On 11/17/20 11:25 AM, Livingood, Jason wrote:
> On 11/17/20, 11:05 AM, "ietf on behalf of Keith Moore" <ietf-bounces@xxxxxxxx on behalf of moore@xxxxxxxxxxxxxxxxxxxx> wrote:
>> Wow. That's incredibly arrogant and shortsighted. I cannot begin to
>> count, for instance, the number of Internet appliances out there (in
>> both consumer and industrial applications) that have http interfaces but
>> do not support https.
> [JL] It sounds like those appliances have not had any software updates for many years - perhaps a decade or more. Perhaps they are already compromised or soon will be.
Wow.
There are many environments for which software updates are
infeasible. Many devices are deliberately operated on airgapped
networks, which doesn't mean they're entirely immune to attack but it
does mean that relying on updates from the net doesn't work. It's
extremely expensive to support a low-volume device with security
updates. Updates are quite reasonably seen as threats to operations in
manufacturing environments, where any disruption costs real money, and
any updates to firmware would require comprehensive retesting of the
entire system. And when a device doesn't need frequent updates, any
update is likely to be done by people who aren't familiar with the code,
and the chance of introducing more bugs than are fixed is quite high.
So basically, it's completely unrealistic to assume that every device
should be updated, or that updates improve the security of a device.
Keith