Posts Tagged ‘Windows’

Hacintosh?

February 19, 2010 Kevin Heald

An article over at PCWorld yesterday entitled Hacking Impresario: ‘Windows Safer Than Mac’ quotes the organizer of Pwn2Own stating that Windows 7 is more secure than Snow Leopard.

Contest organizer Aaron Portnoy, who is the security research team lead with 3Com TippingPoint, the sponsor of Pwn2Own, told Computerworld’s Gregg Keizer that:

“Safari will be the first to go. [Safari will] be on Snow Leopard, which isn’t on the same level as Windows 7.”

Of course this stance is disputed by other security impresarios (talk about an author using a thesaurus).

Microsoft has been THE target of hackers for so long that they had to have learned.  Mac has had the privilege of being under the radar for a long time since they were the plucky underdog.  However, as their sales rise, more hackers will start targeting the platform.

And it also shows that marketing really is king. For years I have said that a large part of Microsoft’s rise has been marketing. Mac has been touting its security and I even hear my parents telling me Macs are more secure! I doubt this perception will change any time soon, but it is a little vindicating to see reality starting to bubble up in the press.

HTTP Enrollment in Windows

April 28, 2009 Kevin Heald

Just read a new TechNet article detailing some of the new PKI features in Windows 7 and Windows 2008. Some overall interesting stuff there, but what I really hadn’t seen before is support for HTTP Enrollment for PKI certificates.

One of the challenges of any PKI is re-enrollment of entities. So, for example, a new laptop is provisioned and given to a user. During provisioning, a device certificate is installed onto the machine (either via auto-enrollment or manually installed). However, once that laptop leaves the IT department, the goal is to do as little “touch” as possible in the future.

In an environment where all of the machines are on the same domain and PKI is managed in-house, enrollment is a cinch.  However, more and more PKI is an out-sourced service.  PKI can be difficult (although to be honest sometimes that is over-emphasized).  If I can pay someone to manage it for me, it is probably more secure to let the experts actually manage it.  BUT, if it is outsourced, how do I allow my machine to get certificates?  In the MS PKI world, I may have to create a forest trust so that my machines can enroll and then re-enroll.

The addition of HTTP Enrollment allows enrollment requests to be performed over HTTP/S.  So, there is less of a need for forest relationships and more of an ability to out-source PKI.  It actually makes the Microsoft CA a much more attractive option.

All this being said, I expect that HTTP Enrollment will only work with Windows 7? If that is the case, it will take some time for this new technology to have an impact.

UPDATE: From doing some more digging, this capability will only work with Windows 7.  BUMMER.