[Cryptography] Encryption opinion

ianG iang at iang.org
Fri Aug 29 11:34:43 EDT 2014


On 28/08/2014 20:28 pm, Bear wrote:
> On Wed, 2014-08-27 at 10:47 +0100, ianG wrote:
> 
>> I spent many years over at Mozilla, trying to get them to do
>> something, anything about phishing.  They refused.
>>
>> Once, just once, patient long-winded argument got the engineers 
>> there to say "Oh, you have a point.  Right.  Phishing.  Our 
>> users.  Shit."
>>
>> To which they added:  "Now you have to go to IETF and PKIX 
>> committee and get them to tell us what to do."
>>
>> Boom.  The long and the short of it was that the browser vendors had
>> outsourced their security architecture to the standards groups.  (Why
>> they did this is a fascinating study in and of itself.)  So, now that
>> they had no architecture components for security they are entirely
>> dependent on the IETF and/or other folks ... *to tell them what to
>> do*.
>>
>> Yet, the IETF are unified in their consensus that phishing is not
>> their problem.  Perhaps, a cute social engineering thing that happens
>> to other people, but decidedly not their purview because it ain't no
>> MITM, dammit.
> 
> 
>> See now why I describe MITM as include phishing?
> 
> It becomes clear why you are eager to reclassify it as something 
> that the IETF is interested in stopping, but motivation is 
> subjective and facts are objective. The disconnect remains. 


I would not suggest that phishing was an MITM just for mere politics.
You and I disagree on the facts, but it's the net, that's what we do
here ;-)


> The IETF is a protocol group; if it isn't a problem that can be 
> solved via protocol, they regard it as being outside their mandate.  
> Even if there were general acceptance of the *idea* that phishing 
> is an MITM, it would be an MITM of a kind that cannot be solved 
> via protocol, and therefore an MITM that the IETF still would 
> not be interested in.  
> 
> Whether or not it is called an MITM doesn't matter; your problem 
> is that the IETF mandate is restricted to protocols.


Close.  My problem (the net's problem?) is that the IETF doesn't care
what happens outside their mandate.  They are happy to throw protocols
over the wall, and get back to cute protocol problems.

But the world has moved on from the 1980s.  Attacks are far more
sophisticated -- as y'all keep pointing out -- than can be modelled in
committee and a CS textbook.

Meanwhile, an inordinate number of important groups follow IETF protocols
without thought.  They think they are done.  When there's a gap, oh
dear, no solution.

And of course, it's impossible to blame either group in isolation...
Hence I say that the 4 or so groups that are responsible for phishing
are locked in a deadly embrace of irresponsibility.


> At most, if you got a broad consensus, you'd force them to qualify 
> their statement and say more specifically what *kind* of MITMs are 
> and are not their purview.  In my opinion they've failed to provide 
> a working remedy even for those, but at least they are interested 
> in them. 
> 
> What you want sounds like an appeal to the (as yet unformed) IUTF, 
> Internet Usability Task Force, whose mandate specifically is to 
> recommend remedies to problems - particularly security problems - 
> caused by poor user interface.  That mandate definitely includes
> phishing - and many other security concerns, most notably including 
> my own pet peeve that there is no UI indication of the continuity 
> (or lack thereof) of counterparty identities in any cryptographically
> secured communication. 


:)  Yeah.  So there are any number of these groups out there, as Paul
Ferguson pointed out.  Suffice to say, forming a group or joining a
group is not the problem.

https://xkcd.com/927/

Meanwhile, you are definitely on the money in that the center of the
problem is the user interface.



iang
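Bear's pet peeve above, the missing UI indication of whether a counterparty's identity is continuous across sessions, is a small thing to build at the client. The following is an added example, not code from this thread or from any browser or mail client: a trust-on-first-use continuity store that pins the SHA-256 fingerprint of the first public key seen for a peer and classifies every later sighting as new, continuous, or changed, and a one-line indicator a client could show beside the lock icon. The peer names, the two byte strings standing in for encoded public keys (KEY_A, KEY_B), the three status names, and the date strings are all constructed for illustration.

```python
"""Key-continuity (trust-on-first-use) tracking for a counterparty's public key.

Added example, not from the original thread.  The peer names, the two fake
public-key byte strings and the three-state indicator are constructed
assumptions for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

NEW, CONTINUOUS, CHANGED = "new", "continuous", "changed"

# Constructed stand-ins for the DER encoding of two different public keys.
KEY_A = b"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01" + b"A" * 78
KEY_B = b"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01" + b"B" * 78


def fingerprint(key_bytes: bytes) -> str:
    """SHA-256 over the encoded public key, in hex; this is the value that gets pinned."""
    return hashlib.sha256(key_bytes).hexdigest()


class ContinuityStore:
    """Remembers the first key seen per peer and reports whether later keys match."""

    def __init__(self, records=None):
        # peer -> {"fingerprint": hex, "first_seen": iso8601, "count": int}
        self._records = dict(records or {})

    def observe(self, peer: str, key_bytes: bytes, when=None) -> dict:
        """Record one sighting and classify it.

        A CHANGED sighting is never pinned automatically: the stored record stays
        as it was, and the caller must call accept_change() after the user decides.
        """
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        fp = fingerprint(key_bytes)
        rec = self._records.get(peer)
        if rec is None:
            self._records[peer] = {"fingerprint": fp, "first_seen": when, "count": 1}
            return {"peer": peer, "status": NEW, "fingerprint": fp, "count": 1}
        if rec["fingerprint"] == fp:
            rec["count"] += 1
            return {"peer": peer, "status": CONTINUOUS, "fingerprint": fp,
                    "count": rec["count"], "first_seen": rec["first_seen"]}
        return {"peer": peer, "status": CHANGED, "fingerprint": fp,
                "expected": rec["fingerprint"], "count": rec["count"],
                "first_seen": rec["first_seen"]}

    def accept_change(self, peer: str, key_bytes: bytes, when=None) -> None:
        """Re-pin explicitly, after the user has verified the new key out of band."""
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        self._records[peer] = {"fingerprint": fingerprint(key_bytes),
                               "first_seen": when, "count": 1}

    def to_json(self) -> str:
        """Serialise the pins so they survive a client restart."""
        return json.dumps(self._records, sort_keys=True)

    @classmethod
    def from_json(cls, text: str) -> "ContinuityStore":
        return cls(json.loads(text))


def indicator(result: dict) -> str:
    """One-line continuity status a client could show next to the lock icon."""
    short = result["fingerprint"][:16]
    if result["status"] == NEW:
        return f"NEW identity for {result['peer']}: {short} (first contact, nothing to compare)"
    if result["status"] == CONTINUOUS:
        return (f"SAME identity for {result['peer']} as on {result['count'] - 1} earlier "
                f"visit(s) since {result['first_seen']}")
    return (f"WARNING: identity for {result['peer']} CHANGED: pinned {result['expected'][:16]} "
            f"since {result['first_seen']} ({result['count']} visit(s)), now {short}")


def demo() -> list:
    """Walk one peer through first contact, a repeat visit, a key change and a re-pin."""
    store = ContinuityStore()
    statuses = []
    for key in (KEY_A, KEY_A, KEY_B):
        r = store.observe("bank.example", key, when="2014-08-29T11:34:43+00:00")
        statuses.append(r["status"])
        print(indicator(r))
    store = ContinuityStore.from_json(store.to_json())        # survives a restart
    statuses.append(store.observe("bank.example", KEY_A)["status"])  # pin was not clobbered
    store.accept_change("bank.example", KEY_B)                # user verified the new key
    statuses.append(store.observe("bank.example", KEY_B)["status"])
    return statuses


if __name__ == "__main__":
    demo()
```

The one design point worth noting is that a changed key is reported but never silently adopted: the pin only moves through accept_change(), so the warning cannot be trained away by an attacker who simply presents the new key often enough.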


