
Comments
Internet Architecture Board Calls For Net Encryption By Default
macker490,
User Rank: Ninja
11/20/2014 | 8:14:47 AM
x.509 Galore
Once just about everyone has an x.509 certificate (we are close now) -- just about everything you look at will appear to be valid.

this is a problem on the net NOW as people really don't know, from day to day, what a site is supposed to look like -- nor x.509 identifications.

until people take up the practice of validating and signing x.509 certificates the problem will remain: we don't know who to trust.

the deluge of x.509 certificates that your browser dumps on you should all be flagged MARGINAL TRUST

to get Full Trust you need to check the fingerprint on the certificate with a reliable source and then sign the certificate using your copy of PGP/Desktop or GnuPG

reliable source: I recommend your local Credit Union. A co-operative would need to be set up.
Dr.T,
User Rank: Ninja
11/20/2014 | 10:28:21 AM
Re: x.509 Galore
Public-private pair is the way to go. You have to have something you do not share with anyone but yourself. If more than two people know it, it does not matter how many certificates we have.
RyanSepe,
User Rank: Ninja
11/20/2014 | 8:54:49 AM
Encryption: A benefit as well as detriment
That's terrifying that the increase of encryption throughout the stack will cause a growing blindspot within organizations. Are the pervasive scans currently being leveraged through IDS/IPS and MSSPs not able to break through the encryption to depict events efficiently today? Or is the obfuscation referenced here due to strictly human correlated data audits?
Dr.T,
User Rank: Ninja
11/20/2014 | 10:29:38 AM
Re: Encryption: A benefit as well as detriment
Encryption can be fast enough and have minimal impact on the network and systems; the main problem is the visibility.
RyanSepe,
User Rank: Ninja
11/20/2014 | 10:35:10 AM
Re: Encryption: A benefit as well as detriment
Agreed. Maybe I should have phrased "as well as a detriment" in a hesitant questionesque manner. But visibility may be difficult because encryption methodologies seek specifically to limit the scope of unauthorized visibility. As posed before, would the pervasive detection tools now be able to see through the encryption? Because as stated in the article, if they can't, changes/modifications can be made without knowledge of the enterprise security initiative.
Marilyn Cohodas,
User Rank: Strategist
11/21/2014 | 8:11:34 AM
No win situation
This does seem like a damned if you do and damned if you don't situation. But given the trends outlined in the article, to do nothing seems to be the worst-case scenario.
GonzSTL,
User Rank: Ninja
11/21/2014 | 2:35:24 PM
Re: Encryption: A benefit as well as detriment
Nothing is scarier than knowing that you do not know what data is flowing through your network. Implementation of this within an internal private network should only come after security related products have been developed that take this into account. This would probably also mean that existing products will be forklifted to make room for the new ones - a very expensive undertaking.
Marilyn Cohodas,
User Rank: Strategist
11/24/2014 | 10:32:46 AM
Re: Encryption: A benefit as well as detriment
This does seem like a radical change that will pose some serious implementation issues for many security teams. But the Gartner prediction -- if true -- that, by 2017, more than half of all cyberattacks will use some form of encryption to sneak malicious traffic by security systems -- is pretty scary.
Dr.T,
User Rank: Ninja
11/20/2014 | 10:25:40 AM
Encryption is our friend, not so fast
I would love to see encryption across the board in and out of the networks. There is one single problem: visibility. You know you encrypted everything and you do not know what is flowing in your network; that would not mean you are secure. The tools that are required to monitor the network should also be encryption-aware for this to succeed.
Kelly Jackson Higgins,
User Rank: Strategist
11/21/2014 | 2:06:52 PM
Re: Encryption is our friend, not so fast
Yes, @DrT. That's what this story talks about as the tradeoff. 

