[Cryptography] Encryption opinion

ianG iang at iang.org
Sun Aug 24 07:40:26 EDT 2014


On 19/08/2014 07:55 am, Peter Gutmann wrote:
> Tom Ritter <tom at ritter.vg> writes:
> 
>> None of those sites accepted the SSL handshake.  I'm certain that there are
>> still some banks out there that allow weak ciphers, but saying it's the norm
>> does not seem to be correct from my testing.
> 
> Uhh, you've misunderstood the point I was trying to make: If you do your
> online banking/eBay buying/whatever and use weak crypto, nothing bad will
> happen...


The bad things that seem to happen at the user level rely on the split
between HTTP and HTTPS, in that users cannot tell the difference and get
phished.

Pervasive HTTPS would be one solution, because it then becomes
economically worthwhile for the browsers to work on the problem.

Otherwise, there is no economic solution seen to get the browsers to
work on secure UX.  While the TLS people are still obsessed about how
many bit-angels they can paint on an algorithmic pin, and HTTPS is a bug
to the UX crowd not a feature, there will be only marginal change to the
deployment ratio of HTTPS.


> Corollary: ...because there's no need to attack the crypto, there
> are a thousand [1] easier ways to get credit card numbers and whatnot than via
> the crypto.  For example https://www.google.com/search?q=fullz+dumps.


Right.  The crypto's purpose isn't to defeat the worst the NSA can throw
at it, but to assist the user in safely avoiding crooks.  But the NSA
has been ueber-successful in setting our agenda as opposing them, not
the crooks who steal value.  The latter isn't practical, is unreachable,
and the former is ignored;  the users lose both ways.



iang

