One Article Review

Source: UncommonSenseSecurity
Identifier: 360975
Publication date: 2017-03-24 13:21:06 (seen: 2017-03-24 13:21:06)
Title: I thought everyone knew this by now
Text:

But apparently not. I just saw some “Security Awareness Training” that gave the bad old advice of “look for the padlock” in your web browser. Here's my answer to that:

[image]

In a world where most of us face a constant threat from phishing, we need to better educate folks, and we need to make it easier to be secure. And since the latter isn't that easy, we need to teach better. Also, “don't click stuff” really defeats the point of the web, so while I understand the sentiment, it is not practical advice.

The padlock can mean a variety of things, but what it really signifies is that the connection between your browser and the web server is encrypted (HTTPS). It does not mean that all of the traffic on the page is encrypted: a page delivered over HTTPS can still pull in scripts, stylesheets or images over plain HTTP (mixed content), and browsers differ in what they block and how they change the indicator when that happens. Nor does it mean the traffic is encrypted well; the padlock says nothing about the protocol version or cipher suite that was negotiated. It also doesn't assure you that the traffic isn't being decrypted, inspected, and re-encrypted somewhere along the way, for example by a corporate proxy or an endpoint security product whose certificate authority has been added to your machine's trust store; the browser shows the same padlock for a certificate issued by that CA. Or maybe it isn't encrypted at all and someone just used a padlock image as the site's favicon, which some browsers display right next to the address (this varies somewhat by web browser). The padlock doesn't prove the identity of the site owner unless it is an EV (extended validation) certificate, and even then the validation is imperfect; an ordinary domain-validated certificate only shows that whoever obtained it controlled the domain name at the time it was issued, and the major browsers have since stopped showing a distinct EV indicator in the address bar at all.

When we just say “look for the padlock” we are giving people bad information and a false sense of security. It makes us less secure, so we need to kill this message. Even though it isn't entirely true, if we are going to oversimplify this, I think we're better off telling folks that the padlock doesn't mean a damn thing anymore, if it ever did.

While we're on the subject of browsers, you know the average computer user is just trying to do something, so the warnings they see are mentally translated to “just keep clicking until we let you go where you want”. I did find a few things which made me think of typical browser warnings:

[image: BrowserWarning]

This means it's OK to trespass up to this point, but no further? Is that like “this website is unsafe”? No, because if you look around this sign you can see the end of the pier is missing; if you click past the browser warning, you will not fall into the ocean.

And this, you know what it means, but what does it say?

[image]

That's right, it says don't P on the grass. Just because you know what something means does not mean you can assume others do; we need to do a better job of explaining things. Reminding folks of the invention of indoor plumbing when what you want is to keep cars off the grass sounds like a browser warning to me.
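The point above that the padlock does not mean “all of the traffic on the page is encrypted” is easy to check for a given page. The following is an added example, not code from the original post: it parses an HTML page that was served over HTTPS, resolves every sub-resource reference, and reports which ones a browser would fetch over plain HTTP, split into active (scripts, stylesheets, frames, which browsers block by default) and passive (images and media, which browsers upgrade or load with a downgraded indicator). It also honours a `<base href>` that silently downgrades relative URLs and the `upgrade-insecure-requests` CSP directive that rescues such pages. The sample page, hostnames and the `audit` and `padlock_verdict` function names are all constructed for this example.

```python
"""Mixed-content audit for a page served over HTTPS (added example).

Lists the sub-resources the page would fetch over plain HTTP even though the
page itself arrived over HTTPS, and says what the padlock does about it.
Sample HTML and hostnames below are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# "Active" fetches can run code or restyle the page; modern browsers block them
# when mixed. "Passive" fetches (images, media) follow the W3C Mixed Content
# spec's optionally-blockable list: browsers upgrade them or load them with a
# downgraded indicator.
ACTIVE = {"script": ("src",), "iframe": ("src",), "object": ("data",),
          "embed": ("src",)}
PASSIVE = {"img": ("src",), "audio": ("src",), "video": ("src", "poster"),
           "source": ("src",)}


class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base = page_url      # <base href> changes how relative URLs resolve
        self.upgrade = False      # CSP upgrade-insecure-requests seen?
        self.findings = []        # (kind, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # valueless attrs arrive as None
        if tag == "base" and a.get("href"):
            # A plain-http <base> downgrades every relative URL on the page.
            self.base = urljoin(self.page_url, a["href"])
            return
        if (tag == "meta"
                and a.get("http-equiv", "").lower() == "content-security-policy"
                and "upgrade-insecure-requests" in a.get("content", "").lower()):
            self.upgrade = True
            return
        if tag == "link":
            # Stylesheets can restyle the page; other <link> targets are passive.
            rels = a.get("rel", "").lower().split()
            self._check("active" if "stylesheet" in rels else "passive",
                        tag, a.get("href"))
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            for attr in table.get(tag, ()):
                self._check(kind, tag, a.get(attr))

    def _check(self, kind, tag, value):
        if not value:
            return
        url = urljoin(self.base, value.strip())   # "//host/x" inherits https
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))


def audit(page_url, html):
    """Return the plain-HTTP sub-resources of an HTTPS page, split by severity."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for pages served over https")
    parser = MixedContentAuditor(page_url)
    parser.feed(html)
    parser.close()
    return {
        "active": [u for k, _, u in parser.findings if k == "active"],
        "passive": [u for k, _, u in parser.findings if k == "passive"],
        "upgrade_insecure_requests": parser.upgrade,
    }


def padlock_verdict(report):
    """What a current browser does with the page, given the audit result."""
    if report["upgrade_insecure_requests"]:
        return "clean: CSP upgrades every http:// sub-resource to https:// before fetching"
    if report["active"]:
        return "active mixed content: browsers block these fetches by default"
    if report["passive"]:
        return "passive mixed content: browsers upgrade it or load it with a downgraded indicator"
    return "clean: every sub-resource is fetched over https"


# Constructed sample: an HTTPS page that mixes good and bad references.
SAMPLE_URL = "https://www.example.test/account"
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<img src="/assets/local.png">
<script src="https://cdn.example.test/ok.js"></script>
</body></html>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_URL, SAMPLE_PAGE)
    for kind in ("active", "passive"):
        for url in report[kind]:
            print(f"{kind:7} {url}")
    print(padlock_verdict(report))
```

On the sample page only the stylesheet and the logo are flagged: the protocol-relative `//cdn.example.test/app.js` and the root-relative image both resolve to https, which is exactly why a quick glance at the markup is not enough and the URLs have to be resolved the way the browser does. The audit is static, so it cannot see resources added by script at runtime; for that you would look at the browser's own mixed-content warnings in the console.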
Stories: APT 32


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.