Security practitioners love SSL (Secure Sockets Layer), and with good reason. It is well designed, supports multiple cipher suites, and is easily reconfigured should any one of them be cracked or become outdated. It is an incredibly useful tool, protecting transactions as they cross otherwise insecure channels such as the Internet. It is also great for certificate-based bilateral authentication, provided of course you have the resources, in both cash and personnel, to actually maintain it.

If anything, SSL is too well implemented, and people end up thinking it covers all their needs, like a giant security blanket. They forget that there is much more to security than just using SSL.

Regulations such as PCI and various state breach notification laws now mandate that data at rest be encrypted as well, which is a step in the right direction, but we need to remember that encryption is far from the be-all and end-all of security. Even if we assume that both the algorithms and the implementations are perfect, a database has to be decrypted while it is actually in use, which limits what encryption at rest buys you: it protects against a stolen disk or backup tape, not against an application that holds legitimate credentials to the data and can be subverted into reading it on an attacker's behalf.

Gene Spafford famously once said, "Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench." He's still right today.

Although operating systems are more secure than they were 10 years ago, and we are much better at patching them, that too isn't sufficient. Dan Geer recently released an extensive paper on trends in the information security industry. Using data from the National Vulnerability Database, he showed quantitatively what we had already intuited: attackers have moved to targeting applications, with great success, exploiting cross-site scripting and SQL injection vulnerabilities by the boatload, often with nothing more than simple tools.

Despite what we know, and despite what industry leaders like Microsoft and Oracle have done to make their products more secure, the software industry as a whole just doesn't seem to get it. Some Web-based application vendors display badges from services like Hacker Safe, which actually test for vulnerabilities; sadly, these sites are few and far between.

But look at the average Web-based application. If you are lucky, there might be a reference in the vendor's privacy policy to its use of SSL, or a cute badge advertising which SSL vendor it used. Meanwhile, SSL has gotten so cheap to implement that even sites that don't talk about it generally use it, so all this tells us is that the vendor has a marketing person savvy enough to know that talking about SSL is expected behavior. While it is gratifying to know that the risk of someone sniffing my credit card number off the Internet is effectively zero when I use a particular Web site, this unfortunately doesn't tell us a single useful thing about the security of the application itself.

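As an added illustration of the point above (example code written for this edition, not part of the original column): a login check that is reachable only over a perfectly configured SSL connection is still trivially bypassed if it assembles its SQL from user input, while the same check with bound parameters rejects the same payload. The table, the two accounts, the payload and the function names are all constructed for the demonstration; the database is an in-memory SQLite instance so the script runs offline.

```python
import sqlite3

# Constructed sample accounts for the demonstration only. Passwords are kept
# in the clear purely to keep the example short; a real system stores hashes.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """The kind of check an SSL badge says nothing about: the query is
    assembled by string formatting, so the input becomes part of the SQL."""
    sql = (f"SELECT name FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, name, password):
    """Same check with bound parameters: the input can only ever be data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def demo():
    """Run both checks against a valid login and a classic injection payload.

    Nothing here depends on the transport. Over SSL the payload arrives
    byte-for-byte intact, which is exactly what the attacker wants.
    """
    conn = make_db()
    # Rewrites the WHERE clause as: name = 'nobody' AND password = '' OR '1'='1'
    # AND binds tighter than OR, so the clause is true for every row.
    payload = "' OR '1'='1"
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_injected": login_vulnerable(conn, "nobody", payload),
        "parameterized_valid": login_parameterized(conn, "alice", "correct horse"),
        "parameterized_injected": login_parameterized(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case:24s} -> {'logged in' if logged_in else 'rejected'}")
```

Run it as a script to see the four outcomes: the string-built query lets "nobody" log in with no valid account at all, and the bound query rejects the identical input. The fix is parameterization on the application side, not a stronger cipher suite; the lock icon in the browser looks the same in both cases.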

This is why ISVs need to start building security into their software development life cycles and be more transparent about what they are doing to keep our data safe. This is only going to happen if we, as security practitioners and as customers, press vendors to produce more secure software. And if the past is any indicator, acting as customers will be far more effective. Practitioners can have a deep impact, especially from the angle of driving down support costs, but what really gets the attention of marketing and sales departments is customers demanding features.


Years ago, someone asked Mark Graff, author of Secure Coding, when the company he worked for would stop making "such crappy software." He answered, "When you stop buying it." It was irate customers who pushed Microsoft into starting its Trustworthy Computing initiative, and it is irate customers who will push Web application vendors to start taking security seriously. It is up to us to teach those customers not only what they are missing, so they know what to ask for, but also that looking for the little lock icon is not enough to keep their data secure.

David Mortman is CSO-in-residence at information security research and consulting firm Echelon One. Send comments on this column to feedback@infosecuritymag.com.
