I recently saw that researchers had published their findings on security flaws in RC4 in TLS, which led to some articles being churned out with eye-catching headings such as “HTTPS is broken”. A decent write-up on the issue can be found on the Naked Security blog.
But this got me thinking about the whole relationship security professionals have with researchers. It’s kind of a love-hate relationship. Researchers find flaws, bugs and general ways to bypass security controls, algorithms, processes and all that other good stuff.
The question becomes, though: is it really broken if it was never fixed in the first place? The point being, it is an accepted fact that nothing is ever 100% secure. As Bruce Hallas is fond of saying, “If it is made by man it can be broken by man.” Therefore, it is not a matter of if a vulnerability is discovered in a security mechanism, but when. Once a vulnerability is discovered, be it by a researcher or an 8 year old messing around with her Raspberry Pi, it then falls to business security people to determine how likely that attack is to happen. Based on their viewpoint it may not be anything to worry about, or they may decide that this is something that needs to be fixed urgently. Beyond this, however, the business owner ultimately decides whether they want to run with the risk or not. Which is why, although researchers have demonstrated that chip and PIN can be defeated, banks have taken the view that for business purposes it is sufficient. Similarly, despite passwords being universally regarded as about as useful as a chocolate teapot, they are still used as the primary authentication mechanism for the majority of web-based applications in the world.
Perhaps what we don’t have enough of in the information security industry is collaboration between researchers, security professionals and the business. Although this particular research team has been quite pragmatic about the whole situation and acknowledges that the likelihood of the attack being used today is a bit slim, we still see some researchers and industries bickering in public over whether they should adopt one security posture or another.
Can’t we all just get along? Nah, where would the fun in that be?