Date: Mon, 18 Dec 2000 11:27:52 -0800
From: "John Howie" <JHowie@msn.com>
To: "Kurt Seifried" <seifried@securityportal.com>, "Alfred Perlstein" <bright@wintelcom.net>, "Moses Backman III" <penguinjedi@home.com>
Cc: "Todd Backman" <todd@flyingcroc.net>, <freebsd-security@FreeBSD.ORG>
Subject: Re: woah
Message-ID: <017a01c06928$9e20ec60$9207c00a@local>
References: <Pine.BSF.4.21.0012172347240.48779-100000@security1.noc.flyingcroc.net> <20001218133716.A550@cg22413-a.adubn1.nj.home.com> <20001218104954.B19572@fw.wintelcom.net> <005a01c06924$77186340$ca00030a@seifried.org>

----- Original Message -----
From: "Kurt Seifried" <seifried@securityportal.com>
To: "Alfred Perlstein" <bright@wintelcom.net>; "Moses Backman III" <penguinjedi@home.com>
Cc: "Todd Backman" <todd@flyingcroc.net>; <freebsd-security@FreeBSD.ORG>
Sent: Monday, December 18, 2000 10:58 AM
Subject: Re: woah

> Stupid question but why did you send this to me and a mailing list, etc?
>
> > Kurt, I was pretty disappointed to see this article.  If you tear
> > it down to the base content, the only problem with SSL/SSH is stupid
> > users.
>
> And the fact that SSL/SSH rely on said stupid users. Usually the weakest link...
>

I find the references (here and elsewhere) to stupid users troubling. Most users are inexperienced, not stupid, and are certainly not clued up on Security. Their main focus is getting their work done and not knowing what it means when some obscure message pops up that lets them proceed even though they should not.

No, the problem is STUPID PROGRAMMERS. We should write our applications so that users cannot proceed in such circumstances. The only reason that we build applications so that users can proceed is that 99% of the time the reason the keys have changed/the certificate does not match the server is because we have reconfigured our systems thus invalidating (or losing) the keys and certificates and it is perfectly safe to proceed. Maybe I should add STUPID ADMINISTRATORS to the list here.

It is easy to blame one or more of users, programmers, and administrators for weak security but until we have the science perfected we all have to work together.

john...

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message