Intra-cloud plaintext?
I was looking at the image linked in this article and was actually somewhat alarmed. Am I crazy, or does just dropping all traffic to plaintext within one's own cloud sound like horrible design?
I'm not suggesting all traffic in all networks requires encryption, but traffic between services within a major cloud's network? Breach the perimeter and someone suddenly can get at everything.
Working B.S., Computer Science
Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
In progress: CLEP US GOV,
Next up: MATH 211, ECON 352, ICS 340
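The practical check behind the question above, which the thread itself does not spell out, is to look at which back-end flows actually begin a TLS handshake and which carry plaintext. This is an added example, not from any poster in the thread: a small Python triage over constructed flow samples (first client-to-server payload bytes, placeholder RFC 1918 addresses) that flags every flow that does not open with a TLS ClientHello. It assumes you already have the first payload bytes of each flow from a capture.

```python
"""Triage captured intra-service flows: which ones start a TLS handshake,
and which carry plaintext? All sample data below is constructed."""
from dataclasses import dataclass

TLS_HANDSHAKE = 0x16            # TLS record content type: handshake
CLIENT_HELLO = 0x01             # handshake message type: ClientHello
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")


def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP stream.

    'tls'            record header + ClientHello seen
    'http-plaintext' an HTTP/1.x request line in the clear
    'plaintext'      mostly printable ASCII (redis, memcached, SMTP, ...)
    'binary'         unknown: a custom wire format, or encrypted by something
                     this check cannot see; needs a manual look
    'empty'          no client bytes captured
    """
    if not payload:
        return "empty"
    if len(payload) < 6:
        return "binary"
    # TLS record: type(1) version(2) length(2), then handshake type(1).
    # Record-layer version is 0x0300..0x0303 even for TLS 1.3 ClientHellos.
    if (payload[0] == TLS_HANDSHAKE and payload[1] == 0x03
            and payload[2] <= 0x03 and payload[5] == CLIENT_HELLO):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http-plaintext"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    return "plaintext" if printable / len(payload) > 0.9 else "binary"


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes


def audit(flows):
    """Return (src, dst, dport, verdict) for every flow that is not TLS."""
    verdicts = ((f, classify_first_bytes(f.first_bytes)) for f in flows)
    return [(f.src, f.dst, f.dport, v) for f, v in verdicts if v != "tls"]


# Constructed sample flows (placeholder addresses and payloads).
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 443, bytes.fromhex("160301005a010000560303") + b"\x00" * 32),
    Flow("10.0.1.11", "10.0.2.21", 8080, b"GET /internal/user/42 HTTP/1.1\r\nHost: profile-svc\r\n\r\n"),
    Flow("10.0.1.12", "10.0.2.22", 6379, b"*2\r\n$3\r\nGET\r\n$7\r\nsession\r\n"),
    Flow("10.0.1.13", "10.0.2.23", 9000, b"\x00\x00\x00\x10\x00\x12\x00\x01\x00\x00"),
    Flow("10.0.1.14", "10.0.2.24", 9092, b""),
]
```

A 'binary' verdict is not proof of encryption; in the thread's scenario a custom RPC framing would land there too and still be readable to anyone on the link.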
Comments
-
ptilsen Member Posts: 2,835
Well, that's actually what the article was about. The Google engineers interviewed are furious, understandably. I'm a little more perturbed that anyone who can circumvent or penetrate Google's front-end gets to see plaintext traffic on the back-end.
-
pram Member Posts: 171
> I'm a little more perturbed that anyone who can circumvent or penetrate Google's front-end gets to see plaintext traffic on the back-end.
This describes like, 100% of every environment I've seen.
-
instant000 Member Posts: 1,745
> This describes like, 100% of every environment I've seen.
The one fallacy is that they have acquired links that are "supposed" to be "private".
These "private" links span across geographic areas.
This reminds me of this article:
Room 641A - Wikipedia, the free encyclopedia
One thing they could do would be enabling a hardware-based VPN mesh across their backend. Without knowledge of their environment, I cannot begin to know how troublesome this is for them. The same way they make their little throw-away servers, they could make throw-away VPN routers to protect their site-to-site communications. I'm imagining something like multiple parallel tunnels between sites, and just let routing dictate the data flow and path-sharing.
Of course, this added complexity probably hurts their availability, and we then suffer more frequent outages of youtube (hah, that might increase productivity).
And somehow, I then thought about this story:
This thought on availability had me then thinking about "Mafiaboy" but that's probably too much of a tangent right now.
Currently Working: CCIE R&S
LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
-
wes allen Member Posts: 540
L2 encryption is going to blow up - The business case for Layer 2 | Senetas
And another cool link from a recent riskybiz podcast http://www.idquantique.com/network-encryption/products/cerberis-quantum-key-distribution.html
-
wes allen Member Posts: 540
> Am I crazy, or does just dropping all traffic to plaintext within one's own cloud sound like horrible design?
Traditional L3 and up encryption has too much overhead and is way too slow for the amounts of data that they move around. Keep in mind that it wasn't all that long ago that many big sites still didn't use SSL by default outside of Auth, for all external traffic anyway.