This message popped into my inbox late yesterday.
The survey in question contains the following questions.
All of my clients have gotten rid of SSL on their public facing Web sites.
The dilemma we have is that while SSL is dead, it is baked into so many products and appliances. My clients are therefore stuck with appliances and software products that have SSL hard coded into them. As a result, they will be dependent on their vendors to convert to TLS.
That said, what is the risk of using SSL internally? Not a good practice, but truthfully, what is the risk?
In my opinion, using SSL internally for the next 12 to 24 months would not be the end of the world as long as it does not become a significant attack vector.
It will be interesting to hear the results of this survey.
