Good call - operating process are more critical to security outcomes than technology.
But it can be asserted that even SSL is not highly reliable, since it relies on externally (from the security perspective) managed instrastructure called DNS. A 'bad' or hacked ISP DNS can mislead its users into simple man-in-the-middle attacks.
Coupled with the lack of sound auditing in SSL transferred data, the business risks mount up.
It's time for fundamentally treatment of these mechanisms


[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/60/10554#10554