[Linux-aus] comment for an article on Government website accessibility
Paul Coldrey
paul at ensigma.com.au
Fri May 29 14:05:26 EST 2009
Rhett Kipps wrote:
>
> Quite interesting that it claims email is insecure then:
> a) hosts a webform without using SSL, ensuring that is not encrypted
> either, and susceptible to a MITM attack;
> b) suggests postal mail to the address provided in the clear over the
> web is somehow more secure, although also susceptible to a MITM attack.
>
> Seems to be a load of rubbish. If they were genuinely concerned about
> security, the webform would utilise SSL, and the page detailing the
> "secure" postal address should also be served over SSL to ensure the
> web server's identity.
I would have thought the main reason not to post an email address is
because it would get inundated with spam like every other email address
that is listed on the web.
Whilst at a theory level, I agree entirely with Rhett's comments:
1. a MITM attack on the form is a non-trivial undertaking - far trickier
than spoofing an email (which is of course completely trivial)
2. intercepting snail mail is surprisingly tricky right up to the point
where it hits the mail box. Before this the only real risk is the
mailman tasked with making the delivery (in processing there are lots of
machines and lots of cameras wherever people are involved). Hence if
it is deposited securely then it is quite secure from all but a very
small bunch of Australia Post employees.
I guess my point (if I indeed have one) is that we all know most pollies
are "dumb" when it comes to technology. I am not convinced it is
helpful to snipe at them at this level. Let's get them to understand
open source is a viable alternative, then we can start to teach them
about what is really involved in web security. Personally, I think it
would be pretty stupid for Kevin Rudd to advertise an email address.
Cheers,
Paul