Re: PHP mysql_excape but need to search for those items [message #178419 is a reply to message #178418] |
Sat, 16 June 2012 13:25 |
Jerry Stuckle
Messages: 2598 Registered: September 2010
Karma:
|
Senior Member |
|
|
On 6/16/2012 2:33 AM, Arno Welzel wrote:
> Jerry Stuckle, 16.06.2012 03:07:
>
>> On 6/15/2012 4:36 PM, Arno Welzel wrote:
>>>
> [...]
>>> To read more about:<http://www.kb.cert.org/vuls/id/800113>
>>>
>>> Just because you can not imagine that his happens in reality does not
>>> mean that you can ignore the problem.
>>>
>>
>> Quite frankly, I don't believe everything I see on the web. Do you have
>> any proof this has actually occurred?
>
> A well documented security hole does not exist for you, as long as
> nothing worse happens to you?
>
Sure - but how "open" is this security hole? How easy is it to take
advantage of?
You can say the same thing about 256 bit encryption. It's not secure -
it can be hacked. However, it would take all the computers in the world
longer than the universe has existed to hack it.
Or every time I leave my house, there is the security risk that someone
will break in and take everything. So I guess I should never leave my
house.
The fact is, "security holes" exist all around us. Just because the
possibility exists does not mean it is a vulnerability to be concerned
about.
These holes require the hacker be able to execute a specific pattern of
steps, which can easily be detected and prevented, as the cert.org
article stated. This patter can easily be detected and prevented. And
all of these security holes have had patches available for 4 years. No,
I don't consider these security holes to be significant.
> ["Trustworthy" CAs]
>>> VeriSign is also on the list of the CAs which had at least one security
>>> problem:
>>>
>>> < http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z8 20120202>
> [...]
>>> < http://www.thetechherald.com/articles/DigiNotar-security-incident-goes-from -bad-to-worse>
> [...]
>> Again, I don't believe everything I see on the Internet. But I have
>> used both Thawte and Versign, and know what a company has to go through
>> to get a certificate.
>
> I know as well what it takes to get a SSL certificate signed by
> VeriSign. Not much... generally just money.
>
> On what base do you trust VeriSign or Thawte?
>
I trust them because I have several clients with their certificates.
And it takes a lot more than just money to get the first certificate.
Renewals aren't bad, because you already have proven who you are previously.
> [...]
>>> As i already said: Don't trust a CA, only trust (or don't trust) the
>>> certificate. If it changes your browser will immediately tell you - even
>>> if it was signed by a CA.
>>
>> So, what is your solution? Just telling someone not to trust a CA is
>> not a solution.
>
> That *is* the solution, if the CA is not trustworthy.
>
>
That is not a solution. But you don't have one. All you can do is piss
and moan.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|