Re: IPv6 Anycast has been killed by LINUX patch in 2016 - who cares?


On Mon, Aug 09, 2021 at 02:46:22PM -0400, Phillip Hallam-Baker wrote:

> While I agree with what you are saying about Fastly, Cloudflare etc, I am
> very much aware of what they are doing. But you are overlooking one very
> important qualifier, they didn't just deploy and forget, they are
> actively monitoring and adapting their approach to reflect changing
> circumstances.
>
> If someone is going to sell any mitigation measure for any form of attack,
> they are going to have to continuously monitor performance or they will be
> quickly overwhelmed.

Right, unmonitored security is an oxymoron.

> One lesson that most of us in the security area have learned but some
> obstinately refuse to learn is that it is the fault of implementers if the
> user can't use a system securely and it is the fault of designers and
> architects if zero effort security is not possible.

I don't think you can literally have "zero effort", since monitoring is
never zero effort.  The closest thing we know how to do at close to
"zero effort" is unauthenticated opportunistic security, as a defence
against pervasive monitoring.  And even there, the server operator still
has to make some minimal effort to ensure the TLS stack is not broken.

-- 
    Viktor.



