I don't think this article is really helpful at all. The author attacks blog posts that state the current best-practices, but then goes on to recommend several books that are even more out of date than the blog posts. (Some of the books are 'theory' books and so presumably remain 'current' for longer, but not all of them).
Second, instead of allowing sysadmins to find and follow simple, well-researched best-practices, the author instead wants each person to thoroughly research the annals of cryptography in order to then come to their 'own' conclusion. Most sysadmins won't do this. Or they will miss something or make rookie mistakes (this is why you're always told not to roll your own cryptography). To put it another way: "you should not roll your own choices about which cryptography to use".
So for the other 99% who just need to get it right and move on: find the current best practices from a reputable source (like Qualys) and use those.
Just to be clear, my books mentioned in the blog post (Bulletproof SSL and TLS and OpenSSL Cookbook) are most certainly not out of date. In fact, they are a rare example of books that are continuously maintained. I pledged to maintain them for as long as there are people interested in reading them!
>The author attacks blog posts that state the current best-practices
No, I'm attacking the fact that people blindly follow blog posts that have been, at some point, what their author believed were best practices.
> But then goes on to recommend several books that are even more out of date than the blog posts.
Which is fine, as long as they are read for what they are supposed to be: Either introductions or specializing on a specific topic. I wouldn't have chosen them otherwise.
> Second, instead of allowing sysadmins to find and follow simple, well-researched best-practices, the author instead wants each person to thoroughly research the annals of cryptography in order to then come to their 'own' conclusion
It is up to your own self-conception as a sysadmin as to how deep you want to dive. When interviewing (non-junior grade) sysadmins, I challenge them on security knowledge just as much as other skills. And I know I'm not alone with that. A certain degree of security awareness is not a "nice to have" type of additional skill. It's vital for everyone that has machines connected to the internet. How far he/she can dive is solely limited by the economics and time constraints. Which is why sensible defaults are needed from vendors and distros (see my other response).
> Most sysadmins won't do this.
Which is a real problem, and again, there should be some effort remedying this, but currently there isn't. That's why I plead to sit down and at least learn about the basics. What "the basics" are obviously depends greatly on your educational background, but if AES, RC4 and PFS do not ring a bell, and you are a professional sysadmin who runs SSL-secured web servers, you are not worth your money.
> (this why you're always told not to roll your own cryptography)
Nobody said anything about rolling your own cryptography. But if you at least have read one of Ivan's books, you can at least make a /qualified decision/ on how credible a config proposed in a "random blog post" is, without having to come up with the complete solution by yourself.
> find the current best practices from a reputable source (like Qualys) and use those.
Which is ok -- if you run a small setup and you at least use SSLLabs to verify your setup. The more responsibility you have, and the more security is required, the more you should dive in and have a qualified opinion on what your SSL/TLS setup should look like.
Well, "don't roll your own crypto" advice has recently been compared to abstinence-only birth control. It sounds good in theory, but in practice it is prone to not work at all.
This is because most defects in security come from application developers assembling poorly understood third party solutions in ways that the original authors never intended or even imagined to be possible. Best practices and secure defaults can only take you so far, so there is a genuine need for minimum competence standards, even if those are informal and not regulated.