[Cryptography] Browser JS (client side) crypto FUD

Lodewijk andré de la porte l at odewijk.nl
Fri Aug 29 13:47:04 EDT 2014


2014-08-03 15:33 GMT+02:00 ianG <iang at iang.org>:

> It also works in the sense that better locks work.  They aren't
> unbreakable, but they do move the burglar on to the next house.  Which
> is all we need.  This is a self-reinforcing cycle, slowly everyone
> upgrades over time together, as they can afford it.
>
> What it isn't is the old "security must be perfect" nonsense that was
> peddled in the early days.  We all know a perfect lock on a flyscreen
> door is a stupidity, but apparently we have difficulty seeing what is
> wrong with ECC512 bit encryption on a website taking credit cards with
> some home written PHP.
>

I disagree with the logic here. We're not building houses. What we build
doesn't even have dimensions.

I'm not sure why home written PHP has to be bad. It's up to the writer in
any language. PHP isn't the problem.

You should also consider "why wouldn't I put a perfect lock on my
flyscreen?", because in this world the cost of ECC512 vs the cost of a
shorter one is so-so-so-so-so small.

Credit cards are an interesting example of how no technological security can
still work in the real world. And, incidentally, how expensive that makes
the security.

At the moment using "strong enough" crypto makes people go to the next
door. What really kills services and servers is n-day exploits; unupdated
known-vulnerability services. Advising against ECC512 is not going to help
that. (Advising in favor of it also doesn't matter much.)

Let him have his perfect crypto. It's a step on the road to salvation. Who
knows, maybe one day he'll be happy he took it. I'm sure he'd never regret
it.