>The author attacks blog posts that state the current best-practices
No, I'm attacking the fact that people blingly follow blog posts that have been, at some point, what their author believed were best practices.
> But then goes on to recommend several books that are even more out of date than the blog posts.</cite>
Which is fine, as long as they are read for what they are supposed to be: Either introductions or specializing on a specific topic. I wouldn't have chosen them otherwise.
> Second, instead of allowing sysadmins to find and follow simple, well-researched best-practices, the author instead wants each person to thoroughly research the annals of cryptography in order to then come to their 'own' conclusion
It is up to your own self-conception as a sysadmin as to how deep you want to dive. When interviewing (non-junior grade) sysadmins, I challenge them on security knowledge just as much as other skills. And I know I'm not alone with that. A certain degree of security awareness is not a "nice to have" typoe additional skill. It's vital for everyone that has machines connected to the internet. How far he/she can dive is solely limited by the economics and time constrains. Which is why sensible defaults are needed from vendors and distros (see my other response).
> Most sysadmins won't do this.
Which is a real problem, and again, there should be some effort remedying this, but currently there isn't. That's why I plea to sit down and at least learn about the basics. What "the basics" are obviously depends greatly on your educational background, but if AES, RC4 and PFS do not ring a bell, and you are a professional sysadmin who runs SSL-secured web servers, you are not worth your money.
> (this why you're always told not to roll your own cryptography)
Nobody said anything about rolling your own cryptography. But if you at least have read one of Ivan's books, you can at least make a /qualified decision/ on how credible a config proposed in a "random blog post" is, without having to come up with the complete solution by yourself.
> find the current best practices from a reputable source (like Qualys) and use those.
Which is ok -- if you run a small setup and you at least use SSLLabs to verify your setup. The more responsibility you have, and the more security is required, the more you should dive in and have a qualified opinion on how your SSL/TLS setup should look like.
No, I'm attacking the fact that people blingly follow blog posts that have been, at some point, what their author believed were best practices.
> But then goes on to recommend several books that are even more out of date than the blog posts.</cite>
Which is fine, as long as they are read for what they are supposed to be: Either introductions or specializing on a specific topic. I wouldn't have chosen them otherwise.
> Second, instead of allowing sysadmins to find and follow simple, well-researched best-practices, the author instead wants each person to thoroughly research the annals of cryptography in order to then come to their 'own' conclusion
It is up to your own self-conception as a sysadmin as to how deep you want to dive. When interviewing (non-junior grade) sysadmins, I challenge them on security knowledge just as much as other skills. And I know I'm not alone with that. A certain degree of security awareness is not a "nice to have" typoe additional skill. It's vital for everyone that has machines connected to the internet. How far he/she can dive is solely limited by the economics and time constrains. Which is why sensible defaults are needed from vendors and distros (see my other response).
> Most sysadmins won't do this.
Which is a real problem, and again, there should be some effort remedying this, but currently there isn't. That's why I plea to sit down and at least learn about the basics. What "the basics" are obviously depends greatly on your educational background, but if AES, RC4 and PFS do not ring a bell, and you are a professional sysadmin who runs SSL-secured web servers, you are not worth your money.
> (this why you're always told not to roll your own cryptography)
Nobody said anything about rolling your own cryptography. But if you at least have read one of Ivan's books, you can at least make a /qualified decision/ on how credible a config proposed in a "random blog post" is, without having to come up with the complete solution by yourself.
> find the current best practices from a reputable source (like Qualys) and use those.
Which is ok -- if you run a small setup and you at least use SSLLabs to verify your setup. The more responsibility you have, and the more security is required, the more you should dive in and have a qualified opinion on how your SSL/TLS setup should look like.