From: "Jonathan M. Slivko"
To: "John Howie", "Kurt Seifried", "Alfred Perlstein", "Moses Backman III"
Cc: "Todd Backman"
Subject: RE: woah
Date: Tue, 19 Dec 2000 14:50:32 -0500

I totally agree with that statement, John :)

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of John Howie
Sent: Monday, December 18, 2000 2:28 PM
To: Kurt Seifried; Alfred Perlstein; Moses Backman III
Cc: Todd Backman; freebsd-security@FreeBSD.ORG
Subject: Re: woah

----- Original Message -----
From: "Kurt Seifried"
To: "Alfred Perlstein"; "Moses Backman III"
Cc: "Todd Backman"
Sent: Monday, December 18, 2000 10:58 AM
Subject: Re: woah

> Stupid question but why did you send this to me and a mailing list, etc?
>
> > Kurt, I was pretty disappointed to see this article. If you tear
> > it down to the base content, the only problem with SSL/SSH is stupid
> > users.
>
> And the fact that SSL/SSH rely on said stupid users. Usually the weakest link...
>

I find the references (here and elsewhere) to stupid users as troubling. Most users are inexperienced, not stupid, and are certainly not clued up on Security. Their main focus is getting their work done and not knowing what it means when some obscure message pops up that lets them proceed even though they should not.

No, the problem is STUPID PROGRAMMERS. We should write our applications so that users cannot proceed in such circumstances. The only reason that we build applications so that users can proceed is that 99% of the time the reason the keys have changed/the certificate does not match the server is because we have reconfigured our systems thus invalidating (or losing) the keys and certificates and it is perfectly safe to proceed. Maybe I should add STUPID ADMINISTRATORS to the list here.

It is easy to blame one or more of users, programmers, and administrators for weak security but until we have the science perfected we all have to work together.

john...

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message