When one
> >irate silicon.com reader called the Cisco helpdesk, he was informed
> >that the company was aware of the problem because several other users
> >had complained.
<snip>
> >In a statement, Cisco said it had pulled the registration URL for 48
> >hours to install SSL (secure sockets layer) - a common way of securing
> >web pages.
SSL does not secure web pages. It secures web _traffic_. If you don't
protect a web page by requiring a password (either via HTTP
authentication or a CGI-based scheme), SSL won't help protect the data
stored on the web server one bit.
Okay, SSL _can_ be used to secure web pages with client certs, but that
is not as common in the "real world" as different forms of password
based authentication.
Or is the article an over-simplification of the issue?
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
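
The distinction drawn in the message above, shown as an added Apache httpd 2.4 configuration example; it is not part of the original post or of any configuration described in the article. Host names, file paths and the realm name are placeholders, and the three virtual hosts are alternatives shown side by side.

```apache
# Added example. Host names, paths and the realm name are placeholders.

# Weak: TLS encrypts the traffic, but any client that connects can read
# everything in the directory. Nothing here controls access to the data.
<VirtualHost *:443>
    ServerName open.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/server.crt
    SSLCertificateKeyFile /etc/httpd/tls/server.key

    <Directory "/var/www/register/submissions">
        Require all granted
    </Directory>
</VirtualHost>

# Corrected: same TLS settings, plus HTTP authentication on the directory.
# TLS also keeps the Basic credentials from crossing the wire in the clear.
<VirtualHost *:443>
    ServerName password.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/server.crt
    SSLCertificateKeyFile /etc/httpd/tls/server.key

    <Directory "/var/www/register/submissions">
        AuthType Basic
        AuthName "Registration records"
        AuthUserFile /etc/httpd/auth/htpasswd
        Require valid-user
    </Directory>
</VirtualHost>

# Alternative: access control through TLS itself, using client certificates.
# Only clients presenting a certificate issued by the listed CA are served.
<VirtualHost *:443>
    ServerName clientcert.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/server.crt
    SSLCertificateKeyFile /etc/httpd/tls/server.key
    SSLCACertificateFile  /etc/httpd/tls/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Directory "/var/www/register/submissions">
        Require ssl-verify-client
    </Directory>
</VirtualHost>
```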