Quote:
Originally Posted by Easyeddie
So to put it another way
OpenSSL: false sense of security
No SSL: no security at all...
so if you're worried about whether ECCIE was affected...... well, that's the last thing to worry about...
I wouldn't say that. "SSL" does not mean "security", nor does "no SSL" mean "no security". Keep in mind, what SSL does is stop (or at least make it impractical) for information you send to/from a server to be observed or otherwise messed with by a third party. (It does some other things too, but there's no need to get into that level of detail here.) Without SSL, the information you send and receive could be observed or changed while it's being sent across the network. However, to be able to do that, the bad guy needs to be in a "privileged position" on the network. The next-door neighbor who's snooping the packets on your wireless network and has somehow cracked your encryption key (you're still using WEP? Really?). The guy at the table next to you who's snooping the packets on the wireless network while you're surfing the Internet on your laptop at your local coffee shop (where the wireless network probably uses no encryption at all). The technicians at your ISP - or, in fact, at any other network service provider that the data has to pass through to get where it's going. Your employer, if you're surfing the Internet via your employer's network. The FBI, if they've got a CALEA-authorized tap to monitor your network activity at your ISP (or at the server's ISP). The NSA, since they monitor everything, everywhere.... The point is, someone's somehow got to get a foothold in the actual network infrastructure in order to steal your information.
By contrast, while the Heartbleed vulnerability does not allow an attacker to modify your network traffic, it has the potential to expose your information to ... anyone, anywhere... The best explanation I've seen so far about how the vulnerability works is:
http://xkcd.com/1354
In terms of how bad this vulnerability is, I've heard one information security researcher describe it as, "On a scale of 1 to 10, this is an 11."
While it would be ideal if ECCIE would use SSL, I can imagine some reasons why it might be difficult to implement (such as, having to provide positive ID and such to an SSL certificate authority...), and I'm sufficiently comfortable with the fact that they don't (though if ECCIE eventually did offer access to the site via https:, using a self-signed certificate or something, I'd certainly use it just to get the data encrypted in transit). If it is a concern to you, you can take some steps to significantly mitigate it. Use a different password on ECCIE than you use for anything else, and change it regularly. Don't browse ECCIE from public networks (like the local library, the nearby coffee shop with free WiFi, etc.), or from work. Make sure your home WiFi network uses strong encryption (WPA/WPA2). Some simple, common sense precautions should eliminate most of your concerns.
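As an added illustration (not part of the original post), here is the missing bounds check at the heart of Heartbleed, simulated in C on a constructed in-memory arena rather than on a real TLS connection: the vulnerable handler trusts the peer's claimed payload length and echoes that many bytes, while the hardened handler (the shape of the OpenSSL fix) first checks that the claimed length fits inside the record that was actually received. The arena, the "hat" payload and the "SESSION-COOKIE" bytes next to it are all constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed heartbeat message (RFC 6520 layout):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * The message sits at the start of a hypothetical memory arena, followed by
 * unrelated bytes standing in for whatever else lives in the process heap. */
#define PAYLOAD      "hat"                      /* 3 real payload bytes */
#define PAYLOAD_LEN  3
#define SECRET       "SESSION-COOKIE=abc123"    /* constructed "neighbour" data */
#define SECRET_LEN   21
#define RECORD_LEN   (1 + 2 + PAYLOAD_LEN + 16) /* bytes the record layer got */

static unsigned char arena[128];
static unsigned char reply[64];

static void build_arena(uint16_t claimed_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                 /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, PAYLOAD, PAYLOAD_LEN);
    memcpy(arena + RECORD_LEN, SECRET, SECRET_LEN); /* just past the record */
}

/* Vulnerable handler: trusts payload_length and echoes that many bytes,
 * reading past the 3 bytes the peer actually sent. Returns reply length. */
static size_t vulnerable_reply_len(uint16_t claimed_len) {
    build_arena(claimed_len);
    size_t n = ((size_t)arena[1] << 8) | arena[2];
    if (n > sizeof reply) n = sizeof reply;       /* keep the simulation in-bounds */
    memcpy(reply, arena + 3, n);
    return n;
}

/* Hardened handler: the claimed length must fit inside the record that was
 * actually received, otherwise the message is silently dropped. */
static size_t hardened_reply_len(uint16_t claimed_len) {
    build_arena(claimed_len);
    size_t n = ((size_t)arena[1] << 8) | arena[2];
    if (1 + 2 + n + 16 > RECORD_LEN) return 0;    /* reject: would over-read */
    if (n > sizeof reply) return 0;
    memcpy(reply, arena + 3, n);
    return n;
}

/* True if a reply of length n carries the neighbouring secret bytes. */
static int reply_leaks_secret(size_t n) {
    size_t off = RECORD_LEN - 3;                  /* where the secret lands in reply */
    return n >= off + SECRET_LEN && memcmp(reply + off, SECRET, SECRET_LEN) == 0;
}
```

With a claimed length of 40 the vulnerable handler returns 40 bytes that include the cookie, while the hardened handler returns nothing; with the honest length of 3 both echo just "hat".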