Comment by lol768

2 years ago

At some point, isn't there some responsibility that rests with manufacturers for choosing to continue to support known-insecure standards?

How many browsers do you think support the TLS_NULL_WITH_NULL_NULL cipher?

> At some point, isn't there some responsibility that rests with manufacturers for choosing to continue to support known-insecure standards?

There should be. Also there should be liability for access control system customers for choosing low cost, insecure solutions. But just like in the InfoSec world, there are simply no consequences to companies that cheap out and fail at security. These companies just issue a press release saying “we take security very seriously” and continue on with their business.

It's often a compatibility thing too. Insecure standards can often coexist because they're the lowest common denominator. It's just a "password" stored and transmitted as plaintext.

A secure system would involve a PKI which increases complexity and management overhead significantly (you won't be able to just copy "passwords" from one system to another, etc).
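To make the "plaintext password" point concrete, here is an added example (not code from anyone in this thread or from any real access control product) contrasting a legacy reader that forwards a stored credential as-is with a challenge-response scheme in which the secret never leaves the card. The credential string, card IDs and keys are constructed for illustration. It uses a per-card symmetric HMAC key instead of a full PKI, which is a simplification: it shows why a captured message cannot be replayed, but does not model the key distribution and management overhead the comment above is talking about.

```python
import hashlib
import hmac
import secrets

# --- Legacy design: the stored credential IS the secret and goes over the wire unchanged ---

# Constructed sample credential, not from any real system.
LEGACY_CREDENTIAL = b"facility=123;card=45678"
LEGACY_ALLOW_LIST = {LEGACY_CREDENTIAL}


def legacy_reader_message(credential: bytes) -> bytes:
    """A plaintext reader simply forwards the credential bytes it was given."""
    return credential


def legacy_controller_accepts(wire_message: bytes, allow_list: set) -> bool:
    """The controller compares the received bytes against its allow list."""
    return wire_message in allow_list


def demo_legacy_replay() -> bool:
    """Anyone who sniffed one message can replay it forever; returns True if accepted."""
    captured = legacy_reader_message(LEGACY_CREDENTIAL)  # observed once on the wire
    return legacy_controller_accepts(captured, LEGACY_ALLOW_LIST)


# --- Challenge-response design: the card proves key possession without revealing the key ---

class Card:
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id = card_id
        self._key = key  # never transmitted

    def respond(self, nonce: bytes) -> tuple:
        """Answer a controller challenge with an HMAC over (card_id || nonce)."""
        tag = hmac.new(self._key, self.card_id + nonce, hashlib.sha256).digest()
        return (self.card_id, nonce, tag)


class Controller:
    def __init__(self, keys_by_card_id: dict):
        self._keys = keys_by_card_id
        self._outstanding = set()  # challenges issued but not yet consumed

    def challenge(self) -> bytes:
        """Issue a fresh random nonce; each one is valid for exactly one response."""
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def accepts(self, card_id: bytes, nonce: bytes, tag: bytes) -> bool:
        if nonce not in self._outstanding:
            return False          # unknown or already-used challenge: replay rejected
        self._outstanding.discard(nonce)  # single use, even if the tag turns out wrong
        key = self._keys.get(card_id)
        if key is None:
            return False
        expected = hmac.new(key, card_id + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def demo_challenge_response() -> tuple:
    """Returns (genuine accepted, exact replay accepted, captured tag on new nonce accepted)."""
    key = secrets.token_bytes(32)           # constructed per-card key, shared with the controller
    card = Card(b"45678", key)
    controller = Controller({b"45678": key})

    nonce = controller.challenge()
    captured = card.respond(nonce)          # attacker observes this whole exchange
    genuine = controller.accepts(*captured)
    replay = controller.accepts(*captured)  # same bytes again: nonce already consumed

    nonce2 = controller.challenge()         # attacker tries the old tag on a fresh challenge
    forged = controller.accepts(captured[0], nonce2, captured[2])
    return (genuine, replay, forged)


if __name__ == "__main__":
    print("legacy replay accepted:", demo_legacy_replay())
    print("challenge-response (genuine, replay, forged):", demo_challenge_response())
```

The asymmetry in cost is visible even in this toy: the legacy controller needs nothing but a list of strings that can be copied between systems, while the challenge-response controller needs per-card keys provisioned on both sides, fresh randomness, and state for outstanding challenges.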

  • Compat is a factor and valid in some instances. It's not valid at all in this case. The old systems are wholly insecure, and should not be offered at all.

    This is just some faceless corp being cheap and ignoring the consequences, not their problem.

I think the only reason why we have the amount of attention to security that we do in the software industry is because Internet enabled cheap automated large-scale attacks - enough so that even very low-value targets are well worth it.