Although secure websites remain the most common and reliable way to protect sensitive information as it flows across the Internet, the underlying encryption technology has been the subject of a number of vulnerabilities. These include the BEAST and CRIME attacks, the Heartbleed bug, and most recently, the POODLE attack.
A few things to keep in mind:
- Most of these attacks, including POODLE, are attacks against older versions of the website security protocol, SSL. The newer versions are called TLS, and presently TLS v1.1 and TLS v1.2 suffer from no known protocol vulnerabilities.
- The only exception was Heartbleed, which was a bug in the OpenSSL library itself rather than in any protocol version, and so affected every protocol version OpenSSL handled. Here again, the value of free and open source software is reaffirmed: the open nature of OpenSSL is what allowed security researchers not only to identify the problem but to fix both the technical bug and the underlying development process.
Those mainly at risk will be folks using old browsers on untrusted or public networks. While this doesn’t negate the potential danger (and certainly shouldn’t stop you from being cautious), it does reduce the circumstances in which you need to be actively aware of it. Checking that you’re immune from the attack is simple enough (in Firefox, click the green icon, then the Connection tab, and make sure the connection is using TLS 1.1 or TLS 1.2).
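The browser check above is the client-side view; an administrator or developer usually wants the same check from code. The following is an added example, not part of the original post, using only Python’s standard `ssl` module. It builds a client context whose floor is TLS 1.2 (my choice; the post’s bar is TLS 1.1), audits a context against that bar, and classifies the protocol name that `SSLSocket.version()` reports after a handshake. The hostname in the optional network helper is a placeholder.

```python
import socket
import ssl

# Protocol names exactly as SSLSocket.version() reports them. SSLv3 is what
# POODLE targets; TLS 1.1 and 1.2 are the versions the post calls safe.
POODLE_AFFECTED = {"SSLv2", "SSLv3"}
ACCEPTABLE = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}
MINIMUM_ACCEPTABLE = ssl.TLSVersion.TLSv1_1   # the post's bar


def classify_protocol(name):
    """Map a negotiated protocol name to 'poodle-affected', 'legacy' or 'acceptable'."""
    if name in POODLE_AFFECTED:
        return "poodle-affected"
    if name in ACCEPTABLE:
        return "acceptable"
    return "legacy"          # e.g. 'TLSv1' (TLS 1.0), older than the post's bar


def hardened_client_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Client context with certificate and hostname verification on and an explicit
    protocol floor. TLS 1.2 is chosen here; pass TLSVersion.TLSv1_1 for the post's bar."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    return ctx


def audit_minimum_version(minimum):
    """Return a list of findings for a context's minimum_version setting."""
    issues = []
    if minimum == ssl.TLSVersion.MINIMUM_SUPPORTED:
        issues.append("floor is whatever the library supports; set an explicit minimum")
    elif minimum < MINIMUM_ACCEPTABLE:
        issues.append(f"minimum {minimum.name} is below TLS 1.1 (SSLv3/TLS 1.0 era allowed)")
    return issues


def audit_context(ctx):
    """Findings for an SSLContext: protocol floor, SSLv3 flag, certificate checking."""
    issues = audit_minimum_version(ctx.minimum_version)
    if not ctx.options & ssl.OP_NO_SSLv3:
        issues.append("SSLv3 is not explicitly disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("certificate verification is off")
    return issues


def negotiated_version(host, port=443, ctx=None):
    """Connect to a server and return the protocol actually negotiated (needs network)."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("findings for hardened context:", audit_context(ctx) or "none")
    # Placeholder host; uncomment to test a real server over the network:
    # print(classify_protocol(negotiated_version("www.example.org")))
```

`audit_context` is the useful part for code review: run it over every `SSLContext` an application constructs and fail the build on any finding, which catches the “we still allow SSLv3 for one old client” configuration that the post says keeps these attacks alive years later.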
One of the worst things that can happen when a new attack is introduced is for unscrupulous individuals to whip folks into a needless frenzy, whether the end goal is to push a competing product, promote a new and untested idea, or to rush through flawed legislative changes.
A good security response is generally more measured, informed not by how scary the potential outcome might be but by real-world data about what’s happening right now. Fixing all of the holes in a place as vast as the Internet will take a long time and involves not just releasing new fixes but also dealing with old software that’s no longer getting updated.
That last bit is part of why there’s an element of “how is this still a thing” whenever we talk about security issues (the aforementioned BEAST attack has been around since 2011, for example); continued support for older products is another part. Information security is not just about safety but also about availability. Closing off a service to the portion of the community using older computers, browsers, smartphones, etc. may or may not improve the overall security posture of the College, depending on what that information is and what the risk is if it is compromised.
I don’t really know what Bill Gates had in mind when he said, in 2004, that he would solve the spam problem in 2 years, but it was probably something that nobody wanted to do because it would cut far too many people off from their email. Pushing out big changes forcefully and in a centralized fashion is something you can get away with as long as your users and customers know what they’re getting themselves into, but it’s not an approach that always works.
Hence, the continued reliance on outreach and education. Believe me, when the time comes that I can flip a switch and make everything instantly more secure without any unintended consequences, I will do so and leave you all alone. Until then, you’re stuck with me.