On Fri, Aug 13, 2010 at 09:32:57AM -0700, Jeff Simmons wrote: > It wouldn't surprise me if there's been some blowback from the > adoption of PCI-DSS (Payment Card Industry Data Security > Standards). As someone who has had to help several small to medium > size businesses comply with these 'voluntary' standards, the irony > of the fact that the big banks that require them often aren't in > compliance themselves hasn't escaped my notice.
In the past month, we've had several customers at work suddenly insist that we make modifications to their firewalls and/or load balancers to redirect *all* incoming HTTP traffic to HTTPS (which of course isn't always entirely sane to do on proxying devices, but they apparently don't trust their server admins to maintain an HTTP redirect). Most of them cited requirements from their PCI-DSS auditors. One apparently was outright told that their redirects were "a security problem" because they presented an open socket on port 80, and they needed to be refusing all HTTP to their servers at the firewall. I think we gave them sufficient wording to convince their auditor that blocking access to the redirect itself wasn't going to do anyone any good. -- { IRL(Jeremy_Stanley); PGP(97AE496FC02DEC9FC353B2E748F9961143495829); SMTP(fu...@yuggoth.org); IRC(fu...@irc.yuggoth.org#ccl); ICQ(114362511); AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fu...@yuggoth.org); MUD(kin...@katarsis.mudpy.org:6669); WWW(http://fungi.yuggoth.org/); } --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com