By and large, this blog is for my own amusement. Anyone reading it is a member of an exclusive club. Yet, it may have made a difference.
I recently wrote that the secure section of ssa.gov, the website of the US Social Security Administration, was not secure. As shown above, it was rated C, a really bad grade, at the SSL Server Test run by SSL Labs.
The main section of the site, the "www" portion, was perfectly secure, yet the section where citizens entered their userid/password (secure.ssa.gov) had two SSL/TLS security flaws.
These weren't headline-grabbing flaws; no security company was pointing a finger at Russian hackers. No one knows how many, if any, passwords leaked because of the flaws. And, judging by the page view reports from Computerworld, very few people read about them.
I tried to contact the Social Security Administration, but never heard back.
Despite all that, my previous blog may have made a difference. The previously insecure secure.ssa.gov is now, actually, really secure. The current rating from SSL Labs is shown above.
Thanks to Twitter user avareltech for pointing this out.
If there is a lesson here, it's that securing SSL/TLS (the protocols underlying HTTPS for secure web pages) is hard. A look at any full report from SSL Labs shows just how complicated it is. Claims that data is transmitted securely should be taken with a grain of salt.
And, props to you for reading this far. If there is anything less likely to garner attention than Defensive Computing, it's good news.