|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Cisco blunders with insecure web page
Once upon a time, blitz <[email protected]> said: > >But applicants registering for the programme online discovered their > >banking and company details were going onto an open web page. When one > >irate silicon.com reader called the Cisco helpdesk, he was informed > >that the company was aware of the problem because several other users > >had complained. <snip> > >In a statement, Cisco said it had pulled the registration URL for 48 > >hours to install SSL (secure sockets layer) - a common way of securing > >web pages. SSL does not secure web pages. It secures web _traffic_. If you don't protect a web page by required a password (either via HTTP authentication or a CGI based scheme), SSL won't help protect the data stored on the web server one bit. Okay, SSL _can_ be used to secure web pages with client certs, but that is not as common in the "real world" as different forms of password based authentication. Or is the article an over-simplification of the issue? -- Chris Adams <[email protected]> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
|