Failing As A Service

Ars has put up an article detailing a recently released paper that used an EC2 instance on Amazon’s cloud to break 512-bit encryption in just a couple of hours for a grand total of less than $100. Technically speaking, this isn’t surprising. Moore’s Law (not really a law) is a thing; pretty much everyone who knows anything about computers has heard of it and knows the gist of it. And 512-bit encryption hasn’t been a recommended best practice in a long, LONG time. It’s no surprise that the computing horsepower needed to break encryption from the 1990s is easy and cheap to acquire.

However, as the article points out, there are still servers on the Internet that use 512-bit keys for encryption. I’d hazard a guess that any server running 512-bit keys probably isn’t getting patched either. In fact, I bet it’s been a long time since they have been touched by an admin. The Internet in general would be better off without those servers. Maybe it’s time for the web browsers of the world to start throwing up the scary red title bars and warnings you get if you go to a site with an improper or invalid SSL cert? It should be easy enough for the browser to detect if the encryption is weak and accordingly inform the user. Hopefully these are not e-commerce servers of any sort and the only people who are affected by the eventual “issues” will be the people who aren’t maintaining them (or paying someone to maintain them on their behalf).
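The key-size check suggested above, as an added example (not code from this post or from the Ars article): it reads the modulus length out of a DER-encoded SubjectPublicKeyInfo and maps it to a verdict a client could show. It assumes the 512-bit keys in question are RSA keys; the 2048-bit floor, the verdict names and the sample keys are constructed for illustration.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)
MIN_BITS = 2048  # assumption: policy floor below which a key is reported as weak

def read_tlv(buf, pos=0):
    """Parse one DER element at pos; return (tag, value, next_pos)."""
    if len(buf) < pos + 2:
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Return the modulus size in bits of a DER SubjectPublicKeyInfo."""
    _, body, _ = read_tlv(spki)              # SubjectPublicKeyInfo SEQUENCE
    _, alg, pos = read_tlv(body)             # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg)
    if tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an RSA key")
    tag, bits, _ = read_tlv(body, pos)       # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("unexpected public key encoding")
    _, rsa_key, _ = read_tlv(bits[1:])       # RSAPublicKey SEQUENCE
    tag, modulus, _ = read_tlv(rsa_key)      # first INTEGER is the modulus n
    if tag != 0x02:
        raise ValueError("modulus missing")
    return int.from_bytes(modulus, "big").bit_length()

def classify(spki):  # verdict a client could show the user
    bits = rsa_modulus_bits(spki)
    return bits, "broken" if bits <= 512 else "weak" if bits < MIN_BITS else "ok"

def tlv(tag, value):  # DER-encode one element (only used to build the samples)
    size = len(value).to_bytes((len(value).bit_length() + 7) // 8 or 1, "big")
    hdr = size if len(value) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + hdr + value

def make_sample_spki(bits):  # constructed modulus of the given size, not a real key
    n = tlv(0x02, b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))
    e = tlv(0x02, (65537).to_bytes(3, "big"))
    alg = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
    return tlv(0x30, alg + tlv(0x03, b"\x00" + tlv(0x30, n + e)))

if __name__ == "__main__":
    for size in (512, 1024, 2048):
        print(classify(make_sample_spki(size)))
```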