This is an important topic presented by Mr. Krebs. We have conditioned ourselves and our end users to see the little lock next to an address as an “all clear” sign. That is no longer the case. SSL is becoming truly ubiquitous. We have to look beyond the lock, educate users about what certificates are and how they work, and explain what to verify and consider.
This is a very serious vulnerability that should be addressed on all applicable web servers. Please see the following links for more information.
While I have battled and complained against the PCI DSS in the past, I am in complete agreement with the PCI Council when it comes to enforcing best practices around SSL and TLS vulnerabilities. The changes in DSS 3.1 are valid, important, and should be welcomed by the IT security community.
Though this is only a small first step, it is an important one. There is simply too much valuable information available on Federal websites to not take as many valid precautions as possible.
This is an excellent explanation of the changes announced by the Payment Card Council (PCI) concerning the use of SSL as a form of strong cryptography. Please take note of Mr. Man’s explanation and the impacts these changes will have on compliance efforts.
Kudos to Google for continuing to fight this fight and lead their browser users to a safer environment. This issue could have been easily ignored.