

Articles by 卓長熹
October 6, 2008
SSL
Category: English translation

This article appeared in the July 2008 issue of 《資安人雜誌》.
Translator's pen name: 左恩燦 (real name: 卓長熹)
English-to-Chinese translation; each translated paragraph follows its original.

SSL Won't Save Your Lousy Application
Encryption cannot patch the vulnerabilities produced by insecure software.

By DAVID MORTMAN, translated by 左恩燦

Security practitioners love SSL, and with good reason. It is very well designed, with support for multiple encryption protocols, and is easily reconfigured in case any one of them should get cracked or outdated by some other method. It is an incredibly useful tool, protecting transactions as they cross otherwise insecure channels such as the Internet. It’s also great for certificate-based bilateral authentication, provided of course you actually have the cash and personnel resources to maintain it.

Security practitioners love SSL (Secure Sockets Layer), and they have every reason to: not only is it well designed and supports all kinds of encryption protocols, it is also easy to reconfigure should any one of them be cracked or become outdated. Incredibly, it is such a useful tool that it can protect the security of transactions even as they pass through other insecure channels (such as the Internet). It is also a great help for certificate-based bilateral authentication, provided, of course, that you actually have the money to afford it.

If anything, SSL is too well implemented, so people end up thinking that it covers all their needs, like a giant security blanket. They forget that there is much more to security than just using SSL.

Undeniably, what sets SSL apart is that its deployment is so satisfying, and people think it can meet all their needs, like a giant security blanket that fills everyone clutching it with a sense of security. They forget that beyond using SSL, there is still much to be done for security.
While regulations such as PCI and various state breach notification laws are now mandating that data at rest also be encrypted, which is a step in the right direction, we need to remember that encryption is far from the be-all and end-all of security. Even if we assume that both the algorithms and the implementations are perfect, databases need to be unencrypted when they are actually being used, which limits its efficacy.

Gene Spafford famously once said, “Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.” He’s still right today.

Gene Spafford once said something excellent: "Using encryption on the Internet is like dispatching an armored car to deliver the credit card information of someone living in a cardboard box to someone living on a park bench." He still sounds right today.

Although operating systems are more secure than they were 10 years ago, and we are much better at patching them, that too isn’t sufficient. Dan Geer recently released an extensive paper on trends in the information security industry. Using data from the National Vulnerability Database, he quantitatively showed what we had already intuited: that attackers have moved to targeting applications with great success, exploiting cross-site scripting and SQL injection vulnerabilities by the boatload.

Although operating systems are much more secure than they were 10 years ago, and we are better at patching them, that is still not enough. Recently, Dan Geer published a large-scale trend report on the information security industry. The data was drawn from the US National Vulnerability Database, and he pointed out, in volume, facts that we could originally have predicted by intuition: for instance, attackers have successfully shifted their targets to applications, carrying out XSS (cross-site scripting) and SQL injection attacks with simple tools.
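To make the point of the two paragraphs above concrete, here is an added example written for this page (it is not code from Mortman's column, from Geer's paper, or from any vendor named here). It runs the same customer lookup two ways against a constructed in-memory SQLite table: the string-spliced query that an application scanner would flag, and the parameterized query that closes the hole. Note that nothing about the transport appears in the code: whether the request arrived over plain HTTP or over SSL, the handler sees the same decrypted input, which is exactly why the lock icon says nothing about this class of bug. The table, e-mail addresses and test inputs are all constructed for the demonstration.

```python
"""
Added example: the same customer lookup with and without SQL injection.
Transport encryption is irrelevant here; only how the query is built matters.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny customer table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "4242"), ("bob@example.com", "1881")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The 'before' pattern: user input spliced into the SQL text.

    A quote character inside `email` changes the structure of the statement,
    so the input is no longer just a value being compared.
    """
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    """Parameterized query: the value travels separately from the statement,
    so whatever the input contains, it can only ever be compared as a string."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo() -> dict:
    """Run both lookups over three constructed inputs and report row counts.

    - an honest address, which both versions answer correctly;
    - a legitimate address containing an apostrophe, which the vulnerable
      version cannot even parse (a reliability bug as well as a security one);
    - the textbook injection probe, which the vulnerable version answers with
      every row in the table and the hardened version answers with none.
    """
    conn = make_db()
    honest = "alice@example.com"
    apostrophe = "o'brien@example.com"      # constructed, legitimate input
    crafted = "x' OR '1'='1"                # constructed scanner-style probe

    try:
        lookup_vulnerable(conn, apostrophe)
        vulnerable_rejects_apostrophe = False
    except sqlite3.Error:
        vulnerable_rejects_apostrophe = True  # statement became unparseable

    return {
        "honest_vulnerable": len(lookup_vulnerable(conn, honest)),
        "honest_hardened": len(lookup_hardened(conn, honest)),
        "apostrophe_hardened": len(lookup_hardened(conn, apostrophe)),
        "vulnerable_rejects_apostrophe": vulnerable_rejects_apostrophe,
        "crafted_vulnerable": len(lookup_vulnerable(conn, crafted)),
        "crafted_hardened": len(lookup_hardened(conn, crafted)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The crafted input is the kind of probe a badge service such as the one the column mentions sends at a form; a site that only advertises its SSL vendor has been tested for none of this. The fix is not clever: the parameterized form is shorter than the vulnerable one.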

Despite what we know and what industry leaders like Microsoft and Oracle have done to make their products more secure, the software industry as a whole just doesn’t seem to get it. Some Web-based application vendors display badges from services like Hacker Safe, which actually test for vulnerabilities. Sadly, these sites are few and far between.

Although we know these things, and leading vendors such as Microsoft and Oracle have made security improvements to their products, the software industry just doesn't seem to get it. Although some Web applications display the Hacker Safe security certification badge, indicating that they have passed vulnerability testing, the number of such sites is very small.

But if you look at the average Web-based application, and if you are lucky, there might be a reference in the vendor’s privacy policy about its use of SSL, or a cute badge advertising which SSL vendor it used. Meanwhile, SSL has gotten so cheap to implement that even sites that don’t talk about it generally use it, which means all this tells us is that they have a marketing person who is savvy enough to know that talking about SSL is expected behavior. While it is gratifying to know that the risk of someone sniffing my credit card number off the Internet is effectively zero when using a particular Web site, this unfortunately doesn’t tell us a single useful thing about the security of the application itself, and odds are, the security is poor.

If you look at the average Web application, you are very lucky if the vendor's privacy policy mentions the use of SSL, or if there is a cute badge advertising its SSL vendor. When you are using a particular website and know that anyone probing for your credit card number is doing so in vain, that is very gratifying. Unfortunately, though, there is not a single piece of information here about the security of the application, nor anywhere else; it shows that security is quite lacking.

This is why ISVs need to start building security into their software development life cycles and be more transparent as to what they are doing to keep our data safe. This is only going to happen if we, as security practitioners and as customers, press vendors to start producing more secure software. And if the past is any indicator, acting as customers will be far more effective. Practitioners can have a deep impact, especially from the angle of driving down support costs, but what really gets the attention of marketing and sales departments is customers demanding features.

This is why independent software vendors must build security into their software development life cycle and make their practices for keeping data safe more transparent, so that users can understand them clearly. If we, as security practitioners who are also customers, begin to pressure vendors into producing more secure software, we will get the best results. Going by past experience, pushing from the customer's angle will work far better. Practitioners can exert great influence, especially by approaching it from the angle of greatly reduced purchasing costs, but what really gets the attention of marketing and sales departments still has to come from the angle of "customer demands".

Years ago, someone asked Mark Graff, author of Secure Coding, when the company he worked for would stop making “such crappy software.” He answered, “When you stop buying it.” It was irate customers who pushed Microsoft into starting its Trustworthy Computing initiatives, and it is irate customers who will push Web application vendors to start taking security seriously. It is up to us to teach those customers not only what they are missing, so they know what to ask for, but also that looking for the little lock icon is not enough to keep their data secure.

Years ago, someone asked Mark Graff, author of Secure Coding, when the company he worked for would stop making "such crappy software." He answered, "When you stop buying it!" In the past, it took customers to force Microsoft to begin its Trustworthy Computing initiatives, which is infuriating; in the future, it will still take the hand of customers to force Web application vendors to begin taking security seriously, which is equally infuriating. It all depends on us educating those customers, not only so that they know what they have lost and what they can demand back, but also that the little lock icon is really not enough to keep their data safe and sound.

David Mortman is CSO-in-residence at information security research and consulting firm Echelon One. Send comments on this column to feedback@infosecuritymag.com.

David Mortman is the chief security officer of security research and consulting firm Echelon One. Send any comments on this column to feedback@infosecuritymag.com.
