Re: Network security manager
From: Lars Magne Ingebrigtsen
Subject: Re: Network security manager
Date: Tue, 18 Nov 2014 18:36:25 +0100
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/24.4.51 (gnu/linux)

Ted Zlatanov <address@hidden> writes:
> LMI> GPG isn't feasible because nobody wants to type passwords.
>
> Whuhh?

Yeah?

> Yes, it's a bother. We're talking about potentially dozens or hundreds
> of exceptions in a large enterprise. But let's assume the `a' key is
> large and easy to hit.
>
> Scenario 1: you allow a compromised server accidentally. You now can't
> review the exception list to remove that compromise.
>
> Scenario 2: someone allows a compromised server on purpose in a few
> seconds. You have no idea it happened.
>
> I'm sure there are other scenarios, but please don't make this a
> write-only data store.

Well, we could have a setting that says that the NSM should re-query
security exceptions...

On the other hand, we could store the server names in plain text when we
store security exceptions to make reviews easier. That is, keep the
hash-only thing for STARTTLS man-in-the-middle tracking and the like,
but if the user registers an exception, then we'd stash the server name
in there, too.

This would avoid leaving a complete list of STARTTLS servers in that
file, but still allow easy removal of specific exceptions.

--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
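
The storage split proposed in the message above, sketched as an added example (not code from nsm.el or from anyone in the thread): STARTTLS tracking entries keep only a hash, while user-approved exceptions also keep the server name so they can be listed and removed. All `demo-nsm-*` names, the plist layout, the reading of "tracking" as remembering that a server once offered STARTTLS, and the sample hosts are assumptions made for illustration.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration, not nsm.el.  Every demo-nsm-* name is hypothetical.
(require 'cl-lib)

(defvar demo-nsm-store nil
  "In-memory stand-in for the settings file: a list of plists.")

(defun demo-nsm-id (host port)
  "Return an opaque SHA-1 identifier for HOST and PORT."
  (concat "sha1:" (sha1 (format "%s:%s" host port))))

(defun demo-nsm-starttls-seen-p (host port)
  "Non-nil if HOST:PORT is known to have offered STARTTLS before."
  (let ((id (demo-nsm-id host port)))
    (cl-some (lambda (e) (and (eq (plist-get e :kind) 'starttls)
                              (equal (plist-get e :id) id)))
             demo-nsm-store)))

(defun demo-nsm-note-starttls (host port)
  "Remember that HOST:PORT offered STARTTLS, storing the hash only."
  (unless (demo-nsm-starttls-seen-p host port)
    (push (list :id (demo-nsm-id host port) :kind 'starttls)
          demo-nsm-store)))

(defun demo-nsm-add-exception (host port conditions)
  "Store a user-approved exception, keeping the server name readable."
  (push (list :id (demo-nsm-id host port) :kind 'exception
              :host (format "%s:%s" host port) :conditions conditions)
        demo-nsm-store))

(defun demo-nsm-list-exceptions ()
  "Return (HOST . CONDITIONS) for each exception, for human review."
  (cl-loop for e in demo-nsm-store
           when (eq (plist-get e :kind) 'exception)
           collect (cons (plist-get e :host) (plist-get e :conditions))))

(defun demo-nsm-remove-exception (host port)
  "Drop the exception for HOST:PORT; STARTTLS entries are untouched."
  (let ((name (format "%s:%s" host port)))
    (setq demo-nsm-store
          (cl-remove-if (lambda (e) (and (eq (plist-get e :kind) 'exception)
                                         (equal (plist-get e :host) name)))
                        demo-nsm-store))))

;; Constructed sample data (hosts are placeholders).
(demo-nsm-note-starttls "mail.example.org" 25)
(demo-nsm-add-exception "legacy.example.net" 443 '(:expired))
(demo-nsm-list-exceptions)       ; names appear only for approved exceptions
(demo-nsm-remove-exception "legacy.example.net" 443)
```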