The 4th rule of network security: don’t trust encryption

Following my 3 rules of network security post, I’ve been thinking a lot more about the NSA aspect, and the fact that even if you have managed trust on the client, the server and the network, there’s still another concern, because the number one way of building trust, of saying that machine is who it says it is, of saying I can pass this personal data across an open network safely, is encryption.

Every so often we hear that an encryption method is broken, whether it’s WEP in your WiFi router, Elliptic Curves in the NSA-approved RSA security tool, or Heartbleed in OpenSSL, the only solution is to reset and start again, and hope none of your old data was compromised.

So, don’t store data you can’t afford to lose, unless you really have to (in Europe, if it’s personal data, minimising storage and collection is the law). All your security should be reviewed and hosted regularly. Someone’s full time job should be keeping on top of patches, renewing security credentials, including SSL certificates and passwords, and never chain credentials as a failure in one will lead to a cascade failure of your entire stack. Perfect Forward Security, for example is designed to avoid using the SSL certificate to generate the session key, so that any encrypted stream is not securely dependent on maintaining the privacy of the SSL certificate.

Advertisements

9 thoughts on “The 4th rule of network security: don’t trust encryption

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s