[Cryptography] Government shutdown: TLS certificates not renewed, many websites are down

Ángel angel at crypto.16bits.net
Mon Jan 14 20:30:52 EST 2019


On 2019-01-11 at 08:54 +0000, Peter Gutmann wrote:
> The sites are no less secure now than they
> were before the cert expired. 

Who is looking at the SIEM? And reviewing the IDS alerts?

While you are completely right regarding the strength of the encryption
used, the expired certs are an indicator of the lack of maintenance of
these websites.
If a critical vulnerability were discovered tomorrow (e.g. think of
another Struts vulnerability, or a fault in the web server itself),
would anyone update the systems on time?


These should all continue being more secure than the average website,
but they are expected to abide by a higher standard as well.
Thus, compared to their earlier selves, I would consider these sites to
be indeed less secure than before the shutdown.



Nevertheless, for the general case, the concept of gracefully degrading
the UI indicators as the cert is more and more expired is an interesting
one.


PS: I wonder if any agency has a Dead sysadmin's switch that would
automatically shut down the servers if no sysadmin is available for a
number of weeks.


