Another entry in the internet security hall of shame....

Dave Howe DaveHowe at gmx.co.uk
Mon Aug 29 11:27:27 EDT 2005


James A. Donald wrote:
> SSL works in practice, X509 with CA certs does not work 
> in practice.  People have been bullied into using it by 
> their browsers, but it does not give the protection 
> intended, because people do what is necessary to avoid 
> being nagged by browsers, not what is necessary to be 
> secure. 
   Indeed so - however, if Google makes it "just work" then there will be a 
large swathe of people out there wondering "what does this 'DIGITAL SIGNATURE'
button do in gmail?" plus a smaller subset who have google talk and can perform 
secure e2e voip using x509 certs that they don't even know they have.
   It's not ideal, but it's not a bad thing either - a little more security, using 
a known method, without any individual user having to know or care how it works 
(and let's face facts here, no solution that requires an end user to get his 
finger out and do something without being forced to, no matter how trivial the 
task is, ever had a decent update)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com