20th Century Tech v A 21st Century World!

One of the biggest smiles of the day was for this:

I smile because it identifies a core problem: companies often have to be “forced” to change their ways. “Go on, make me”, they might say. “Well”, says the CTO, “we passed our audit/compliance review with flying colours, and everything is okay”.

The tweet says that perhaps Chrome is wrong. As a Professor who teaches cyber security, I agree with Chrome, and say that the accesses to the main Web site are insecure: users cannot determine whether there is a man-in-the-middle, or whether this is a fake site. Someone capturing the network traffic will also be able to examine the contents of the accesses to the site.

If an organisation such as the TV Licensing authority, which is in great danger of being a target for fake sites, thinks that proper identification of its main site is not needed … even at a cost of zero dollars (with Let’s Encrypt) … we really must worry:

If they don’t understand why they should have HTTPS over their whole site, we must worry that there is little understanding of the key risks involved (especially scamming risks), and that they perhaps need to go on a cryptography/PKI course.
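The point above (plain HTTP gives the browser no way to identify the server, and a redirect alone does not protect returning visitors) can be turned into a repeatable check. The following Python is an added example, not code from the post; the host names and response headers are constructed, and the one-year HSTS threshold and the `fetch_posture` helper are assumptions, not recommendations from the author.

```python
# Added example: offline check of whether a site funnels plain-HTTP visitors onto
# HTTPS and pins them there with HSTS. The sample responses below are constructed;
# the host names and the one-year HSTS threshold are assumptions, not values from
# the post.
import http.client
from dataclasses import dataclass, field

REDIRECT_STATUSES = {301, 302, 307, 308}
MIN_HSTS_MAX_AGE = 31536000  # one year; assumed threshold, not from the post


@dataclass
class Response:
    """Minimal view of an HTTP response: status code plus lower-cased headers."""
    status: int
    headers: dict = field(default_factory=dict)

    def __post_init__(self):
        self.headers = {k.lower(): v for k, v in self.headers.items()}


def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security header, or None."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(num.strip().strip('"'))
            except ValueError:
                return None
    return None


def https_posture(http_resp, https_resp):
    """Return finding codes for the plain-HTTP and HTTPS responses of one host.

    An empty list means: HTTP visitors are redirected to HTTPS, and the HTTPS
    response tells returning browsers never to use HTTP again (HSTS).
    """
    findings = []
    if http_resp.status not in REDIRECT_STATUSES:
        # Content served in clear: readable and replaceable by anyone on the path,
        # and the browser has no way to tell this server from an impostor.
        findings.append("NO_HTTPS_REDIRECT")
    else:
        location = http_resp.headers.get("location", "")
        if not location.lower().startswith("https://"):
            findings.append("REDIRECT_NOT_HTTPS")

    hsts = https_resp.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("NO_HSTS")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append("HSTS_TOO_SHORT")
    return findings


def fetch_posture(host, timeout=5):
    """Live variant (hypothetical helper): fetch / over both schemes and classify."""
    def get(conn_cls):
        conn = conn_cls(host, timeout=timeout)
        try:
            conn.request("GET", "/", headers={"Host": host})
            r = conn.getresponse()
            return Response(r.status, dict(r.getheaders()))
        finally:
            conn.close()
    return https_posture(get(http.client.HTTPConnection),
                         get(http.client.HTTPSConnection))


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "plain-http-site.example": (
        Response(200, {"Content-Type": "text/html"}),
        Response(200, {"Content-Type": "text/html"}),
    ),
    "redirect-only.example": (
        Response(301, {"Location": "https://redirect-only.example/"}),
        Response(200, {"Strict-Transport-Security": "max-age=600"}),
    ),
    "https-everywhere.example": (
        Response(301, {"Location": "https://https-everywhere.example/"}),
        Response(200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ),
}


def audit_samples():
    """Classify every constructed sample; returns {host: [finding, ...]}."""
    return {host: https_posture(h, s) for host, (h, s) in SAMPLES.items()}


if __name__ == "__main__":
    for host, findings in audit_samples().items():
        print(f"{host}: {findings or 'OK'}")
```

The three constructed cases map onto the post's argument: the first is the "plain HTTP" situation Chrome flags, the second redirects but leaves returning visitors exposed to a first plain-HTTP request, and only the third gives the browser a basis to refuse HTTP at all.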

I wrote an article recently about GDPR, and outlined that, at least, GDPR/NIS forces those who don’t do anything to at least do something …

So if it wasn’t for Google pushing Chrome, and for people like Troy Hunt and Scott Helme, much of the industry would quite happily sit back and do the same old things they have done for the last 40 years.

Conclusions

A whole lot of public sector authorities, including high-risk ones such as law enforcement and health care, seem to think that they can stick their fingers in their ears and hope that Chrome, cryptography and HTTPS will go away, forgetting that their users will not be able to use their sites anymore, as Chrome dominates the market. So if their CEO still uses Internet Explorer, everything might be okay, but the world has moved on in the last 10 years, and there are no excuses for well-supported sites not to have HTTPS … it takes a few minutes to implement.

And so, at least, GDPR and NIS will get organisations that won’t do anything to at least do something. Unfortunately, they have to be continually reminded to do things.

I think I might change the talk I’ll give on 17 October to … “20th Century Tech v A 21st Century World”, as I’ll show how cryptography can help build a more trusted, resilient and robust world: