
[WEB SECURITY] Turning off SSL after a hack?



After reading RSnake's recent blog post, SSL Can Hurt Security [1], an article [2] appeared on CNN where some of the subject matter crossed paths. The US State Department suffered a "large scale computer break-in". Here's where the interesting bits come in:

"After the State Department break-ins, many employees were instructed to change their passwords. The department also temporarily disabled a technology known as secure sockets layer, used to transmit encrypted information over the Internet.

Hackers can exploit weaknesses in this technology to break into computers, and they can use the same technology to transmit stolen information covertly off a victim's network."

I have a hard time swallowing that SSL was actually turned off. More likely the author didn't get the facts straight. But who knows, stranger things have happened.


[1] SSL Can Hurt Security http://ha.ckers.org/blog/20060711/ssl-can-hurt-security/

[2] Hackers target State Dept. computers http://www.cnn.com/2006/US/07/11/state.hackers.ap/index.html



Regards,

Jeremiah Grossman
Founder and CTO
WhiteHat Security, Inc.
www.whitehatsec.com



----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/


The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



