Encryption headaches


By Joseph Wentzel

Early last week I was reminded of the headaches that can be encountered with encryption. A site we are dependent on has installed a revoked certificate, and our policy has no wiggle room on whether we can still connect.

People who are supposed to know better have a certificate that has expired, so instead of going out and getting a new one, they find they have an old one lying around (the fact it was revoked and already expired notwithstanding) and go ahead and install it as a cost-saving measure. After I get done shaking my head in disbelief and wondering who could have thought such an act was actually a good idea, I begin to wonder about our users.

Our poor personnel that have to connect to the site to manage specific items are now barred from doing so, by best practice. They don’t understand this. All they see is that we no longer allow them to do their job. A quick explanation that it is on the provider’s site does little to help. They still want me to supply a solution.

An email conversation between myself, our staff and the provider led to three possible solutions:

1) Install a new certificate – the ideal solution.
2) Reinstall the expired but not revoked certificate, as we can work with it – a poor solution.
3) Remove SSL/TLS from the equation – another poor solution.

Not much in the way of solutions and with poor staff that don’t really understand. These are not technically illiterate people. They understand the reasons for security. They just aren’t in our field and don’t understand the specifics.

If reasonable people that enjoy the benefits of IT every day and manage devices through the use of technology have problems with this, then what about the average consumer?