[Cryptography] All applications need top security (was Re: Director GCHQ speaks at MIT)

Perry E. Metzger perry at piermont.com
Wed Mar 9 14:44:41 EST 2016


On Wed, 9 Mar 2016 13:55:22 -0500 Jerry Leichter <leichter at lrw.com>
wrote:
> *If* we have to maintain such distinctions, however, an important
> question is whether we can somehow give users a reasonable,
> understandable way to specify the level appropriate for a given
> connection/piece of data.

I think the experience of the last few decades says "no, users are not
able to make security-critical decisions of this sort in a reliable
way." We've tried for a very long time without success.

Note that I include almost everyone present here, including myself, on
that. It is simply too hard to make such decisions on a routine
basis. You will make mistakes.

It is better to simply presume you need the best security you will
ever need (say the same security you need when contacting your bank)
even if all you're doing is checking out prices on your online grocer.

I'm a big believer in removing as many security knobs from the user as
possible. As Ian (I think) has said on this list in the past, "there
should be one mode, and it should be secure".

Perry
-- 
Perry E. Metzger		perry at piermont.com

