Is cryptography where security took the wrong branch?

Anne & Lynn Wheeler lynn at garlic.com
Wed Sep 3 10:21:57 EDT 2003


At 10:09 PM 9/2/2003 +0000, Michael Shields wrote:
>I would agree that HTTPS has been more successful than WEP, in the
>sense of providing defense against real threats.  HTTPS actually
>defends against some real attacks, providing an effective answer to a
>clearly defined problem: preventing the exposure of sensitive
>information such as credit card numbers, even in the face of
>eavesdropping and server impersonation.  This is only one threat model
>and maybe not the most realistic one, but HTTPS does define it and
>address it.  Meanwhile, WEP is too weak to prevent any attacks; and
>even if it were not cryptographically weak, its stone-age key
>management would make it a poor tool for any network with more than a
>handful of users.

My view was that ipsec had been in progress for some time and not making a 
whole lot of headway. At the San Jose IETF meeting (fall '94?), VPN was 
introduced in a router/gateway working group. This caused quite a bit of 
consternation among the router vendors that didn't have processing to 
implement the required cryptography operations (and you saw some vaporware 
product announcements following the meeting). It also caused some 
consternation among the ipsec group. Eventually most of the router vendors 
upgraded to processors that could handle the VPN requirements and it 
started to make some deployment progress. The ipsec group somewhat came to 
terms by referring to VPN as lightweight ipsec (and the vpn group referring 
to ipsec as heavyweight security).

HTTPS came out about the same period. It basically is a transport layer 
protocol implemented in the application layer .... again ipsec 
implementation and distribution at the operating system level was not 
making a lot of progress ... and so a vendor could build HTTPS into their 
product and distribute it w/o having to worry about dependencies on other 
vendor components.

There is some postings in sci.crypt that while you see pervasive 
distribution of HTTPS support ... supposedly the percentage of web sites 
that actually offer up HTTPS (and SSL domain name server certificates) is 
around the one percent range.
--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
  


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list