Re: General security question
From: Carson Gaspar <carson () taltos org>
Date: Sat, 11 Nov 2000 18:32:05 -0800
--On Saturday, November 11, 2000 12:31 PM -0500 "Marcus J. Ranum"
<mjr () nfr com> wrote:
> By the way, as a general rule, a VPN is useless if you don't know
> anything about the security at the other end. Indeed, the whole notion
> of doing a secure transaction/data transfer to a site where you don't
> know anything about the security is kind of dubious.
A _minor_ disagreement. A VPN provides privacy up to the partner's demarc.
At that point liability for any breach of privacy is the partner's (either
on their net, or because they exposed the keying material). Unauthorized
access is also the fault of the partner. This may be sufficient for some
applications. It certainly was for certain financial apps at a past
employer, as the VPN was to protect the customer's data, not ours. So bad
security on their part could only hurt them, and we had cover on the PR and
legal fronts. By so doing, we _enabled_ secure transactions, but did not
Of course, in such cases you should never re-use keying material between
VPNs, and should create your authentication and authorization limits
knowing that the remote end may be compromised.
Carson Gaspar -- carson () taltos org
Queen Trapped in a Butch Body
firewall-wizards mailing list
firewall-wizards () nfr com
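The two closing rules in the reply above (never share keying material between partner VPNs, and size authentication and authorization limits on the assumption that the remote end is compromised) can be checked mechanically. The following is an added example, not code from the original post or from any project it mentions: it parses a strongSwan-style ipsec.secrets and ipsec.conf, reports PSKs that are reused across peers, and flags tunnels whose traffic selectors give the partner more reach than a single application needs. The sample configuration text is constructed for the example, and the threshold for "too much of our side exposed" is an assumption.

```python
"""Audit partner VPN tunnels for shared keys and over-broad traffic selectors.

Added example (not from the original post). The sample ipsec.secrets and
ipsec.conf text below is constructed; MAX_LOCAL_HOSTS is an assumed policy.
"""

import ipaddress
import re
from collections import defaultdict

# Constructed sample: partners A and B wrongly share one PSK, and tunnel B
# accepts any remote source and exposes our whole 10/8 to the partner.
SAMPLE_SECRETS = """\
# ipsec.secrets (constructed)
203.0.113.10 198.51.100.1 : PSK "correct-horse-battery-staple"
203.0.113.10 198.51.100.2 : PSK "correct-horse-battery-staple"
203.0.113.10 198.51.100.3 : PSK "a-different-key-for-partner-c"
"""

SAMPLE_CONF = """\
# ipsec.conf (constructed)
conn partner-a
    left=203.0.113.10
    right=198.51.100.1
    leftsubnet=10.0.5.20/32
    rightsubnet=10.200.0.0/24

conn partner-b
    left=203.0.113.10
    right=198.51.100.2
    leftsubnet=10.0.0.0/8
    rightsubnet=0.0.0.0/0

conn partner-c
    left=203.0.113.10
    right=198.51.100.3
    leftsubnet=10.0.5.21/32
    rightsubnet=10.201.0.0/24
"""

# Assumed policy: a partner tunnel should expose at most a /24 of our side.
MAX_LOCAL_HOSTS = 256

# "<local-id> <remote-id> : PSK "<secret>"" as written in ipsec.secrets.
SECRET_RE = re.compile(r'^\s*(?P<ids>[^:#]*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"')


def parse_secrets(text):
    """Map each identity tuple in ipsec.secrets to its pre-shared key."""
    secrets = {}
    for line in text.splitlines():
        m = SECRET_RE.match(line)
        if m:
            secrets[tuple(m.group("ids").split())] = m.group("psk")
    return secrets


def parse_conns(text):
    """Parse 'conn <name>' stanzas into {name: {key: value}}."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def find_shared_keys(secrets):
    """Return groups of identity tuples that share a single PSK."""
    by_psk = defaultdict(list)
    for ids, psk in secrets.items():
        by_psk[psk].append(ids)
    return [ids for ids in by_psk.values() if len(ids) > 1]


def find_overbroad_conns(conns, max_local_hosts=MAX_LOCAL_HOSTS):
    """Flag tunnels that accept any remote source or expose too much of us."""
    findings = []
    for name, c in conns.items():
        # strongSwan defaults a missing *subnet to the peer's own address.
        local = ipaddress.ip_network(c.get("leftsubnet") or c["left"], strict=False)
        remote = ipaddress.ip_network(c.get("rightsubnet") or c["right"], strict=False)
        if remote.prefixlen == 0:
            findings.append((name, "rightsubnet accepts any source"))
        if local.num_addresses > max_local_hosts:
            findings.append((name, "leftsubnet exposes %d addresses" % local.num_addresses))
    return findings


def audit(secrets_text=SAMPLE_SECRETS, conf_text=SAMPLE_CONF):
    """Run both checks and return the findings."""
    return {
        "shared_keys": find_shared_keys(parse_secrets(secrets_text)),
        "overbroad": find_overbroad_conns(parse_conns(conf_text)),
    }


if __name__ == "__main__":
    for kind, items in audit().items():
        for item in items:
            print(kind, item)
```

Run on real files by passing their contents to `audit()`. The key-reuse check is the one that matters most for the liability argument in the reply: a PSK shared between partners means one partner's breach exposes another partner's traffic, and the "their problem, not ours" line no longer holds.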