I grit my teeth every time you say SSL is broken. Most of the time it isn't SSL that's broken, but the policies some have chosen to use to simplify our lives. Last episode's example, the problem with SSL server certificates, isn't broken SSL; it's broken policy. I recommend SSL very often to protect healthcare. I'm involved in all of the healthcare IT work going on in Washington, D.C., and I often have to reverse misunderstandings. In addition, I have to point out that the recommendation we're giving in healthcare is to use mutually authenticated TLS against a well-controlled certificate or CA branch, following a system inspection and business agreement. This isn't just server authentication against a list that some browser vendor chooses.

I received an email from a colleague in GE's Energy division mentioning that he heard my feedback on this week's podcast, so clearly someone was able to listen to the live recording. This morning I finally got to listen to the recording, and sure enough my comment was his 'Comment #1' at almost minute 23. I was happily vindicated that Steve Gibson, the host of Security Now, agreed with my assessment. It was discussed and clarified for a whole 6 minutes (does that count against my 15 minutes of fame?). Policy is so important to think through, declare in writing, inspect for the capability to enforce, and regularly audit that it is being executed.
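The policy in that recommendation, mutually authenticated TLS where each side trusts only the organisation's own CA branch rather than a vendor-shipped root list, written out as an added example in Go (this is not code from the original post or from any project it mentions). The CA names, the hostname ehr.example.internal, the client name gateway-01 and the loopback connection are all constructed for the example; the certificates are generated in memory on each run. It runs three handshakes: both sides under the controlled CA, a server certificate from a different but perfectly valid CA, and a client certificate from that other CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must turns the demo's "cannot happen" errors into panics to keep the policy code readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
var serial int64 // throwaway serial counter for the demo certificates

// mint creates a P-256 certificate: with a nil parent a self-signed CA (standing in for the
// organisation's controlled CA branch), otherwise a server or client leaf for name signed by parent.
func mint(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, name string, usage x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, tls.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else if tmpl.ExtKeyUsage = []x509.ExtKeyUsage{usage}; usage == x509.ExtKeyUsageServerAuth {
		tmpl.DNSNames = []string{name} // the name the client checks via ServerName
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	cert := must(x509.ParseCertificate(der))
	return cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// configs is the policy in code: the server demands a client certificate chaining to ca, the
// client accepts only a server certificate for host chaining to ca. A nil ClientCAs or RootCAs
// would instead mean the system trust store, i.e. whatever list the OS or browser vendor ships.
func configs(ca *x509.Certificate, server, client tls.Certificate, host string) (*tls.Config, *tls.Config) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := &tls.Config{Certificates: []tls.Certificate{server}, MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	cli := &tls.Config{Certificates: []tls.Certificate{client}, MinVersion: tls.VersionTLS12,
		RootCAs: pool, ServerName: host}
	return srv, cli
}

// Result records how each side saw one handshake; nil means that side accepted it.
type Result struct{ ClientErr, ServerErr error }

// handshake runs one TLS handshake over a loopback TCP connection.
func handshake(srv, cli *tls.Config) Result {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		serverErr <- tls.Server(conn, srv).Handshake()
	}()
	conn := must(net.Dial("tcp", ln.Addr().String()))
	defer conn.Close()
	clientErr := tls.Client(conn, cli).Handshake()
	return Result{ClientErr: clientErr, ServerErr: <-serverErr}
}

// Outcomes: both certificates from the controlled CA (must succeed), server certificate from
// another CA (client must refuse), client certificate from another CA (server must refuse).
type Outcomes struct{ Mutual, RogueServer, RogueClient Result }

func RunScenarios() Outcomes {
	const host = "ehr.example.internal" // hypothetical service name
	ourCA, ourKey, _ := mint(nil, nil, "Controlled Healthcare CA", 0)
	otherCA, otherKey, _ := mint(nil, nil, "Some Other CA", 0) // perfectly valid, just not ours
	_, _, ourServer := mint(ourCA, ourKey, host, x509.ExtKeyUsageServerAuth)
	_, _, ourClient := mint(ourCA, ourKey, "gateway-01", x509.ExtKeyUsageClientAuth)
	_, _, otherServer := mint(otherCA, otherKey, host, x509.ExtKeyUsageServerAuth)
	_, _, otherClient := mint(otherCA, otherKey, "gateway-01", x509.ExtKeyUsageClientAuth)
	return Outcomes{
		Mutual:      handshake(configs(ourCA, ourServer, ourClient, host)),
		RogueServer: handshake(configs(ourCA, otherServer, ourClient, host)),
		RogueClient: handshake(configs(ourCA, ourServer, otherClient, host)),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

Run it and the first scenario completes while the other two fail with an unknown-authority error on the side that applied the policy. One caveat a practitioner should know: in the third scenario a TLS 1.3 client's Handshake can return without error, because the server's rejection only reaches the client on its first read, so the server-side result is the one that proves the policy held. The point of the configuration is that trust is a deliberate, written decision (the pool holds exactly the CA branch agreed with the business partner), which is what makes it possible to inspect and audit rather than inherit a root list someone else maintains.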