In the PKI world, we're taught to consider a flawed certificate to be the same as no certificate at all. Clearly the Internet would grind to a halt if we actually followed that advice. Notably, the 3 percent figure is across all websites on port 443; the larger, more popular websites had a better name-validity rate, 28 percent.
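To make the "flawed certificate equals no certificate" rule concrete, here is an added example (not code from the article, the author or InfoWorld) that implements the name-validity check the paragraph refers to, the RFC 6125 hostname-matching rules for dNSName entries as browsers apply them, and treats any defect as a hard failure. The Certificate class, the hostnames, dates and sample certificates are constructed stand-ins for parsed X.509 data so the example runs offline; none of them refer to real sites.

```python
"""Certificate name validation as a hard pass/fail check.

Added example, not code from the original article. It implements the
hostname-matching rule browsers apply to the dNSName entries of a
certificate's Subject Alternative Name extension (RFC 6125 section 6.4.3,
with the stricter wildcard handling browsers actually use) plus a minimal
validity and chain check. Certificate and the sample data below are
constructed stand-ins for parsed X.509 fields; nothing here touches the
network or real certificates.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def hostname_matches(hostname: str, dns_names: Iterable[str]) -> bool:
    """True if hostname is covered by one of the certificate's dNSName entries.

    Matching is case-insensitive. A wildcard must be the entire left-most
    label, matches exactly one label (so *.example.com covers neither
    a.b.example.com nor example.com itself), and at least two labels must
    follow it, which rejects *.com. Partial wildcards such as w*.example.com
    are rejected, as browsers do.
    """
    host = _labels(hostname)
    if any(label == "" for label in host):
        return False  # empty hostname or empty label: nothing can match it
    for pattern in dns_names:
        pat = _labels(pattern)
        if "*" not in pattern:
            if pat == host:
                return True
            continue
        if pat[0] != "*" or any("*" in label for label in pat[1:]) or len(pat) < 3:
            continue  # malformed or over-broad wildcard: never matches
        if len(host) == len(pat) and host[1:] == pat[1:]:
            return True
    return False


@dataclass
class Certificate:
    """The fields a validator looks at; a stand-in for a parsed X.509 certificate."""
    subject_cn: str
    san_dns_names: List[str]
    not_before: datetime
    not_after: datetime
    chains_to_trusted_root: bool = True


def validation_errors(hostname: str, cert: Certificate, now: datetime) -> List[str]:
    """Return every reason the certificate fails for this hostname (empty means valid)."""
    errors: List[str] = []
    if not cert.chains_to_trusted_root:
        errors.append("untrusted chain")
    if not (cert.not_before <= now <= cert.not_after):
        errors.append("outside validity period")
    # When a SAN extension is present the CN is ignored; the CN fallback only
    # applies to older certificates that carry no SAN at all.
    names = cert.san_dns_names if cert.san_dns_names else [cert.subject_cn]
    if not hostname_matches(hostname, names):
        errors.append("name mismatch")
    return errors


def accept_connection(hostname: str, cert: Certificate, now: datetime) -> bool:
    """The PKI rule: any defect is treated exactly like presenting no certificate.

    A client that proceeds anyway keeps the encryption but loses the identity
    assurance, because an attacker in the path can present any mismatched or
    self-signed certificate just as easily as the real server presents a bad one.
    """
    return not validation_errors(hostname, cert, now)


# Constructed sample data (assumed values, not real certificates).
_UTC = timezone.utc
NOW = datetime(2010, 8, 1, tzinfo=_UTC)
_VALID_FROM = datetime(2010, 1, 1, tzinfo=_UTC)
_VALID_TO = datetime(2011, 1, 1, tzinfo=_UTC)

GOOD_CERT = Certificate("www.example.com", ["www.example.com", "example.com"], _VALID_FROM, _VALID_TO)
WRONG_NAME_CERT = Certificate("mail.example.com", ["mail.example.com"], _VALID_FROM, _VALID_TO)
EXPIRED_CERT = Certificate("www.example.com", ["www.example.com"], _VALID_FROM, datetime(2010, 6, 1, tzinfo=_UTC))
SELF_SIGNED_CERT = Certificate("www.example.com", ["www.example.com"], _VALID_FROM, _VALID_TO, chains_to_trusted_root=False)

if __name__ == "__main__":
    for label, cert in [("good", GOOD_CERT), ("wrong name", WRONG_NAME_CERT),
                        ("expired", EXPIRED_CERT), ("self-signed", SELF_SIGNED_CERT)]:
        print(f"{label:12s}", validation_errors("www.example.com", cert, NOW) or "accepted")
```

The point of `accept_connection` is that the return value is a bare boolean with no "proceed anyway" path: a name mismatch, an expired validity window or an untrusted chain each yields the same answer as no certificate. The 28 percent versus 3 percent figures in the text are about how many sites would pass the `hostname_matches` step alone; a client that downgrades any of these failures to a warning has effectively opted out of the identity half of TLS.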
I spoke with Jeremiah Grossman, founder and CTO of WhiteHat Security, about what it would take to make the Internet a significantly less toxic environment. I enjoyed his comments and candor, compared with the canned, industrial comments I got from many other company figureheads. His response: "Blood and loss of life, perhaps somebody important and well known." This sounds like a guy who has been in the trenches for more than a few years.
I mean, it's hard to disagree when two of the most popular and foundational protocols of the Internet, DNS and SSL, are both still horribly implemented after almost three decades of use. Grossman said it even better when I asked him which security technology would have the most impact against malicious hacking. He said, "None of the real challenges are technical."
The event wasn't entirely disheartening, though. I spoke to Dov Yoran, partner at MetroSITE Group and one of the founders of the Cloud Security Alliance. I complimented him on the CSA's early work and what it has accomplished. The CSA is trying to ensure that solid, resilient, consistent, and even more important, verifiable security gets implemented and is measurable by cloud users. This is a pleasant break from the usual pattern, in which security is bolted on only after a huge tipping-point event, as has happened with nearly every other nascent computer technology.
I was also pleased to see the efforts of people such as my new friend Martin McKeay, a security blogger and podcaster at Network Security Podcast. He has devoted a part of his professional life to the blog and podcasts, yet he readily admits that he doesn't make a dime from it.
Black Hat is a testament to a whole bunch of smart people who have the answers to what it will really take to make the world a safer place to compute -- that's a given. But when will all the good hackers have the necessary support of corporations, governments, and really, society in general, to move us past the current anemic pace of improvement? And will it really take blood on the ground (or the banking or stock market systems crashing for a week) to get to real change? Right now I'm predicting that we won't be discussing the partial implementation of IPv6 until Black Hat 2020.
This story, "Waiting for an Internet security fix? Don't hold your breath," was originally published at InfoWorld.com. Follow the latest developments in security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com.